Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196 PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185 PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView` class intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187 PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194 PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879 PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file
User Rank: Strategist
6/23/2017 | 11:38:43 AM
Until a dedicated exchange or forum exists (besides the existing tools that mesh subscriber detections today) that anonymizes the reporting entity sources, we won't see any real open collaboration. The fundamental problem in this interchange model is that the closer you get to anonymity the farther you get from assurance and authenticity. Meaning, the reliability of threat articulation from an anonymous source is less than a vetted representative from "MegaCorp, LLC" proper. This could be overcome by an intermediate, sanctioned broker to ensure the reporting entity is genuine.
Until the exchange mechanism is sexy and "now" it won't work either. The threat intelligence collaboration and sharing service needs to solidly be edgy social media. Think "HackedIn" and not some cold, corporate or government offering that reads like RFCs and NIST documentation.
Until the threat intelligence interchange is highly automated, it won't be accepted. MegaCorp is not going to dedicate service agents or ongoing labor to the contributions nor consuming content. If the end-all solution doesn't facilitate fast-flux transactions in both directions and provide actionable output that itself can be automated, it won't be widely adopted.