Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability

The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft. Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers. The issue, tracked as CVE-2023-47246, concerns a path traversal

The Hacker News
Open in Source
#vulnerability#web#microsoft#git#backdoor#auth#zero_day#The Hacker News
Judge rules it’s fine for car makers to intercept your text messages

A judge has refused to bring back a class action lawsuit against four car manufacturers because the privacy violation did not meet the WPA standard.

CVE-2023-47110: Any value can be changed in the configuration table by an employee having access to block reassurance module

blockreassurance adds an information block aimed at offering helpful information to reassure customers that their store is trustworthy. An ajax function in module blockreassurance allows modifying any value in the configuration table. This vulnerability has been patched in version 5.1.4.

CVE-2023-46894: Cryptographic API Misuse Vulnerability: AES ECB used for initialization (ESPTOOL-756) · Issue #926 · espressif/esptool

An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.

GHSA-72fp-w44g-625q: Signing DynamoDB Sets when using the AWS Database Encryption SDK.

### Impact This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for DynamoDB. This also includes when a Set is part of a List or a Map. DB-ESDK for DynamoDB supports `SIGN_ONLY` and `ENCRYPT_AND_SIGN` attribute actions. In version 3.1.0 and below, when a Set type is assigned a `SIGN_ONLY` attribute action, there is a chance that signature validation of the record containing a Set will fail on read, even if the Set attributes contain the same values. The probability of a failure depends on the order of the elements in the Set combined with how DynamoDB returns this data, which is undefined. This update addresses the issue by ensuring that any Set values are canonicalized in the same order while written to DynamoDB as when read back from DynamoDB. ### Patches Fixed in version 3.1.1 We recommend all users upgrade as soon as possible. ### Workarounds None ### References For more information on how to addres...

GHSA-xfm3-hjcc-gv78: Any value can be changed in the configuration table by an employee having access to block reassurance module

### Impact An ajax function in module blockreassurance allows modifying any value in the configuration table ### Patches v5.1.4 ### Workarounds no workaround available ### References

CVE-2023-47373: CVE-reports/DRAGON FAMILY.md at main · syz913/CVE-reports

The leakage of channel access token in DRAGON FAMILY Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47372: CVE-reports/UPDATESALON C-LOUNGE.md at main · syz913/CVE-reports

The leakage of channel access token in UPDATESALON C-LOUNGE Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47370: CVE-reports/bluetrick.md at main · syz913/CVE-reports

The leakage of channel access token in bluetrick Line 13.6.1 allows remote attackers to send malicious notifications to victims.

CVE-2023-47368: CVE-reports/taketorinoyu.md at main · syz913/CVE-reports

The leakage of channel access token in taketorinoyu Line 13.6.1 allows remote attackers to send malicious notifications to victims.