#perl

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Here are some of the easily avoidable mistakes most companies made last year, gleaned from hundreds of cybersecurity engagements by red and blue teams.

Ubuntu Security Notice 5870-1 - Ronald Crane discovered that APR-util did not properly handled memory when encoding or decoding certain input data. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code.

LS ELECTRIC XBC-DN32U with operating system version 01.80 does not properly control access to the PLC over its internal XGT protocol. An attacker could control and tamper with the PLC by sending the packets to the PLC over its XGT protocol.

Categories: Apple Categories: Exploits and vulnerabilities Tags: Apple Tags: macOS Ventura Tags: 13.2.1 Tags: iOS Tags: iPadOS Tags: 16.3.1 Tags: CVE-2023-23514 Tags: CVE-2023-23522 Tags: CVE-2023-23529 Tags: use after free Tags: type confusion Apple has released patches for macOS Ventura, iPadOs, and iOS. Among the patched vulnerabilities is a WebKit vulnerability which may have been exploited in the wild. (Read more...) The post Update now! Apple patches vulnerabilities in MacOS and iOS appeared first on Malwarebytes Labs.

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, a View allows for Cross-Site Scripting (XSS) in an extensible mark-up language (XML) View through the ‘layoutPanel’ attribute in the ‘module’ tag’. The vulnerability affects instances with Splunk Web enabled.

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd).

GSS-NTLMSSP, a mechglue plugin for the GSSAPI library that implements NTLM authentication, has an out-of-bounds read when decoding target information prior to version 1.2.0. The length of the `av_pair` is not checked properly for two of the elements which can trigger an out-of-bound read. The out-of-bounds read can be triggered via the main `gss_accept_sec_context` entry point and could cause a denial-of-service if the memory is unmapped. The issue is fixed in version 1.2.0.

State of XIoT Security Report: 2H 2022 from Claroty's Team82 reveals positive impact by researchers on strengthening XIoT security and increased investment among XIoT vendors in securing their products.

JBoss EAP XP 4.0.0.GA Security release on the EAP 7.4.9 base. See references for release notes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-0341: In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Androi...