Security
Headlines
HeadlinesLatestCVEs

Tag

#microsoft

CVE-2023-23374: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?** This vulnerability could lead to a browser sandbox escape.

Microsoft Security Response Center
Open in Source
#vulnerability#web#microsoft#rce#chrome#Microsoft Edge (Chromium-based)#Security Vulnerability
CVE-2023-21794: Microsoft Edge (Chromium-based) Spoofing Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow

The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system.

ARMO integrates ChatGPT to secure Kubernetes

By Deeba Ahmed Kubernetes' creator ARMO announced the integration in a blog post on February 7th, 2023. This is a post from HackRead.com Read the original post: ARMO integrates ChatGPT to secure Kubernetes

Building Up IAM in a Multicloud World

In the cloud-first world, the security goal is to ensure only qualified users can access information across clouds.

GHSA-r4f8-f93x-5qh3: TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering

> ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2) ### Problem TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting [`config.absRefPrefix=auto`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549), attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of [`GeneralUtility::getIndpEnv('SCRIPT_NAME')`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484) and corresponding usages (as shown below) are vulnerable as well. - `GeneralUtility::getIndpEnv('PATH_INFO') ...

CVE-2023-25396: Advanced Installer 20.1 - Release Notes

Privilege escalation in the MSI repair functionality in Caphyon Advanced Installer 20.0 and below allows attackers to access and manipulate system files.

New MSRC Blog Site

We are excited to announce the release of the new Microsoft Security Response Center (MSRC) blog site. Please visit msrc.microsoft.com/blog/starting February 9th, 2023, for all past and future MSRC blog content.  In addition to the new URL, we have refreshed the site with a new look and improved site performance, search, categories, and tags to … New MSRC Blog Site Read More »

CVE-2023-0748: Fix a bunch of open redirect · btcpayserver/btcpayserver@c2cfa17

Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.