#ios

Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.

### Impact An attacker with access to a Cilium agent pod can write to `/opt/cni/bin` due to a `hostPath` mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the underlying node. ### Patches The issue has been fixed and is available on versions >=1.11.15, >=1.12.8, >=1.13.1. ### Workarounds [Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) should be used to deny users and service accounts `exec` access to Cilium agent pods. In cases where a user requires `exec` access to Cilium agent pods, but should not have access to the underlying node, no workaround is possible. ### References * [PR containing resolution](https://github.com/cilium/cilium/pull/24075) ### Acknowledgements The Cilium community has worked together with members of Isovalent and Form3 to prepare these mitigations. Special thanks to Anastasios Kou...

**Synopsis:** Streamlit open source publicizes a prior security fix implemented in 2021. The vulnerability affected Streamlit versions between 0.63.0 and 0.80.0 (inclusive) and was patched on April 21, 2021. If you are using Streamlit with version before 0.63.0 or after 0.80.0, no action is required. # 1. Impacted Products Streamilt Open Source versions between 0.63.0 and 0.80.0. # 2. Introduction On April 21, 2021, Streamlit merged a patch that fixed a cross-site scripting (XSS) vulnerability in the Streamlit open source library, without an associated public advisory. The vulnerability affected Streamlit versions between 0.63.0 and 0.80.0 (inclusive), which are no longer supported. We recommend using the latest version of our library, but so long as you are not using an affected Streamlit version, no action is required. # 3. Cross Site Scripting Vulnerability ## 3.1 Description On April 20, 2021, Streamlit was informed via our support forum about a XSS vulnerability in the open ...

The chances of getting hacked are no longer low. Companies need to rethink their data collection and monitoring strategies to protect employee privacy and corporate integrity.

A remote denial of service vulnerability was found in the Linux kernel’s TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs, which are not in the queue. Sending two small UDP packets to a system with a UDP bearer results in the CPU utilization for the system to instantly spike to 100%, causing a denial of service condition.

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.

The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.

Dell BIOS contains an Improper Input Validation vulnerability. A local authenticated malicious user with administrator privileges could potentially exploit this vulnerability to perform arbitrary code execution.

Here is a cautionary tale of what happens if side-projects or sections of the website becomes obsolete. If you don't remove them, someone might hijack your subdomain.

Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.