CVE-2024-3661, a.k.a. TunnelVision, Exposes a VPN Bypass Vulnerability
Introduction On May 6, 2024, a researcher from Leviathan Security Group identified a new technique, termed “TunnelVision”, that can bypass VPN encapsulation and enable attackers to send traffic outside a VPN tunnel using built-in features of the Dynamic Host Configuration Protocol (DHCP). TunnelVision involves the routing of traffic without ...
Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-51467)
Introduction On December 26, 2023, researchers at SonicWall announced the discovery of a zero-day security flaw in Apache OFBiz. Tracked as CVE-2023-51467, the vulnerability allows threat actors to bypass authentication and perform Server-Side Request Forgery (SSRF). CVE-2023-51467 earned a critical CVSS score of 9.8. According to researchers at SonicWall, ...
Coverage Advisory for CVE-2023-50164: Apache Struts Path Traversal and File Upload Vulnerability
Introduction On December 7, the Apache Software Foundation released Apache Struts versions 6.3.0.2 and 2.5.33 to address a critical vulnerability currently identified as CVE-2023-50164, a path traversal flaw that allows a malicious file to be uploaded and can potentially lead to Remote Code Execution (RCE) on affected versions of Apache ...
Coverage Advisory for CVE-2023-47246 SysAid Zero-Day Vulnerability
Introduction On November 8, 2023, SysAid published an advisory for CVE-2023-47246, a critical zero-day vulnerability in their SysAid On-Premise software. SysAid describes it as a path traversal vulnerability leading to code execution in that software. This blog includes immediate recommendations for SysAid On-Premise customers, best practices ...