Multiple vulnerabilities in QNAP TS-464 NAS devices

The advisories from ZDI-24-470 to ZDI-24-475 detail a series of vulnerabilities affecting QNAP TS-464 NAS devices, ranging from CRLF injection and SQL injection to improper certificate validation and file upload directory traversal. These vulnerabilities could allow remote attackers to make arbitrary configuration changes, execute code, escalate privileges, and create or delete files on affected devices. QNAP has issued updates to correct these vulnerabilities, highlighting the importance of applying security patches promptly to protect against potential exploits.

Read more Multiple vulnerabilities in QNAP TS-464 NAS devices

Multiple vulnerabilities in Cisco

Here’s a summary of the Cisco Security Advisories:

  1. Cisco AppDynamics Network Visibility Service DoS Vulnerability: An unauthenticated, local attacker could cause a denial of service (DoS) condition due to improper handling of unexpected input.
  2. Cisco Crosswork NSO Open Redirect Vulnerability: An unauthenticated, remote attacker could redirect a user to a malicious web page due to improper input validation of a parameter in an HTTP request.
  3. Cisco Crosswork NSO Privilege Escalation Vulnerability: An authenticated, local attacker could elevate privileges to root on an affected device because of a user-controlled search path used to locate executable files.
  4. Cisco Secure Client NAM Privilege Escalation Vulnerability: An unauthenticated attacker with physical access could elevate privileges to SYSTEM due to a lack of authentication on a specific function.
  5. Cisco Secure Email and Web Manager XSS Vulnerabilities: Multiple vulnerabilities could allow a remote attacker to conduct XSS attacks against users of the interface due to insufficient input validation.
  6. Cisco Secure Email Gateway HTTP Response Splitting Vulnerability: An unauthenticated, remote attacker could conduct an HTTP response splitting attack due to insufficient input validation of some parameters.
  7. Cisco Unified Communications Products API DoS Vulnerability: An unauthenticated, remote attacker could cause high CPU utilization and potentially impact access and call processing due to improper API authentication and incomplete validation of the API request.
Read more Multiple vulnerabilities in Cisco

Vulnerabilities in Adobe Readed DC Software

Consolidated summary:

  • ZDI-24-424 & ZDI-24-425: Both vulnerabilities, identified as CVE-2024-30305 and CVE-2024-30303 respectively, have a CVSS score of 7.8 and affect Adobe Acrobat Reader DC. They allow remote code execution due to improper handling of AcroForms. Users must interact with a malicious page or file to trigger the flaw.
  • ZDI-24-427: Identified as CVE-2024-30306 with a CVSS score of 7.8, this vulnerability in Adobe Acrobat Reader DC allows remote code execution through an out-of-bounds read in AcroForms. User interaction is required.
Read more Vulnerabilities in Adobe Readed DC Software

cURL and libcurl Vulnerability Affecting Cisco Products: October 2023

On October 11, 2023, cURL released Version 8.4.0 of the cURL utility and the libcurl library. This release addressed two security vulnerabilities: 

  • CVE-2023-38545 – High Security Impact Rating (SIR)
  • CVE-2023-38546 – Low SIR

This advisory covers CVE-2023-38545 only. For more information about this vulnerability, see the cURL advisory

This advisory is available at the following link: 

Security Impact Rating: High

CVE: CVE-2023-38545

Users in EU will have a choice

Google has just announced a change for users in Europe that will allow them to decide exactly how much data sharing is right for them. The new policy, which the company says is in response to the EU’s Digital Markets Act (DMA), allows users to opt out of data sharing for all, some or none of Google’s selected services. The services listed include YouTube, search, advertising services, Google Play, Chrome, Google Shopping and Google Maps. However, the policy is not airtight – Google will still share user information when necessary to perform a task (for example, when you pay for a purchase on Google Shopping using Google Pay), to comply with the law, to prevent fraud or to protect against abuse.

Read more Users in EU will have a choice

Nextcloud wins the Acteurs du Libre European Award 2023

Nextcloud has won the European Award of the Acteurs du Libre contest! This is a huge recognition for the community, the Nextcloud team, and the visionary leaders behind the project.

What is the Acteurs du Libre contest?

The Acteurs du Libre contest is part of the Open Source Experience event, which celebrates the achievements of Free Software companies, entrepreneurs, projects and associations. The contest awards six prizes every year, each honoring a different aspect of FOSS development, management or implementation: the Committed Public Service Award, the European Award in collaboration with APELL, the Business Development Award, the Best Open Source Strategy Award, the Open and Ethical Digital Award, and the Jury’s Special Award.

Read more Nextcloud wins the Acteurs du Libre European Award 2023

Critical vulnerability in Fortinet products

https://www.fortiguard.com/psirt/FG-IR-22-300

https://www.fortiguard.com/psirt/FG-IR-22-300

Summary

An external control of file name or path vulnerability [CWE-73] in FortiNAC webserver may allow an unauthenticated attacker to perform arbitrary write on the system.

Affected Products

FortiNAC version 9.4.0
FortiNAC version 9.2.0 through 9.2.5
FortiNAC version 9.1.0 through 9.1.7
FortiNAC 8.8 all versions
FortiNAC 8.7 all versions
FortiNAC 8.6 all versions
FortiNAC 8.5 all versions
FortiNAC 8.3 all versions

Is Mastodon a new Twitter?

What is Mastodon

Mastodon is a microblogging network, it is not controlled by a company or a server, it works through a decentralized federation of servers. The network is open source and we can access it on GitHub, where it is hosted so that anyone can access it.

Mastodon does not use a single server, it consists of several, and it is fast in terms of loading both the network and the application. The user has the option to create a community or instance. In addition, if you don’t want to do that, you can join one of the many available.

The first thing to start using Mastodon is to register with a short registration, when we say concise, that is, it won’t ask for much information about us. There will be four fields you must fill out to register with the site/app, including your username.

Read more Is Mastodon a new Twitter?