Tag
#ssl
Detailing how extended IoT (xIoT) devices can be used at scale by attackers to establish persistence across networks and what enterprises should start doing about the risk.
mp4v2 v2.0.0 was discovered to contain a heap buffer overflow via the MP4GetVideoProfileLevel function at /src/mp4.cpp.
Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.
Red Hat Security Advisory 2023-1766-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.
1. EXECUTIVE SUMMARY
CVSS v3 6.2
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Adaptec maxView Application
Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local attacker to decrypt intercepted local traffic between the browser and the application. A local attacker could perform a machine-in-the-middle attack to modify data in transit.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following software from Siemens is affected:
SIMATIC IPC1047: All versions
SIMATIC IPC1047E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows
SIMATIC IPC647D: All versions
SIMATIC IPC647E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows
SIMATIC IPC847D: All versions
SIMATIC IPC847E: All versions with Adaptec maxView Storage Manager prior to 4.09.00.25611 on Windows
3.2 VULNERABILITY OVERVIEW
3.2.1 EXPOSURE OF S...
### Impact
Any user with view rights on commonly accessible documents, including the legacy notification activity macro, can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the macro parameters of the [legacy notification activity macro](https://extensions.xwiki.org/xwiki/bin/view/Extension/Legacy%20Notification%20Activity%20Macro/). This macro is installed by default in XWiki.

A proof of concept exploit is

```
{{activity wikis="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}"/}}
```

If the output of this macro is

```
The [notifications] macro is a standalone macro and it cannot be used inline. Click on this message for details. Hello from Groovy!" displayMinorEvents="false" displayRSSLink="false" /}}
```

or similar, the XWiki installation is vulnerable. The vulnerability can be exploited via ever...
Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.
Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.
Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries. Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default.