βΌ CVE-2013-10019 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in OCLC-Research OAICat 1.5.61. It has been rated as critical. This issue affects some unknown processing. The manipulation leads to sql injection. The attack may be initiated remotely. Upgrading to version 1.5.62 is able to address this issue. The name of the patch is 6cc65501869fa663bcd24a70b63f41f5cfe6b3e1. It is recommended to upgrade the affected component. The identifier VDB-221489 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
ποΈ βMost web API flaws are missed by standard security testsβ β Corey J Ball on securing a neglected attack vector ποΈ
π Read
via "The Daily Swig".
API security is a βgreat gatewayβ into a pen testing career, advises specialist in the fieldπ Read
via "The Daily Swig".
portswigger.net
Web Application Security, Testing, & Scanning - PortSwigger
PortSwigger offers tools for web application security, testing, & scanning. Choose from a range of security tools, & identify the very latest vulnerabilities.
π΄ Modern Software: What's Really Inside? π΄
π Read
via "Dark Reading".
Open source has changed the software game from build or buy to assemble with care.π Read
via "Dark Reading".
Dark Reading
Modern Software: What's Really Inside?
Open source has changed the software game from build or buy to assemble with care.
π Falco 0.34.1 π
π Read
via "Packet Storm Security".
Sysdig Falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about Falco as a mix between snort, ossec and strace.π Read
via "Packet Storm Security".
Packetstormsecurity
Falco 0.34.1 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π AIEngine 2.3.0 π
π Read
via "Packet Storm Security".
AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua and Go network intrusion detection system engine. AIEngine also helps network/security professionals to identify traffic and develop signatures for use them on NIDS, Firewalls, Traffic classifiers and so on.π Read
via "Packet Storm Security".
Packetstormsecurity
AIEngine 2.3.0 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2023-25656 βΌ
π Read
via "National Vulnerability Database".
notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24998 βΌ
π Read
via "National Vulnerability Database".
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25613 βΌ
π Read
via "National Vulnerability Database".
An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25569 βΌ
π Read
via "National Vulnerability Database".
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25570 βΌ
π Read
via "National Vulnerability Database".
Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25805 βΌ
π Read
via "National Vulnerability Database".
versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.π Read
via "National Vulnerability Database".
β Twitter tells users: Pay up if you want to keep using insecure 2FA β
π Read
via "Naked Security".
Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.π Read
via "Naked Security".
Naked Security
Twitter tells users: Pay up if you want to keep using insecure 2FA
Ironically, Twitter Blue users will be allowed to keep using the very 2FA process thatβs not considered secure enough for everyone else.
π1
βΌ CVE-2022-48321 βΌ
π Read
via "National Vulnerability Database".
Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46303 βΌ
π Read
via "National Vulnerability Database".
Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47909 βΌ
π Read
via "National Vulnerability Database".
Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48319 βΌ
π Read
via "National Vulnerability Database".
Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46836 βΌ
π Read
via "National Vulnerability Database".
PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32848 βΌ
π Read
via "National Vulnerability Database".
Octobox is software for managing GitHub notifications. Prior to pull request (PR) 2807, a user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability. This issue is fixed in PR 2807.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32847 βΌ
π Read
via "National Vulnerability Database".
HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior, a malicious guest can trigger a vulnerability in the host by abusing the disk driver that may lead to the disclosure of the host memory into the virtualized guest. This issue is fixed in commit cf60095a4d8c3cb2e182a14415467afd356e982f.π Read
via "National Vulnerability Database".
βΌ CVE-2015-10081 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and classified as problematic. This issue affects some unknown processing of the file edit_list.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.0b2.9a is able to address this issue. The name of the patch is a739f680a1623d22f52ff1371e86ca472e63756f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-221495.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48320 βΌ
π Read
via "National Vulnerability Database".
Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.π Read
via "National Vulnerability Database".