patch Archives - Cyber Security Minute

Zimbra zero-day exploited to steal government emails by four groups

Issued by: Security Affairs

Google Threat Analysis Group (TAG) researchers revealed that a zero-day vulnerability, tracked as CVE-2023-37580 (CVSS score: 6.1), in the Zimbra Collaboration email software was exploited by four different threat actors to steal email data, user credentials, and authentication tokens from government organizations. The experts observed that most of the attacks took place after the public…

Vulnerabilities

Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

Issued by: The Hacker News

Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. “There are indications from Google Threat Analysis Group and Google Project Zero…

Vulnerabilities

Trend Micro Patches Zero-Day Endpoint Vulnerability

Issued by: Dark Reading

Trend Micro has released an advisory covering a critical zero-day flaw — tracked as CVE-2023-41179 — that affects Apex One, Apex One SaaS, and Worry-Free Business Security. The vulnerability can be exploited for arbitrary code execution, and it revolves around the “products’ ability to uninstall third-party security software.” The advisory, written in Japanese, details how…

Vulnerabilities

Citrix ADC, Gateway Users Race Against Hackers to Patch Critical Flaw

Issued by: Dark Reading

Citrix has issued a patch for a critical flaw affecting Citrix ADC and Citrix Gateway, adding that the company is aware of attacks against the vulnerability in the wild. The vulnerability, tracked under CVE-2022-27518, affects Citrix ADC and Citrix Gateway versions 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. “Both must be configured with…

Vulnerabilities

Fortinet Patches 6 High-Severity Vulnerabilities

Issued by: Security Week

One of the high-severity issues affects FortiTester and it allows an authenticated attacker to execute commands via specially crafted arguments to existing commands. FortiSIEM is affected by a vulnerability that allows a local attacker with command-line access to perform operations on the Glassfish server directly via a hardcoded password. The remaining high-severity flaws are stored…

Vulnerabilities

Anxiously Awaited OpenSSL Vulnerability’s Severity Downgraded From Critical to High

Issued by: Security Week

The OpenSSL Project revealed last week that an update for OpenSSL 3.0 would address a critical vulnerability. That flaw is tracked as CVE-2022-3602 and it has been described as a buffer overrun that can be triggered in X.509 certificate verification. Exploitation of the flaw could lead to a denial-of-service (DoS) condition caused by a crash,…

Vulnerabilities

WordPress Security Update 6.0.3 Patches 16 Vulnerabilities

Issued by: Security Week

WordPress 6.0.3 fixes nine stored and reflected cross-site scripting (XSS) vulnerabilities, as well as open redirect, data exposure, cross-site request forgery (CSRF), and SQL injection flaws. WordPress security company Defiant has shared a description of each vulnerability. Four of them have a ‘high severity’ rating, and the rest have ‘medium’ or ‘low’ severity. “We have…

Vulnerabilities

Chrome 105 Patches Critical, High-Severity Vulnerabilities

Issued by: Security Week

Twenty-one of the resolved security defects were reported by external researchers, including one critical-, eight high-, nine medium-, and three low-severity vulnerabilities. A total of nine use-after-free issues were resolved with the latest browser update, the most important of which is a critical flaw in the Network Service component, reported by Google Project Zero researcher…

Vulnerabilities

Cisco Patches High-Severity Vulnerabilities in Business Switches

Issued by: Security Week

Impacting the OSPF version 3 (OSPFv3) feature of NX-OS, the first of these issues is tracked as CVE-2022-20823 and could be exploited remotely, without authentication, to cause a denial-of-service (DoS) condition. The flaw exists due to incomplete input validation of specific OSPFv3 packets, allowing an attacker to send a malicious OSPFv3 link-state advertisement (LSA) to…

Vulnerabilities

Microsoft Shares Details on Critical ChromeOS Vulnerability

Issued by: Security Week

Tracked as CVE-2022-2587 (CVSS score of 9.8) and described as an out-of-bounds write, the vulnerability was addressed with the release of a patch in June. The issue was identified in the CRAS (ChromiumOS Audio Server) component, and could be triggered using malformed metadata associated with songs. CRAS resides between the operating system and ALSA (Advanced…