| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function |
| Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. |
| MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12 |
| Certain versions of the Atlassian Companion App for MacOS were affected by a remote code execution vulnerability. An attacker could utilize WebSockets to bypass Atlassian Companion’s blocklist and MacOS Gatekeeper to allow execution of code. |
| This vulnerability, if exploited, allows an attacker to perform privileged RCE (Remote Code Execution) on machines with the Assets Discovery agent installed. The vulnerability exists between the Assets Discovery application (formerly known as Insight Discovery) and the Assets Discovery agent. |
| Sandbox escape in the Storage: IndexedDB component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Undefined behavior in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). The REST API of affected devices does not check the length of parameters in certain conditions. This allows a malicious admin to crash the server by sending a crafted request to the API. The server will automatically restart. |
| Mitigation bypass in the DOM: HTML Parser component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Windows Print Spooler Elevation of Privilege Vulnerability |
| Incorrect boundary conditions in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Improper
access control in multiple DVLS REST API endpoints in Devolutions
Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data. |
| Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Same-origin policy bypass in the Networking: JAR component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| Mitigation bypass in the Networking: Cache component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. |
| We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.
An attacker could craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Please see the Security Updates table for the link to the updated app. Alternatively you can download and install the Installer using the links provided in the FAQ section.
Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.
December 27 2023 Update:
In recent months, Microsoft Threat Intelligence has seen an increase in activity from threat actors leveraging social engineering and phishing techniques to target Windows OS users and utilizing the ms-appinstaller URI scheme.
To address this increase in activity, we have updated the App Installer to disable the ms-appinstaller protocol by default and recommend other potential mitigations. |
