Yan&Co Security Vulnerabilities

cnvd

SQL Injection Vulnerability in Green Alliance Operations and Maintenance Security Management System

Beijing Shenzhou Green Alliance Technology Co., Ltd. is a company whose business scope includes technology development, technology consulting, technology services; computer system services and so on. There is a SQL injection vulnerability in the Green Alliance Operations and Maintenance Security...

7.8 AI Score

2023-07-25 12:00 AM
4
cnvd

Unauthorized Access Vulnerability in Light Printing Self-service Printing System of Chongqing Xiaodou Technology Co.

Chongqing Xiaodou Technology Co., Ltd. focuses on the research and development of self-service printing system, is committed to creating a professional, perfect, convenient self-service printing system. Chongqing Xiaodu Technology Co., Ltd. light printing self-service printing system has an...

6.6 AI Score

2023-07-06 12:00 AM
8
cnvd

Arbitrary File Download Vulnerability in iVMS-8700 Integrated Security Management Platform Software of Hangzhou Hikvision Digital Technology Co.

The iVMS-8700 integrated security management platform software is a life-useful and convenient security software. Hangzhou Hikvision Digital Technology Co., Ltd. iVMS-8700 integrated security management platform software has an arbitrary file download vulnerability that can be exploited by...

6.9 AI Score

2023-06-16 12:00 AM
6
cnvd

Command Execution Vulnerability in DSS Monitoring Management Application Platform of Zhejiang Dahua Technology Co.

Zhejiang Dahua Technology Co., Ltd. is a supplier of surveillance products and solution service provider. A command execution vulnerability exists in the DSS surveillance management application platform of Zhejiang Dahua Technology Company Limited, which can be exploited by an attacker to execute.....

7.6 AI Score

2023-04-19 12:00 AM
10
cnvd

Beijing Douniu Network Technology Co., Ltd Douniu APP has information leakage vulnerability

Bean Cow APP is an online wholesale trading platform for agricultural and sideline products. Ltd. Bean cow APP has information leakage vulnerability, attackers can use the vulnerability to obtain sensitive information on the...

6.5 AI Score

2023-06-19 12:00 AM
6
githubexploit

Exploit for CVE-2022-32862

5.5 CVSS

5.5 AI Score

0.001 EPSS

2023-09-13 06:29 PM
524
nvd

CVE-2023-39809

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a command injection vulnerability via the system_hostname parameter at...

9.8 CVSS

9.8 AI Score

0.001 EPSS

2023-08-21 01:15 AM
cve

CVE-2023-39807

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a SQL injection vulnerability via the a_passwd parameter at...

9.8 CVSS

9.7 AI Score

0.001 EPSS

2023-08-21 01:15 AM
12
cve

CVE-2023-39809

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a command injection vulnerability via the system_hostname parameter at...

9.8 CVSS

9.7 AI Score

0.001 EPSS

2023-08-21 01:15 AM
11
nvd

CVE-2023-39807

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a SQL injection vulnerability via the a_passwd parameter at...

9.8 CVSS

9.8 AI Score

0.001 EPSS

2023-08-21 01:15 AM
nvd

CVE-2023-39808

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH...

9.8 CVSS

9.7 AI Score

0.001 EPSS

2023-08-21 01:15 AM
1
cve

CVE-2023-39808

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH...

9.8 CVSS

9.5 AI Score

0.001 EPSS

2023-08-21 01:15 AM
15
cnvd

The Milesight UR32L is a 4G industrial router from China's Milesight. A command execution vulnerability exists in the Milesight UR32L zebra vlan_name function, which can be exploited by an attacker to execute arbitrary commands on the system.

Zhejiang Dahua Technology Co., Ltd. is a supplier of surveillance products and solution service provider. A command execution vulnerability exists in the DSS surveillance management application platform of Zhejiang Dahua Technology Company Limited, which can be exploited by an attacker to execute.....

7.2 CVSS

7.6 AI Score

0.001 EPSS

2023-07-10 12:00 AM
5
malwarebytes

A firsthand perspective on the recent LinkedIn account takeover campaign

Not long ago I wrote about a recent campaign to hold LinkedIn users' accounts to ransom. Shortly after I published the article, a co-worker, Pearce, reached out to me and told me he'd been a target of the campaign. His story begins with an SMS text from LinkedIn telling him to reset his password. He...

7.4 AI Score

2023-09-01 10:45 AM
12
cve

CVE-2023-40158

Hidden functionality vulnerability in the CBC products allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter its settings. As for the affected products/versions, see the detailed information provided by the vendor. Note that NR4H, NR8H, NR16H series and...

8.8 CVSS

8.5 AI Score

0.001 EPSS

2023-08-23 03:15 AM
31
cve

CVE-2023-38585

Improper authentication vulnerability in the CBC products allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter its settings. As for the affected products/versions, see the detailed information provided by the vendor. Note that NR4H, NR8H, NR16H series...

8.8 CVSS

8.7 AI Score

0.001 EPSS

2023-08-23 03:15 AM
32
cve

CVE-2023-40144

OS command injection vulnerability in the CBC products allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter its settings. As for the affected products/versions, see the detailed information provided by the vendor. Note that NR4H, NR8H, NR16H series and...

8.8 CVSS

8.6 AI Score

0.001 EPSS

2023-08-23 04:15 AM
38
thn

Way Too Vulnerable: Join this Webinar to Understand and Strengthen Identity Attack Surface

In today's digital age, it's not just about being online but how securely your organization operates online. Regardless of size or industry, every organization heavily depends on digital assets. The digital realm is where business takes place, from financial transactions to confidential data...

7.3 AI Score

2023-09-05 11:56 AM
20
thn

Three CISOs Share How to Run an Effective SOC

The role of the CISO keeps taking center stage as a business enabler: CISOs need to navigate the complex landscape of digital threats while fostering innovation and ensuring business continuity. Three CISOs; Troy Wilkinson, CISO at IPG; Rob Geurtsen, former Deputy CISO at Nike; and Tammy Moskites,....

6.6 AI Score

2023-09-06 11:22 AM
31
cnvd

Verint Engagement Management Cross-Site Scripting Vulnerability

Verint Engagement Management is a unified platform for knowledge management, process management, case management, email management, live chat, co-browsing and more. A cross-site scripting vulnerability exists in Verint Engagement Management version 15.3 Update 2023R2, which stems from the lack of.....

5.4 CVSS

6.3 AI Score

0.0004 EPSS

2023-08-06 12:00 AM
6
jvn

JVN#42527152: "FFRI yarai" and "FFRI yarai Home and Business Edition" handle exceptional conditions improperly

"FFRI yarai" and "FFRI yarai Home and Business Edition" provided by FFRI Security, Inc. handle exceptional conditions improperly (CWE-703). When the product's Windows Defender management feature is enabled, and Microsoft Defender detects some files matching specific conditions as a threat, the...

3.3 CVSS

4.5 AI Score

0.0005 EPSS

2023-08-07 12:00 AM
10
cve

CVE-2023-39455

OS command injection vulnerability in ELECOM wireless LAN routers allows an authenticated user to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WRC-600GHBK-A all versions, WRC-1467GHBK-A all versions, WRC-1900GHBK-A all...

8.8 CVSS

8.7 AI Score

0.001 EPSS

2023-08-18 10:15 AM
23
cve

CVE-2023-40069

OS command injection vulnerability in ELECOM wireless LAN routers allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted request. Affected products and versions are as follows: WRC-F1167ACF all versions, WRC-1750GHBK all versions,...

9.8 CVSS

9.6 AI Score

0.001 EPSS

2023-08-18 10:15 AM
22
cve

CVE-2023-39944

OS command injection vulnerability in WRC-F1167ACF all versions, and WRC-1750GHBK all versions allows an attacker who can access the product to execute an arbitrary OS command by sending a specially crafted...

8.8 CVSS

8.8 AI Score

0.001 EPSS

2023-08-18 10:15 AM
18
cve

CVE-2023-39454

Buffer overflow vulnerability in WRC-X1800GS-B v1.13 and earlier, WRC-X1800GSA-B v1.13 and earlier, and WRC-X1800GSH-B v1.13 and earlier allows an unauthenticated attacker to execute arbitrary...

9.8 CVSS

9.8 AI Score

0.001 EPSS

2023-08-18 10:15 AM
18
cvelist

CVE-2023-39809

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a command injection vulnerability via the system_hostname parameter at...

10 AI Score

0.001 EPSS

2023-08-21 12:00 AM
cnvd

Shanghai Zhuozhuo Network Technology Co., Ltd. DedeCMS file containment vulnerability

DedeCMS is a PHP open source website management system. Shanghai Zhuozhuo Network Technology Co., Ltd DedeCMS file contains a vulnerability that can be exploited by attackers to execute...

7.2 AI Score

2023-05-06 12:00 AM
4
cvelist

CVE-2023-39807

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a SQL injection vulnerability via the a_passwd parameter at...

10 AI Score

0.001 EPSS

2023-08-21 12:00 AM
cvelist

CVE-2023-39808

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 was discovered to contain a hardcoded root password which allows attackers to login with root privileges via the SSH...

9.8 AI Score

0.001 EPSS

2023-08-21 12:00 AM
cve

CVE-2023-40281

EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using...

4.8 CVSS

4.9 AI Score

0.0004 EPSS

2023-08-17 07:15 AM
14
cve

CVE-2023-39507

Improper authorization in the custom URL scheme handler in "Rikunabi NEXT" App for Android prior to ver. 11.5.0 allows a malicious intent to lead the vulnerable App to access an arbitrary...

6.1 CVSS

6.2 AI Score

0.0005 EPSS

2023-08-16 09:15 AM
25
cnvd

File upload vulnerability in inforsuiteAS application server of Shandong Zhongchuang Software Commercial Middleware Co.(CNVD-2023-63818)

Shandong Zhongchuang Software Commercial Middleware Co., Ltd. is a company whose business scope includes sales and maintenance services of computers, software and auxiliary equipment, electronic equipment, computer network equipment, etc. A file upload vulnerability exists in the inforsuiteAS...

7.2 AI Score

2023-06-26 12:00 AM
3
prion

Cross site scripting

Out-of-bounds Write vulnerability in SSHDCPAPP TA prior to "SAMSUNG ELECTONICS, CO, LTD. - System Hardware Update - 7/13/2023" in Windows Update for Galaxy book Go, Galaxy book Go 5G, Galaxy book2 Go and Galaxy book2 Pro 360 allows local attacker to execute arbitrary...

7.8 CVSS

7.8 AI Score

0.0004 EPSS

2023-08-10 02:15 AM
6
jvn

JVN#60140221: Multiple vulnerabilities in i-PRO VI Web Client

VI Web Client provided by i-PRO Co., Ltd. is Video Insight’s video management software. VI Web Client contains multiple vulnerabilities listed below. Open Redirect (CWE-601) - CVE-2023-38574 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7...

6.1 CVSS

6.7 AI Score

0.001 EPSS

2023-08-31 12:00 AM
16
prion

Stack overflow

Stack overflow vulnerability in SSHDCPAPP TA prior to "SAMSUNG ELECTONICS, CO, LTD. - System Hardware Update - 7/13/2023" in Windows Update for Galaxy book Go, Galaxy book Go 5G, Galaxy book2 Go and Galaxy book2 Pro 360 allows local attacker to execute arbitrary...

7.8 CVSS

7.9 AI Score

0.0004 EPSS

2023-08-10 02:15 AM
2
cnvd

Command Execution Vulnerability in Tianyi Application Virtualization System of Xi'an Ruiyou Information Technology Information Co.

Skywing Application Virtualization System is a virtualization platform based on application server architecture. Xi'an Ruiyou Information Technology Information Co., Ltd Skywing Application Virtualization System has a command execution vulnerability that can be exploited by attackers to execute...

7.8 AI Score

2023-04-20 12:00 AM
3
cve

CVE-2023-37563

ELECOM wireless LAN routers are vulnerable to sensitive information exposure, which allows a network-adjacent unauthorized attacker to obtain sensitive information. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S...

6.5 CVSS

6.2 AI Score

0.001 EPSS

2023-07-13 03:15 AM
18
cve

CVE-2023-37567

Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a remote unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port of the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A...

9.8 CVSS

9.7 AI Score

0.001 EPSS

2023-07-13 02:15 AM
16
cve

CVE-2023-37566

Command injection vulnerability in ELECOM and LOGITEC wireless LAN routers allows a network-adjacent authenticated attacker to execute an arbitrary command by sending a specially crafted request to the web management page. Affected products and versions are as follows: WRC-1167GHBK3-A v1.24 and...

8 CVSS

8 AI Score

0.0004 EPSS

2023-07-13 02:15 AM
14
packetstorm

5.4 CVSS

7.1 AI Score

0.001 EPSS

2023-08-14 12:00 AM
168
thn

Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack

Risk and financial advisory solutions provider Kroll on Friday disclosed that one of its employees fell victim to a "highly sophisticated" SIM swapping attack. The incident, which took place on August 19, 2023, targeted the employee's T-Mobile account, the company said. "Specifically, T-Mobile,...

6.9 AI Score

2023-08-26 04:24 AM
43
chrome

Stable Channel Update for ChromeOS / ChromeOS Flex

ChromeOS M115 Stable The Stable channel is being updated to OS version: 15474.84.0 Browser version: 115.0.5790.182 for most ChromeOS devices. If you find new issues, please let us know one of the following ways File a bug Visit our ChromeOS communities General: Chromebook Help Community Beta...

5.5 CVSS

6.5 AI Score

0.213 EPSS

2023-08-14 12:00 AM
17
cnvd

Shanghai Zhuozhuo Network Technology Co., Ltd. DedeCMS file containment vulnerability

DedeCMS is a PHP open source website management system. Shanghai Zhuozhuo Network Technology Co., Ltd DedeCMS file contains a vulnerability that can be exploited by attackers to execute...

7.2 AI Score

2023-05-05 12:00 AM
10
openbugbounty

thesportstv1.co Cross Site Scripting vulnerability OBB-3324446

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1 AI Score

2023-05-12 06:28 AM
12
cnvd

Arbitrary File Download Vulnerability in ES File Browser of Beijing Xiaoxiong Bowang Technology Co.

ES File Explorer is a powerful and free local and network file manager. ES File Browser has an arbitrary file download vulnerability that can be exploited by attackers to obtain sensitive...

6.6 AI Score

2023-06-29 12:00 AM
8
securelist

IT threat evolution in Q2 2023

IT threat evolution in Q2 2023 IT threat evolution in Q2 2023. Non-mobile statistics IT threat evolution in Q2 2023. Mobile statistics Targeted attacks Gopuram backdoor deployed through 3CX supply-chain attack Earlier this year, a Trojanized version of the 3CXDesktopApp, a popular VoIP program,...

9.8 CVSS

10 AI Score

0.975 EPSS

2023-08-30 10:00 AM
58
openbugbounty

district3.co Cross Site Scripting vulnerability OBB-3319428

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

6.1 AI Score

2023-05-11 12:05 AM
7
thn

Tornado Cash Founders Charged in Billion-Dollar Crypto Laundering Scandal

The U.S. Justice Department (DoJ) on Wednesday unsealed an indictment against two founders of the now-sanctioned Tornado Cash cryptocurrency mixer service, charging them with laundering more than $1 billion in criminal proceeds. Both the individuals, Roman Storm and Roman Semenov, have been...

6.9 AI Score

2023-08-24 07:38 AM
31
prion

Authorization

An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & Android v1.4.4 allows attacker to unlock model(s) without authorization via arbitrary API...

8.1 CVSS

7.9 AI Score

0.001 EPSS

2023-03-21 06:15 PM
4
wallarmlab

Impact of the New SEC Cyber Incident Reporting Rules on the C-Suite and Beyond

We recently hosted a compact and very engaging panel discussion about the new SEC Cyber Incident Reporting Rules due to come into effect later this year. We were fortunate to be joined by two well-known experts: Sue Bergamo, a CISO, CIO, Board Member, Executive Advisor, and Investor with a track...

7 AI Score

2023-08-18 04:02 PM
20
Total number of security vulnerabilities: 10987