#mac

Categories: A week in security The most important and interesting computer security stories from the last week. (Read more...) The post A week in security (August 1 - August 7) appeared first on Malwarebytes Labs.

Cisco has released a security advisory about some serious security vulnerabilities in multiple Cisco small business VPN routers. The post Patch now! Cisco VPN routers are vulnerable to remote control appeared first on Malwarebytes Labs.

Whether you want to turn off link previews or block unwanted FaceTime calls, here's what you need to know.

Categories: Exploits and vulnerabilities Categories: News Tags: Cisco Tags: VPN routers Tags: CVE-2022-20842 Tags: CVE-2022-20827 Tags: CVE-2022-20841 Tags: input validation Cisco has released a security advisory about some serious security vulnerabilities in multiple Cisco small business VPN routers. (Read more...) The post Patch now! Cisco VPN routers are vulnerable to remote control appeared first on Malwarebytes Labs.

Plus: A crypto-heist extravaganza, a peek at an NSO spyware dashboard, and more.

### Impact ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. _This vulnerability does NOT impact 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0 * 6.x patch file: https://github.com/DSpace/DSpace/commit/7af52a0883a9dbc475cf3001f04ed11b24c8a4c0.patch (may be applied manually if an immediate upgrade to 6.4 or 7.x is not possible) _DSpace 5.x:_ * Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/56e76049185bbd87c994128a9d77735ad7af0199 * 5.x patch file: https://github.c...

### Impact The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24 * 6.x patch file: https://github.com/DSpace/DSpace/commit/7569c6374aefeafb996e202cf8d631020eda5f24.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible) _DSpace 5.x:_ * Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/d1dd7d23329ef055069759df15cfa200c8e3 * 5.x patch file: https://github.com/DSpace/DSpa...

### Impact The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.x via commit: https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9 * 6.x patch file: https://github.com/DSpace/DSpace/commit/f7758457b7ec3489d525e39aa753cc70809d9ad9.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible) _DSpace 5.x:_ * Fixed in 5.x via commit: https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de * 5.x patch file: https://github.com/DSpace/DSpace/commit/5f72424a478f59061dcc516b866dcc687bc3f9de.patch (may be applied manually if an immediate upgrade to 5.11 or 6,4 or above is not possible) #### Apply the patc...

### Impact The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/503a6af57fd720c37b0d86c34de63baa5dd85819 * 6.x patch file: https://github.com/DSpace/DSpace/commit/503a6af57fd720c37b0d86c34de63baa5dd85819.patch (may be applied manually if an immediate upgrade to 6.4 is not possible) _DSpace 5.x:_ * Fixed in 5.11 via commit: https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37 * 5.x patch file: https://github.com/DSpace/DSpace/commit/28eb8158210d41168a62ed5f9e044f754513bc37.patch (may be applied manually if an immediate upgrade to 5.11 or 6.4 is not possible) #### Apply the patch to your DSpace If at all possible, we recommend upgradi...

### Impact The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. _This vulnerability does NOT impact the XMLUI or 7.x._ ### Patches _DSpace 6.x:_ * Fixed in 6.4 via two commits: * Fix for spellcheck: https://github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d * Fix for autocomplete: https://github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7 * 6.x patch files available (may be applied manually if an immediate upgrade to 6.4 or above is not possible) * Fix for spellcheck: https://github.com/DSpace/DSpace/commit/ebb83a75234d3de9be129464013e998dc929b68d.patch * Fix for autocomplete: https://github.com/DSpace/DSpace/commit/35030a23e48b5946f5853332c797e1c4adea7bb7.patch _DSpace 5.x:_ * Fixed in 5.11 via two co...