Blog

Security Advisory Description Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, ... More info: https://my.f5.com/manage/s/article/K000135156?utm_source=f5support&utm_medium=RSS

Security Advisory Description Incorrect calculation in microcode keying mechanism for some 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable ... More info: https://my.f5.com/manage/s/article/K000134942?utm_source=f5support&utm_medium=RSS

Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are ... More info: https://my.f5.com/manage/s/article/K000135149?utm_source=f5support&utm_medium=RSS

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Cisco Secure Email Gateway, formerly Cisco Email Security Appliance (ESA); and Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has More info: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Secure%20Email%20Gateway,%20Cisco%20Secure%20Email%20and%20Web%20Manager,%20and%20Cisco%20Secure%20Web%20Appliance%20Cross-Site%20Scripting%20Vulnerabilities&vs_k=1

A vulnerability in Cisco Duo Two-Factor Authentication for macOS could allow an authenticated, physical attacker to bypass secondary authentication and access an affected macOS device. This vulnerability is due to the incorrect handling of responses from Cisco Duo when the application is configured to fail open. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access More info: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-mac-bypass-OyZpVPnx?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Duo%20Two-Factor%20Authentication%20for%20macOS%20Authentication%20Bypass%20Vulnerability&vs_k=1

par Michael Hawkins. Authenticated users were able to enumerate other users names via the learning plans page.Severity/Risk:MinorVersions affected:4.1 to 4.1.1 and 4.0 to 4.0.6Versions fixed:4.1.2 and 4.0.7Reported by:Paul HoldenCVE identifier:CVE-2023-28334Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77129Tracker issue:MDL-77129 Users name enumeration possible via IDOR on learning plans page More info: https://moodle.org/mod/forum/discuss.php?d=445066&parent=1788899

par Michael Hawkins. The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk.Severity/Risk:MinorVersions affected:4.1 to 4.1.1Versions fixed:4.1.2Reported by:DegrangeMCVE identifier:CVE-2023-28335Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77008Tracker issue:MDL-77008 CSRF risk in resetting all templates of a database activity More info: https://moodle.org/mod/forum/discuss.php?d=445067&parent=1788900

par Michael Hawkins. The course participation report required additional checks to prevent roles being displayed which the user did not have access to view.Severity/Risk:MinorVersions affected:4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versionsVersions fixed:4.1.2, 4.0.7, 3.11.13 and 3.9.20Reported by:Chris PrattCVE identifier:CVE-2023-1402Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-75517Tracker More info: https://moodle.org/mod/forum/discuss.php?d=445069&parent=1788902

par Michael Hawkins. Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access.Severity/Risk:MinorVersions affected:4.1 to 4.1.1, 4.0 to 4.0.6, 3.11 to 3.11.12, 3.9 to 3.9.19 and earlier unsupported versionsVersions fixed:4.1.2, 4.0.7, 3.11.13 and 3.9.20Reported by:DegrangeMCVE identifier:CVE-2023-28336Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76809Tracker More info: https://moodle.org/mod/forum/discuss.php?d=445068&parent=1788901

par Michael Hawkins. Insufficient sanitizing of loaders used by TinyMCE resulted in an arbitrary folder creation risk.Severity/Risk:SeriousVersions affected:4.1 to 4.1.2Versions fixed:4.1.3Reported by:Yaniv Nizry (SonarSource)CVE identifier:CVE-2023-30943Changes (master):http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-77718Tracker issue:MDL-77718 TinyMCE loaders susceptible to Arbitrary Folder Creation More info: https://moodle.org/mod/forum/discuss.php?d=446285&parent=1793613