BD Pyxis™ SupplyStation™ RF Auxiliary Security Vulnerabilities

ibm

Security Bulletin: Multiple vulnerabilities in the GSKit builds affect IBM Rational ClearQuest

Summary There are multiple vulnerabilities in the GSKit, which is used by IBM Rational ClearQuest. IBM Rational ClearQuest has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2023-33850 DESCRIPTION: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive...

6.3 AI Score

0.001 EPSS

2023-10-04 07:22 AM
13
ibm

Security Bulletin: IBM® Db2® is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256)

Summary IBM® Db2® is vulnerable to an information disclosure due to improper privilege management when certain federation features are used. Vulnerability Details CVEID: CVE-2023-29256 DESCRIPTION: IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to an...

6.8 AI Score

0.001 EPSS

2023-10-03 04:24 PM
21
ibm

Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase.

Summary There are vulnerabilities in the IBM® Runtime Environment Java™ Versions 7 and 8, which are used by IBM Rational ClearCase. CVE-2023-33850, CVE-2023-32342, CVE-2023-21930, CVE-2023-21967 Vulnerability Details CVEID: CVE-2023-33850 DESCRIPTION: IBM GSKit-Crypto could allow a remote...

6.7 AI Score

0.001 EPSS

2023-10-03 02:05 PM
34
zdt

Electrolink FM/DAB/TV Transmitter Unauthenticated Remote Denial Of Service Vulnerability

Electrolink FM/DAB/TV Transmitter suffers from a denial of service scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi...

7 AI Score

2023-10-02 12:00 AM
150
zdt

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credential Disclosure Vulnerability

Electrolink FM/DAB/TV Transmitter suffers from a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system...

7.4 AI Score

2023-10-02 12:00 AM
160
zdt

Electrolink FM/DAB/TV Transmitter Remote Authentication Removal Exploit

Electrolink FM/DAB/TV Transmitter suffers from an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank, giving her access to the admin panel. It is also vulnerable to account takeover and arbitrary password...

7.7 AI Score

2023-10-02 12:00 AM
128
zdt

Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation Vulnerability

Electrolink FM/DAB/TV Transmitter suffers from a privilege escalation vulnerability. An attacker can escalate his privileges by poisoning the Cookie from GUEST to ADMIN to effectively become Administrator, or poisoning to ZSL to become Super...

7.4 AI Score

2023-10-02 12:00 AM
140
zdt

Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credential Disclosure Vulnerability

The Electrolink FM/DAB/TV Transmitter suffers from a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system...

7.4 AI Score

2023-10-02 12:00 AM
128
zdt

Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass Vulnerability

Electrolink FM/DAB/TV Transmitter suffers from an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except NO to the Login Cookie and have full system...

7.7 AI Score

2023-10-02 12:00 AM
118
zdt

Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vulnerability

Electrolink FM/DAB/TV Transmitter allows access to an unprotected endpoint that allows an MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or...

7.6 AI Score

2023-10-02 12:00 AM
120
zdt

Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality Vulnerability

Electrolink FM/DAB/TV Transmitter allows an unauthenticated attacker to bypass authentication and modify the Cookie to reveal hidden pages that allow more critical operations to the...

7.7 AI Score

2023-10-02 12:00 AM
101
debian

[SECURITY] [DLA 3596-1] firmware-nonfree security update

Debian LTS Advisory DLA-3596-1 https://www.debian.org/lts/security/ Tobias Frost September 30, 2023 https://wiki.debian.org/LTS Package : firmware-nonfree Version :...

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2023-09-30 07:39 PM
7
avleonov

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I...

9.2 AI Score

0.976 EPSS

2023-09-30 07:31 PM
52
wallarmlab

2023 OWASP Top-10 Series: API10:2023 Unsafe Consumption of APIs

Welcome to the 11th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API10:2023 Unsafe Consumption of APIs. In this series we are taking an in-depth look at each category: the details, the impact...

8.1 AI Score

2023-09-30 01:15 PM
13
ibm

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to remote code execution due to IBM Java SDK (CVE-2022-40609)

Summary There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 used by IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable CVE. Vulnerability Details CVEID: CVE-2022-40609 DESCRIPTION: IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could...

7.3 AI Score

0.003 EPSS

2023-09-30 04:35 AM
31
ibm

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 used by IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2023-21930 DESCRIPTION: An unspecified vulnerability in Oracle Java SE,...

8 AI Score

0.001 EPSS

2023-09-30 04:34 AM
20
zeroscience

Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass

Title: Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass Advisory ID: ZSL-2023-5791 Type: Local/Remote Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data Risk: (5/5) Release...

7.6 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
135
zeroscience

Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution

Title: Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Advisory ID: ZSL-2023-5796 Type: Local/Remote Impact: Security Bypass, System Access, DoS Risk: (5/5) Release Date: 30.09.2023 Summary Since 1990 Electrolink has been dealing with design and manufacturing of...

8.4 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
143
zeroscience

Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure

Title: Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure Advisory ID: ZSL-2023-5789 Type: Local/Remote Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information Risk: (5/5) Release Date: 30.09.2023 ...

7.2 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
144
zeroscience

Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation

Title: Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation Advisory ID: ZSL-2023-5793 Type: Local/Remote Impact: Privilege Escalation, Manipulation of Data Risk: (4/5) Release Date: 30.09.2023 Summary Since 1990 Electrolink has been dealing with design and manufacturing of advanced...

7.8 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
135
zeroscience

Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality

Title: Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality Advisory ID: ZSL-2023-5794 Type: Local/Remote Impact: Security Bypass, Privilege Escalation Risk: (4/5) Release Date: 30.09.2023 Summary Since 1990 Electrolink has been dealing with design and manufacturing of advanced...

7.7 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
115
zeroscience

Electrolink FM/DAB/TV Transmitter Remote Authentication Removal

Title: Electrolink FM/DAB/TV Transmitter Remote Authentication Removal Advisory ID: ZSL-2023-5792 Type: Local/Remote Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data Risk: (5/5) Release Date:...

7.8 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
121
zeroscience

Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS

Title: Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS Advisory ID: ZSL-2023-5795 Type: Local/Remote Impact: DoS Risk: (4/5) Release Date: 30.09.2023 Summary Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television...

7.5 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
137
zeroscience

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure

Title: Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure Advisory ID: ZSL-2023-5790 Type: Local/Remote Impact: Security Bypass, Privilege Escalation, System Access, Exposure of System Information, Exposure of Sensitive Information Risk: (5/5) Release Date: 30.09.2023 ...

7.2 AI Score

0.0004 EPSS

2023-09-30 12:00 AM
118
ics

Rockwell Automation PanelView 800

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: PanelView 800 Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to disclose...

9.9 AI Score

0.028 EPSS

2023-09-28 12:00 PM
9
nessus

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : binutils (SUSE-SU-2023:3825-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3825-1 advisory. An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data...

7.6 AI Score

2023-09-28 12:00 AM
9
rocky

kernel security, bug fix, and enhancement update

An update is available for kernel. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The kernel packages contain the Linux kernel, the core of any Linux operating...

7.3 AI Score

0.001 EPSS

2023-09-26 01:26 PM
27
osv

Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090) kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch...

7.8 AI Score

0.001 EPSS

2023-09-26 01:26 PM
8
wallarmlab

2023 OWASP Top-10 Series: API9:2023 Improper Inventory Management

Welcome to the 10th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API9:2023 Improper Inventory Management. In this series we are taking an in-depth look at each category: the details, the impact...

6.8 AI Score

2023-09-23 01:15 PM
14
rapid7blog

Metasploit Weekly Wrap-Up

Improved Ticket Forging Metasploit's admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present: the PAC requestor and PAC attributes. The newly forged tickets will have the necessary...

9.8 CVSS

9.3 AI Score

0.971 EPSS

2023-09-22 06:04 PM
13
ibm

Security Bulletin: Due to use of IBM® SDK Java™ Technology Edition, IBM Workload Scheduler is vulnerable to an unspecified vulnerability.

Summary IBM® SDK Java™ Technology Edition is used by IBM Workload Scheduler. (CVE-2023-21830, CVE-2023-21843) Vulnerability Details CVEID: CVE-2023-21830 DESCRIPTION: An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a...

6.1 AI Score

0.001 EPSS

2023-09-22 10:43 AM
14
nessus

SUSE SLES12 Security Update : binutils (SUSE-SU-2023:3695-1)

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3695-1 advisory. An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to...

9.8 AI Score

2023-09-21 12:00 AM
20
cve

CVE-2023-20597

Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local...

5.5 CVSS

5 AI Score

0.0004 EPSS

2023-09-20 06:15 PM
21
cve

CVE-2023-20594

Improper initialization of variables in the DXE driver may allow a privileged user to leak sensitive information via local...

4.4 CVSS

5.1 AI Score

0.0004 EPSS

2023-09-20 06:15 PM
21
rapid7blog

Rapid7 doubles down on a platform approach for Vulnerability Risk Management

This week, Rapid7 was named a Strong Performer in The Forrester Wave™: Vulnerability Risk Management, Q3 2023. The report, which included 11 vulnerability risk management vendors, represented Rapid7's inclusion in the Wave report for vulnerability management. We are proud to be recognized for our...

6.7 AI Score

2023-09-20 02:01 PM
5
amd

DXE Driver Memory Leaks

Bulletin ID: AMD-SB-4007 Potential Impact: Data Leakage Severity: Medium Summary Potential memory leak vulnerabilities in AMD Driver Execution Environment (DXE) driver may allow a highly privileged user to obtain sensitive information. CVE Details Refer to Glossary for explanation of terms CVE|...

5.5 CVSS

5.2 AI Score

0.0004 EPSS

2023-09-20 12:00 AM
13
mssecure

Forrester names Microsoft a Leader in the 2023 Zero Trust Platform Providers Wave™ report

Microsoft is proud to be recognized as a Leader in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report. At Microsoft, we understand modernizing security is a complex task in this era of ever-evolving cyberthreats and complex digital environments. Serious threats have necessitated a...

6.6 AI Score

2023-09-19 04:00 PM
4
mmpc

Forrester names Microsoft a Leader in the 2023 Zero Trust Platform Providers Wave™ report

Microsoft is proud to be recognized as a Leader in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report. At Microsoft, we understand modernizing security is a complex task in this era of ever-evolving cyberthreats and complex digital environments. Serious threats have necessitated a...

6.6 AI Score

2023-09-19 04:00 PM
6
redhat

(RHSA-2023:5244) Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090) kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch...

7.9 AI Score

0.003 EPSS

2023-09-19 12:37 PM
40
thn

ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop. "HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and...

7.3 AI Score

2023-09-19 12:35 PM
33
almalinux

Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090) kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch...

7.4 AI Score

0.001 EPSS

2023-09-19 12:00 AM
11
osv

Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090) kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch...

7.8 AI Score

0.001 EPSS

2023-09-19 12:00 AM
5
Total number of security vulnerabilities: 13504