A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Skip to content

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

*   Shop
*   Products1
    
    *   DAM & Photo Editing Software
        
        *   Photo Studio Ultimate 2023
        *   Photo Studio Professional 2023
        *   Photo Studio Home 2023
        *   Photo Studio for Mac 9
        *   Gemstone Photo Editor 12
    *   *   LUXEA Pro Video Editor 7NEW
        *   Video Converter Pro 5
        *   Video Converter 5
    *   *   ACDSee Mobile Sync
        *   ACDSee Light EQ™
        *   ACDSee for iOS
        *   ACDSee Pro for iOS
        *   ACDSee Camera Pro for iOS
    *   *   Ultimate Pack 2023
    
    *   *   ACDSee SendPix™
        *   ACDSee Free
    *   *   ACDSee 365
    *   *   Photography Courses by Alec Watson
    *   *   ACDSee Photo Studio Enterprise 2023
        *   ACDSee Workgroup
    
*   Free Trials
*   Community
    *   ACDSee Workshops
    *   ACDSee Video Tutorials
    *   Tutorials by Alec Watson
    *   ACDSee Stock Photography
    *   ACDSee Online Forum
    *   ACDSee I/O
*   Contact
    *   Support
    *   About
    *   Careers
    *   Media Room
*   Business
    
    *   Volume Licensing
        *   Small & Medium Business
        *   Education
        *   ACDSee for K-12
        *   Government
        *   Enterprise
    *   Solutions
        *   ACDSee Workgroup
        *   Custom Development
        *   Technology Licensing
        *   ACDSee SDK
    *   Partners
        *   Resellers
        *   Affiliates
        *   OEM
    *   How to Buy
        *   Contact Sales
        *   Find a Reseller
    
*   My Account
*   English
    *   Deutsch
    *   Français
    *   Italiano
    *   Español
    *   Nederlands
    *   Pусский
    *   日本語
    *   简体中文
    *   繁體中文

Page load link

CVE-2023-33715: Index

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only store (api version, kind, name) in the ChildStatusReference. This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. This issue can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feeding its data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on one Tekton setup. If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities. As of time of publication, there are no known patches for this issue.

CVE-2023-37264: v1beta1 package - github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1 - Go Packages

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.

CVE-2023-25201: Security Advisories - usd HeroLab

Tenda AC10 v15.03.06.26 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37144: Vulnerability_info/ac10_command_injection/Readme.md at main · DaDong-G/Vulnerability_info

Not yet — but it can help make incremental progress in reducing vulnerability backlogs.

Organizations worldwide are in a race to adopt AI technologies into their cybersecurity programs and tools. A majority (65%) of developers use or plan on using AI in testing efforts in the next three years. There are many security applications that will benefit from generative AI, but is fixing code one of them?

For many DevSecOps teams, generative AI represents the holy grail for clearing their increasing vulnerability backlogs. Well over half (66%) of organizations say their backlogs are comprised of more than 100,000 vulnerabilities, and over two-thirds of static application security testing (SAST) reported findings remain open three months after detection, with 50% remaining open after 363 days. The dream is that a developer could simply ask ChatGPT to "fix this vulnerability," and the hours and days previously spent remediating vulnerabilities would be a thing of the past.

It's not an entirely crazy idea, in theory. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time — AI is hugely beneficial when applied to simple, repetitive tasks. But applying generative AI to complex code applications has some flaws, in practice. Without human oversight and express command, DevSecOps teams could end up creating more problems than they solve.

**Generative AI Advantages and Limitations Related to Fixing Code**

AI tools can be incredibly powerful tools for simple, low-risk cybersecurity analysis, monitoring, or even remedial needs. The concern arises when the stakes become consequential. This is ultimately an issue of trust.

Researchers and developers are still determining the capabilities of new generative AI technology to produce complex code fixes. Generative AI relies on existing, available information in order to make decisions. This can be helpful for things like translating code from one language to another, or fixing well-known flaws. For example, if you ask ChatGPT to "write this JavaScript code in Python," you are likely to get a good result. Using it to fix a cloud security configuration would be helpful because the relevant documentation to do so is publicly available and easily found, and the AI can follow the simple instructions.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing a more complex scenario for the AI to navigate. The AI might provide a "fix," but without verification, it should not be trusted. Generative AI, by definition, can't create something that is not already known, and it can experience hallucinations that result in fake outputs.

In a recent example, a lawyer is facing serious consequences after using ChatGPT to help write court filings that cited six nonexistent cases the AI tool invented. If AI were to hallucinate methods that do not exist and then apply those methods to writing code, it would result in wasted time on a "fix" that can't be compiled. Additionally, according to OpenAI's GPT-4 whitepaper, new exploits, jailbreaks, and emergent behaviors will be discovered over time and be difficult to prevent. So careful consideration is required to ensure AI security tools and third-party solutions are vetted and regularly updated to ensure they do not become unintended backdoors into the system.

**To Trust or Not to Trust?**

It's an interesting dynamic to see the rapid adoption of generative AI play out at the height of the zero-trust movement. The majority of cybersecurity tools are built on the idea that organizations should never trust, always verify. Generative AI is built on the principle of inherent trust in the information made available to it by known and unknown sources. This clash in principles seems like a fitting metaphor for the persistent struggle organizations face in finding the right balance between security and productivity, which feels particularly exacerbated at this moment.

While generative AI might not yet be the holy grail DevSecOps teams were hoping for, it will help to make incremental progress in reducing vulnerability backlogs. For now, it can be applied to make simple fixes. For more complex fixes, they'll need to adopt a verify-to-trust methodology that harnesses the power of AI guided by the knowledge of the developers who wrote and own the code.

Tag

#mac