A security vulnerability in Kyocera's Device Manager product has been exposed, potentially allowing malicious actions on affected systems. Trustwave revealed the flaw, identified as CVE-2023-50916, which permits attackers to manipulate authentication attempts toward their resources, seizing or relaying Active Directory hashed credentials. This occurs when the security policy "Restrict NTLM: Outgoing NTLM traffic to remote servers" is disabled. Kyocera's late-month advisory characterized the issue as a path traversal flaw, enabling interception and modification of the database's backup location path to a Universal Naming Convention (UNC) path. Exploiting this flaw allows unauthorized access to clients' accounts, leading to data theft. Additionally, depending on the environment's configuration, it could facilitate NTLM relay attacks. Kyocera has addressed this vulnerability in Device Manager version 3.1.1213.0. Similarly, QNAP addressed several vulnerabilities, including high-severity issues in QTS, QuTS hero, QuMagie, Netatalk, and Video Station. Among these, CVE-2023-39296, classified as prototype pollution, could enable remote attackers to overwrite existing attributes, potentially causing system crashes. Fixes for this were provided in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110. Additionally, various other vulnerabilities were identified: CVE-2023-47559: Cross-site scripting (XSS) flaw in QuMagie (Addressed in QuMagie 2.2.1 and later) CVE-2023-47560: Operating system command injection flaw in QuMagie (Addressed in QuMagie 2.2.1 and later) CVE-2023-41287: SQL injection vulnerability in Video Station (Addressed in Video Station 5.7.2 and later) CVE-2023-41288: Operating system command injection vulnerability in Video Station (Addressed in Video Station 5.7.2 and later) CVE-2022-43634: Unauthenticated remote code execution vulnerability in Netatalk (Addressed in QTS 5.1.3.2578 build 20231110 and QuTS hero h5.1.3.2578 build 20231110).
Geisinger, a prominent healthcare system in Pennsylvania, has disclosed a data breach involving a former employee of Nuance, an IT services provider contracted by the organization....
Claroty, a security firm specializing in cyber-physical systems, has disclosed several vulnerabilities in Emerson's gas chromatographs that could have severe impacts if exploit...
GitLab has released security patches for both GitLab Community Edition (CE) and Enterprise Edition (EE) to address a total of 14 vulnerabilities, including critical and high-severi...