More CyberWatch

October 11, 2023

Zero-Day Alert: Guarding Your Skype for Business by Defending Against CVE-2023-41763

Microsoft has recently addressed a significant security issue in their instant messaging and videotelephony application, Skype for Business, tracked as CVE-2023-41763. This vulnerability is categorized as an Elevation of Privilege bug. Although Microsoft has now fixed it, the flaw was actively exploited. Attackers could access some sensitive information but not alter or restrict access to it. The impact relates primarily to confidentiality.

October 9, 2023

Vulnerability Report: CURLShield - Protecting Your Data in the Digital Tangle, CVE-2023-38545

The maintainers of the cURL data transfer project are actively working on addressing a high-severity vulnerability in the software, which affects both libcurl and curl. This vulnerability is tracked as CVE-2023-38545 and is considered one of the most severe flaws in the open-source tool. Specific details about the vulnerability and affected versions have been withheld so that the problem cannot be identified before the release, but all iterations released over the "last several years" are considered vulnerable. The release of fixes for this vulnerability is scheduled for October 11, 2023.

October 6, 2023

Vulnerability Report: Cisco’s Critical Vulnerability and Compliance Conundrum

A Cisco Security Advisory was released on October 4th, 2023, regarding CVE-2023-20101. This vulnerability has a CVSS 3.1 base score of 9.8, marking it as critical. It affects the ‘Cisco Emergency Responder Release 12.5(1)SU4’ within their Unified Communications Manager. This vulnerability enables an unauthenticated remote attacker to log in to an affected device with root-level privileges.

October 5, 2023

Zero-Day Alert: D-Link’s Network-Adjacent Threat – Are you secure?

CVE-2023-44416 (CVSS Score: 6.8) is just one of many recent zero-days from D-Link, a Taiwanese networking equipment corporation. This specific flaw, reported by Zero Day Initiative, affects the command line interface (CLI) service that listens on TCP port 23 within the DAP-2622 Access Point product. The service does not properly validate a user-supplied string before using it to execute a system call. A network-adjacent attacker can use the vulnerability to execute arbitrary code in root context on affected installations of D-Link DAP-2622 without requiring authentication.

October 4, 2023

Vulnerability Report: Linux Kernel's Looming Threat: CVE-2023-5345 - Secure Your Path to Privilege

A use-after-free vulnerability, identified as CVE-2023-5345, has been discovered in the Linux kernel's fs/smb/client component. This vulnerability has the potential for local privilege escalation. Specifically, the vulnerability arises from an error in the smb3_fs_context_parse_param function, leading to the improper handling of the ctx->password field. If exploited, this could result in a double-free condition. The severity of this vulnerability is rated as high (CVSS v3 Base Score: 7.8).

October 3, 2023

Critical Zero-Day Alert: Fatal RCE flaw in Exim Internet Mailer

CVE-2023-42115, a critical vulnerability rated 9.8 under CVSS 3.1, affects Exim Internet Mailer, a message transfer agent used with Unix systems connected to the internet. It is described as an AUTH out-of-bounds write remote code execution vulnerability.

October 2, 2023

Vulnerability Report: Ajax Poll Script

A problematic vulnerability, CVE-2023-5313, has been identified in the phpkobo Ajax Poll Script version 3.18. This vulnerability resides in the file ajax-poll.php within the Poll Handler component and is related to improper enforcement of a single, unique action. The severity of this vulnerability is categorized as critical (CVSS v3 Base Score: 9.8). It allows remote attackers to exploit the system, and an exploit for this vulnerability has been publicly disclosed.

September 28, 2023

Zero-Day Alert: Google Chrome Browser

Google has identified and addressed a high-severity zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser. This vulnerability involves a heap-based buffer overflow in the VP8 compression format within the libvpx video codec library, which is used by Google and the Alliance for Open Media (AOMedia). Clément Lecigne of Google's Threat Analysis Group (TAG) discovered and reported this flaw on September 25, 2023, and it has already been actively exploited by a commercial spyware vendor.

September 28, 2023

Zero-Day Alert: Cisco IOS

Cisco has issued a warning about a zero-day vulnerability, identified as CVE-2023-20109, impacting IOS and IOS XE software. This medium-severity security flaw is associated with the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols used in the GET VPN feature. The vulnerability, discovered by X. B. of the Cisco Advanced Security Initiatives Group (ASIG), can potentially allow attackers to execute arbitrary code or cause system crashes. While exploitation requires administrative control of a key server or a group member, attackers have already started targeting it.
