Overview Recently, NSFOCUS CERT found that Apache has issued an official security notice to fix multiple Apache HTTP Server vulnerabilities. Affected users should take protective measures as soon as possible. Apache HTTP Server Request Smuggling Vulnerability (CVE-2023-25690): When mod_ When proxy is enabled with some form of RewriteRule or ProxyPassMatch, a non-specific pattern will match […]
Overview Recently, NSFOCUS CERT found the PoC that disclosed Microsoft Word remote execution code vulnerability (CVE-2023-21716) on the Internet. Because the RTF parser in Microsoft Word will trigger a heap corruption vulnerability when processing a font table (* fonttbl *) that contains too many fonts (* f # # # *), an attacker can exploit […]
Overview Recently, NSFOCUS CERT found that GitLab has issued an official security notice to fix a cross-site scripting vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) (CVE-2023-0050). A remote attacker with low privileges can cause the client to store XSS through a specially crafted Kroki diagram, and finally perform arbitrary operations on the […]
Overview Recently, NSFOCUS CERT detected that Node.js officially fixed an authentication vulnerability (CVE-2023-23918). Due to the flaw of improper permission control in Node.js, a remote attacker can use the process.mainModule.require() function to bypass permissions and access unauthorized modules. The official said that this vulnerability only affects users who have enabled the experimental permission option –experimental-policy. […]
Overview Recently, NSFOCUS CERT detected that Google Chrome officially released a security bulletin, which fixed multiple security vulnerabilities. The key vulnerabilities are as follows: Google Chrome use-after-free vulnerability (CVE-2023-0927): Due to a use-after-free flaw in the Web Payments API in Google Chrome, a remote attacker capable of compromising the renderer process could exploit a heap […]
Overview Recently, NSFOCUS CERT found that VMware has officially fixed an App Control injection vulnerability (CVE-2023-20858). Due to flaws in product verification of user-input content, attackers with App Control management console permissions can access the underlying server operating system by entering specially crafted data, and ultimately achieve arbitrary code execution on the target system. The […]
Overview Recently, Joomla officially released a security update notice to fix a Joomla unauthorized access vulnerability (CVE-2023-23752), which was submitted by a researcher of NSFOCUS Tianji Lab. Due to flaws in Joomla’s access control to Web service endpoints, unauthenticated attackers access the RestAPI interface to obtain Joomla-related configuration information by constructing specially crafted requests, which […]
Overview Recently, NSFOCUS CERT found that Fortinet officially released a security notice, which fixed multiple Fortinet product vulnerabilities. The key vulnerabilities are as follows: FortiNAC keyUpload remote code execution vulnerability (CVE-2022-39952): Due to a flaw in the keyUpload script of FortNAC, an unauthenticated attacker can execute arbitrary code on the target system by sending a […]
Overview On February 15, NSFOCUS CERT monitored that Microsoft had released a security update patch for February, which fixed 75 security issues, involving widely-used products such as Microsoft Exchange Server, Microsoft Word, Windows Graphics Component, Microsoft Publisher, etc., including high-risk vulnerability types such as privilege enhancement and remote code execution. Among the vulnerabilities fixed in […]
Overview Recently, NSFOCUS CERT found that IBM officially fixed a remote code execution vulnerability in WebSphere Application Server (CVE-2023-23477). Due to the flaw in WebSphere Application Server’s validation of the data entered by users, under certain conditions, unauthenticated remote attackers can finally execute arbitrary code on the target server by constructing malicious serialized data. The […]
