Remote Code Execution (RCE) vulnerability in evaluating property name expressions (github.com)

### Summary

Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely eval...
The Shadowserver Foundation (shadowserver.org)

Our mission is to make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats. Join our Alliance! https://shadowserver.org/partner
NVD - CVE-2024-22729 (nvd.nist.gov)

Progress Customer Community (community.progress.com)
Zyxel security advisory for multiple vulnerabilities in NAS products | Zyxel Networks (zyxel.com)

CVEs: CVE-2024-29972, CVE-2024-29973, CVE-2024-29974, CVE-2024-29975, CVE-2024-29976

### Summary

Zyxel has released patches addressing command injection and remote code execution vulnerabilities in two NAS products that have reached end-of-vulnerability-support. Users are advised to install them for optimal protection.

### What are the vulnerabilities?

- CVE-2024-29972 **UNSUPPORTED WHEN ASSIGNED**: This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
- CVE-2024-29973 **UNSUPPORTED WHEN ASSIGNED**: This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
- CVE-2024-29974 **UNSUPPORTED WHEN ASSIGNED**: This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
- CVE-2024-29975 **UNSUPPORTED WHEN ASSIGNED**: This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
- CVE-2024-29976 **UNSUPPORTED WHEN ASSIGNED**: This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

### What versions are vulnerable—and what should you do?

Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support\*.

| Affected model | Affected version | Patch availability |
|---|---|---|
| NAS326 | V5.21(AAZF.16)C0 and earlier | V5.21(AAZF.17)C0 |
| NAS542 | V5.21(ABAG.13)C0 and earlier | V5.21(ABAG.14)C0 |

\*Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.

### Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

### Acknowledgment

Thanks to Timothy Hjort from Outpost24 for reporting the issues to us.

### Revision history

2024-6-4: Initial release.
PHP: Hypertext Preprocessor (php.net)

PHP is a popular general-purpose scripting language that powers everything from your blog to the most popular websites in the world.

2024 Data Breach Investigations Report (verizon.com)

Reduce cyber risks with insights from the 2024 Data Breach Investigations Report (DBIR) from Verizon. Read the official report today.
The Shadowserver Foundation dashboard (dashboard.shadowserver.org): Time series · General statistics
Thank you Craig Newmark! Reflections on Cyber Civil Defense (www.youtube.com)

On April 24, 2024, Craig Newmark was presented with the Cyber Policy Award for Cyber Philanthropy/ist of the Year, a recognition of his commitment to advancing the global digital ecosystem's safety, security, and the rule of law through the Cyber Civil Defense initiative. Organizations from across the cyber policy ecosystem came together to reflect on what cyber civil defense means to them, recognize Craig's impact, and thank him for his efforts.

"From all of us at the Cyber Civil Defense Initiative, thank you Craig for all that you do to make the world a safer, more cybersecure place," concluded IST Chief Strategy Officer Megan Stifel.

Thank you to the following participants!

- Suzanne Spaulding: Director, Defending Democratic Institutions Project, Center for Strategic and International Studies
- Megan Stifel: Chief Strategy Officer, Institute for Security and Technology and Executive Director, Ransomware Task Force
- Philip Reitinger: President & CEO, Global Cyber Alliance
- Tod Eberle: Alliance Director, Shadowserver Foundation
- Vivian Yu: STEM Program Manager, Girl Scouts of Greater New York
- Lorrie Cranor: Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab, Carnegie Mellon University
- Stacey Higginbotham: Policy Fellow, Consumer Reports
- Katharine Brooks: Director, Global Cyber Policy, Aspen Institute
- Ally Armeson: Executive Director of Programs, Cybercrime Support Network
- Ann Cleaveland: Executive Director, UC Berkeley’s Center for Long-Term Cybersecurity
- Tarika Barrett: Chief Executive Officer, Girls Who Code
- J. Michael Daniel: President & CEO, Cyber Threat Alliance
- Rebekah Skeete: Chief Operating Officer, Black Girls Hack
- Lauren Bean Buitta: Founder and CEO, Girl Security

Learn more about the Cyber Policy Awards: https://securityandtechnology.org/inaugural-cyber-policy-awards/