CVE-2023-29050

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE-90)

Published: Jan 8, 2024 / Updated: 10mo ago

Our April mini-briefing video includes an overview of the release and then a discussion of a few items from today's release. 00:52 - Overview 06:07 - CVE-2023-26234 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26234) 06:58 - CVE-2023-29050 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29050) 08:58 - CVE-2024-29990 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29990) 10:31 - CVE-2024-28906 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28906) ► Subscribe to Microsoft Security on YouTube here: https://aka.ms/SubscribeMicrosoftSecurity ► Follow us on social: LinkedIn: https://www.linkedin.com/showcase/microsoft-security/ Twitter: https://twitter.com/msftsecurity ► Join our Tech Community: https://aka.ms/SecurityTechCommunity ► For more about Microsoft Security: https://msft.it/6002T9HQY #microsoftsecurity #microsoft

High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info siemens -- simatic_ipc1047e A vulnerability has been identified in SIMATIC IPC1047E (All versions with maxView Storage Manager 2F024-01-09 10 CVE-2023-51438 productcert@siemens.com gitlab -- gitlab An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. 2024-01-12 10 CVE-2023-7028 cve@gitlab.com cve@gitlab.com snapcreek -- duplicator The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server. 2024-01-08 9.8 CVE-2018-25095 contact@wpscan.com irfanview -- b3d IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-based out-of-bounds write. 2024-01-05 9.8 CVE-2020-13878 cve@mitre.org irfanview -- b3d IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-based out-of-bounds write. 2024-01-05 9.8 CVE-2020-13879 cve@mitre.org irfanview -- b3d IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+1cbf heap-based out-of-bounds write. 2024-01-05 9.8 CVE-2020-13880 cve@mitre.org wiselyhub -- js_help_desk Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk - Best Help Desk & Support Plugin.This issue affects JS Help Desk - Best Help Desk & Support Plugin: from n/a through 2.7.1. 2024-01-05 9.8 CVE-2022-46839 audit@patchstack.com netscout -- ngeniusone An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. 2024-01-09 9.8 CVE-2023-26999 cve@mitre.org cve@mitre.org cve@mitre.org open-xchange -- ox_app_suite The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy.

Internal reference: MWB-2261Type: CWE-78 (Improper Neutralization of Special Elements used in an OS

Internal reference: MWB-2261Type: CWE-78 (Improper Neutralization of Special Elements used in an OS

OX App Suite versions 7.10.6-rev50 suffers from remote code execution and LDAP injection vulnerabilities. Version 7.10.6-rev33 suffers from a cross site scripting vulnerability.