FISA

Patches have been released to address two new security vulnerabilities in  Apache Superset  that could be exploited by an attacker to gain remote code execution on affected systems. The update (version 2.1.1) plugs  CVE-2023-39265  and  CVE-2023-37941 , which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset's metadata database. Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue ( CVE-2023-36388 ) that allows for low-privilege users to carry out server-side request forgery ( SSRF ) attacks. "Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries against those databases using the powerful SQLLab interface," Horizon3.ai's Naveen Sunkavally said in a technical write-up. "If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write application

VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," the company  said  in an advisory. ProjectDiscovery researchers Harsh Jaiswal and Rahul Maini have been credited with discovering and reporting the issue. The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution. Credited with re

  Four security vulnerabilities in the ScrutisWeb ATM fleet monitoring software made by Iagona could be exploited to remotely break into ATMs, upload arbitrary files, and even reboot the terminals. The shortcomings were discovered by the Synack Red Team (SRT) following a client engagement. The issues have been addressed in ScrutisWeb version 2.1.38. "Successful exploitation of these vulnerabilities could allow an attacker to upload and execute arbitrary files," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said  in an advisory published last month. ScrutisWeb is a web browser-based solution for monitoring banking and retail ATM fleets, including gleaning information system status, detecting low paper alerts, shutting down or restarting a terminal, and remotely modifying data. Details of the four flaws are as follows - CVE-2023-33871  (CVSS score: 7.5) - A directory traversal vulnerability that could allow an unauthenticated user to directly access any file