Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

CVE-2024-20694: Windows CoreMessaging Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited this vulnerability could potentially read small portions of stack memory.

Microsoft Security Response Center
Open in Source
#vulnerability#windows#Windows Collaborative Translation Framework#Security Vulnerability
CVE-2024-20680: Windows Message Queuing Client (MSMQC) Information Disclosure

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.

CVE-2024-20683: Win32k Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2024-20677: Microsoft Office Remote Code Execution Vulnerability

**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.

CVE-2024-20666: BitLocker Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

CVE-2024-20674: Windows Kerberos Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** The authentication feature could be bypassed as this vulnerability allows impersonation.

GHSA-93p6-9cxv-5rpq: juzawebCMS Incorrect Access Control vulnerability

juzaweb <= 3.4 is vulnerable to Incorrect Access Control, resulting in an application outage after a 500 HTTP status code. The payload in the timezone field was not correctly validated.

Patch management needs a revolution, part 1: Surveying cybersecurity’s lineage

Traditional vulnerability management uses a singular “patch all things” approach that is ineffective and costly. It’s time we shifted to adopting appropriate risk-based approaches that consider more than an exclusive focus on patching security issues. Organizations are increasingly called upon to navigate a complex cybersecurity landscape which is more than just potential threats and attacks. It also includes the complexity and sheer volume of software. This requires going beyond “security by compliance” and utilizing comprehensive risk assessment, appropriate prioritization of resou

GHSA-cjqf-877p-7m3f: snapd Race Condition vulnerability

Race condition in snap-confine's must_mkdir_and_open_with_perms()

GHSA-8959-rfxh-r4j4: XWiki vulnerable to Denial of Service attack through attachments

### Impact A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. ### Patches This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1. ### Workarounds The workaround is to download [commons-compress 1.24](https://search.maven.org/remotecontent?filepath=org/apache/commons/commons-compress/1.24.0/commons-compress-1.24.0.jar) and replace the one located in XWiki `WEB-INF/lib/` folder. ### References https://jira.xwiki.org/browse/XCOMMONS-2796 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])