USN-6315-1: Linux kernel vulnerabilities

Ubuntu Security Advisory Daniel Moghimi discovered that some Intel(R) Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. (CVE-2022-40982) Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local…

Read More

USN-6314-1: Linux kernel vulnerabilities

Ubuntu Security Advisory It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service (infinite recursion). (CVE-2020-36691) Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel…

Read More

USN-6313-1: FAAD2 vulnerabilities

Ubuntu Security Advisory It was discovered that FAAD2 incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2021-32272, CVE-2021-32273, CVE-2021-32274, CVE-2021-32277, CVE-2021-32278, CVE-2023-38857, CVE-2023-38858) It was discovered that FAAD2 incorrectly handled certain…

Read More

CISA Releases IOCs Associated with Malicious Barracuda Activity

CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. Malicious threat actors exploited this vulnerability as a zero day as early as October 2022 to gain access to ESG appliances.  Download the newly released IOCs…

Read More

​PTC Codebeamer

1. EXECUTIVE SUMMARY ​CVSS v3 8.8 ​ATTENTION: Exploitable remotely/low attack complexity ​Vendor: PTC ​Equipment: Codebeamer ​Vulnerability: Cross site scripting 2. RISK EVALUATION ​Successful exploitation of this vulnerability could allow an attacker to inject arbitrary JavaScript code, which could be executed in the victim’s browser upon clicking on a malicious link. 3. TECHNICAL DETAILS 3.1 AFFECTED…

Read More

[CWE-502] Exploring the perils of unsafe unserialize() in PrestaShop (part 1)

The deserialization of instantiated objects in PHP involved the trigger of the magic methods __construct(), __wakeup() and __destruct(). A Smarty, Monolog or Symfony library’s Gadget hydratation with a malicious payload followed by its deserialization can be exploited in multiple malicious critical usages. Until this present research, we did not have any known gadget on our…

Read More

USN-6312-1: Linux kernel vulnerabilities

Ubuntu Security Advisory It was discovered that the netlink implementation in the Linux kernel did not properly validate policies when parsing attributes in some situations. An attacker could use this to cause a denial of service (infinite recursion). (CVE-2020-36691) Billy Jheng Bing Jhong discovered that the CIFS network file system implementation in the Linux kernel…

Read More