#web

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable Remotely/Low attack complexity Vendor: Johnson Controls Inc. Equipment: Quantum HD Unity Vulnerability: Active Debug Code 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthorized user to access debug features that were accidentally exposed. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Johnson Controls Quantum HD Unity products are affected: Quantum HD Unity Compressor control panels (Q5): All versions prior to v11.22 Quantum HD Unity Compressor control panels (Q6): All versions prior to v12.22 Quantum HD Unity AcuAir control panels(Q5): All versions prior to v11.12 Quantum HD Unity AcuAir control panels(Q6): All versions prior to v12.12 Quantum HD Unity Condenser/Vessel control panels (Q5): All versions prior to v11.11 Quantum HD Unity Condenser/Vessel control panels (Q6): All versions prior to v12.11 Quantum HD Unity Evaporator control panels (Q5): All versions prior to v...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: eSOMS Vulnerabilities: Generation of Error Message Containing Sensitive Information, Exposure of Sensitive System Information to an Unauthorized Control Sphere 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information related to eSOMS application configuration. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Hitachi Energy products are affected: eSOMS: v6.3.13 and prior 3.2 Vulnerability Overview 3.2.1 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209 The response messages received from the eSOMS report generation using certain parameter queries with full file path can be abused for enumerating the local file system structure. CVE-2023-5514 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/...

Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel. "The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday. The tool has been attributed to MuddyWater, an Iranian

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file. * In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

Face recognition technology has been controversial for years. Cops in the UK are drastically increasing the amount they use it.

Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being bundled together as a data subject access request package for the data subject to download. Supported data formats for the package include json and csv, but the most commonly used format is a series of HTML files compressed in a ZIP file. Once downloaded and unzipped, the data subject user can browse the HTML files on their local machine. It was identified that there was no validation of input coming from e.g. the connected systems and data stores which is later reflected in the downloaded data. This can result ...