βΌ CVE-2023-25656 βΌ
π Read
via "National Vulnerability Database".
notation-go is a collection of libraries for supporting Notation sign, verify, push, pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures and the application will be finally killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-24998 βΌ
π Read
via "National Vulnerability Database".
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25613 βΌ
π Read
via "National Vulnerability Database".
An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25569 βΌ
π Read
via "National Vulnerability Database".
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cookie SameSite strategy was set to Lax in version 2.1.0. As a workaround, avoid visiting unknown source pages.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25570 βΌ
π Read
via "National Vulnerability Database".
Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended. This is because there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25805 βΌ
π Read
via "National Vulnerability Database".
versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.π Read
via "National Vulnerability Database".
β Twitter tells users: Pay up if you want to keep using insecure 2FA β
π Read
via "Naked Security".
Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.π Read
via "Naked Security".
Naked Security
Twitter tells users: Pay up if you want to keep using insecure 2FA
Ironically, Twitter Blue users will be allowed to keep using the very 2FA process thatβs not considered secure enough for everyone else.
π1
βΌ CVE-2022-48321 βΌ
π Read
via "National Vulnerability Database".
Limited Server-Side Request Forgery (SSRF) in agent-receiver in Tribe29's Checkmk <= 2.1.0p11 allows an attacker to communicate with local network restricted endpoints by use of the host registration API.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46303 βΌ
π Read
via "National Vulnerability Database".
Command injection in SMS notifications in Tribe29 Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker with User Management permissions, as well as LDAP administrators in certain scenarios, to perform arbitrary commands within the context of the application's local permissions.π Read
via "National Vulnerability Database".
βΌ CVE-2022-47909 βΌ
π Read
via "National Vulnerability Database".
Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48319 βΌ
π Read
via "National Vulnerability Database".
Sensitive host secret disclosed in cmk-update-agent.log file in Tribe29's Checkmk <= 2.1.0p13, Checkmk <= 2.0.0p29, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to gain access to the host secret through the unprotected agent updater log file.π Read
via "National Vulnerability Database".
βΌ CVE-2022-46836 βΌ
π Read
via "National Vulnerability Database".
PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject and execute PHP code which will be executed upon request of the vulnerable component.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32848 βΌ
π Read
via "National Vulnerability Database".
Octobox is software for managing GitHub notifications. Prior to pull request (PR) 2807, a user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability. This issue is fixed in PR 2807.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32847 βΌ
π Read
via "National Vulnerability Database".
HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior, a malicious guest can trigger a vulnerability in the host by abusing the disk driver that may lead to the disclosure of the host memory into the virtualized guest. This issue is fixed in commit cf60095a4d8c3cb2e182a14415467afd356e982f.π Read
via "National Vulnerability Database".
βΌ CVE-2015-10081 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and classified as problematic. This issue affects some unknown processing of the file edit_list.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.0b2.9a is able to address this issue. The name of the patch is a739f680a1623d22f52ff1371e86ca472e63756f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-221495.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48320 βΌ
π Read
via "National Vulnerability Database".
Cross-site Request Forgery (CSRF) in Tribe29's Checkmk <= 2.1.0p17, Checkmk <= 2.0.0p31, and all versions of Checkmk 1.6.0 (EOL) allow an attacker to add new visual elements to multiple pages.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48317 βΌ
π Read
via "National Vulnerability Database".
Expired sessions were not securely terminated in the RestAPI for Tribe29's Checkmk <= 2.1.0p10 and Checkmk <= 2.0.0p28 allowing an attacker to use expired session tokens when communicating with the RestAPI.π Read
via "National Vulnerability Database".
βΌ CVE-2016-15027 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in meta4creations Post Duplicator Plugin 2.18. It has been classified as problematic. Affected is the function mtphr_post_duplicator_notice of the file includes/notices.php. The manipulation of the argument post-duplicated leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.19 is able to address this issue. The name of the patch is ca67c05e490c0cf93a1e9b2d93bfeff3dd96f594. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221496.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48318 βΌ
π Read
via "National Vulnerability Database".
No authorisation controls in the RestAPI documentation for Tribe29's Checkmk <= 2.1.0p13 and Checkmk <= 2.0.0p29 which may lead to unintended information disclosure through automatically generated user specific tags within Rest API documentation.π Read
via "National Vulnerability Database".
βΌ CVE-2019-25104 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been found in rtcwcoop 1.0.2 and classified as problematic. Affected by this vulnerability is the function AICast_ScriptLoad of the file code/game/ai_cast_script.c of the component Team Command Handler. The manipulation leads to denial of service. The name of the patch is f2cd18bc2e1cbca8c4b78bee9c392272bd5f42ac. It is recommended to apply a patch to fix this issue. The identifier VDB-221485 was assigned to this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32850 βΌ
π Read
via "National Vulnerability Database".
jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version 2.3.6.π Read
via "National Vulnerability Database".