βΌ CVE-2022-47745 βΌ
π Read
via "National Vulnerability Database".
ZenTao 16.4 to 18.0.beta1 is vulnerable to SQL injection. After logging in with any user, you can complete SQL injection by constructing a special request and sending it to function importNotice.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47197 βΌ
π Read
via "National Vulnerability Database".
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.π Read
via "National Vulnerability Database".
βΌ CVE-2020-10765 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47740 βΌ
π Read
via "National Vulnerability Database".
Seltmann GmbH Content Management System 6 is vulnerable to SQL Injection via /index.php.π Read
via "National Vulnerability Database".
βΌ CVE-2020-1715 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2020-10694 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2020-1713 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47194 βΌ
π Read
via "National Vulnerability Database".
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0406 βΌ
π Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.π Read
via "National Vulnerability Database".
βΌ CVE-2022-1676 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47196 βΌ
π Read
via "National Vulnerability Database".
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_head` for a post.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22741 βΌ
π Read
via "National Vulnerability Database".
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22745 βΌ
π Read
via "National Vulnerability Database".
tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.π Read
via "National Vulnerability Database".
βΌ CVE-2022-31901 βΌ
π Read
via "National Vulnerability Database".
Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46476 βΌ
π Read
via "National Vulnerability Database".
D-Link DIR-859 A1 1.05 was discovered to contain a command injection vulnerability via the service= variable in the soapcgi_main function.π Read
via "National Vulnerability Database".
βοΈ New T-Mobile Breach Affects 37 Million Accounts βοΈ
π Read
via "Krebs on Security".
T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.π Read
via "Krebs on Security".
Krebs on Security
New T-Mobile Breach Affects 37 Million Accounts
T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvestβ¦
βΌ CVE-2023-22339 βΌ
π Read
via "National Vulnerability Database".
Improper access control vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to bypass access restriction and obtain the server certificate including the private key of the product.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22373 βΌ
π Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22331 βΌ
π Read
via "National Vulnerability Database".
Use of default credentials vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote unauthenticated attacker to alter user credentials information.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0410 βΌ
π Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.π Read
via "National Vulnerability Database".
βΌ CVE-2023-22334 βΌ
π Read
via "National Vulnerability Database".
Use of password hash instead of password for authentication vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to obtain user credentials information via a man-in-the-middle attack.π Read
via "National Vulnerability Database".
π1