βΌ CVE-2022-45003 βΌ
π Read
via "National Vulnerability Database".
Gophish through 0.12.1 allows attackers to cause a Denial of Service (DoS) via a crafted payload involving autofocus.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0386 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernelΓ’β¬β’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28664 βΌ
π Read
via "National Vulnerability Database".
The Meta Data and Taxonomies Filter WordPress plugin, in versions < 1.3.1, is affected by a reflected cross-site scripting vulnerability in the 'tax_name' parameter of the mdf_get_tax_options_in_widget action, which can only be triggered by an authenticated user.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28432 βΌ
π Read
via "National Vulnerability Database".
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28439 βΌ
π Read
via "National Vulnerability Database".
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages on a web page with missing proper Content Security Policy configuration; initializing the editor on an element and using an element other than `<textarea>` as a base; and destroying the editor instance. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. A fix is available in CKEditor4 version 4.21.0. In some rare cases, a security fix may be considered a breaking change. Starting from version 4.21.0, the Iframe Dialog plugin applies the `sandbox` attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the `config.iframe_attributes` option. Also starting from version 4.21.0, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the `config.embed_keepOriginalContent` option. Those who choose to enable either of the more permissive options or who cannot upgrade to a patched version should properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on their web page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28662 βΌ
π Read
via "National Vulnerability Database".
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an unauthenticated SQL injection vulnerability in the template parameter in the wpgv_doajax_voucher_pdf_save_func action.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28661 βΌ
π Read
via "National Vulnerability Database".
The WP Popup Banners WordPress Plugin, version <= 1.2.5, is affected by an authenticated SQL injection vulnerability in the 'value' parameter in the get_popup_data action.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28667 βΌ
π Read
via "National Vulnerability Database".
The Lead Generated WordPress Plugin, version <= 1.23, was affected by an unauthenticated insecure deserialization issue. The tve_labels parameter of the tve_api_form_submit action is passed to the PHP unserialize() function without being sanitized or verified, and as a result could lead to PHP object injection, which when combined with certain class implementations / gadget chains could be leveraged to perform a variety of malicious actions granted a POP chain is also present.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28438 βΌ
π Read
via "National Vulnerability Database".
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries and given the fact that this endpoint is using the GET method (no CSRF protection), an attacker can inject an arbitrary query by manipulating a user to click on a link. Users should upgrade to version 10.5.19 to receive a patch or, as a workaround, may apply the patch manually.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28119 βΌ
π Read
via "National Vulnerability Database".
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.π Read
via "National Vulnerability Database".
βΌ CVE-2022-45004 βΌ
π Read
via "National Vulnerability Database".
Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28663 βΌ
π Read
via "National Vulnerability Database".
The Formidable PRO2PDF WordPress Plugin, version < 3.11, is affected by an authenticated SQL injection vulnerability in the Γ’β¬ΛfieldmapΓ’β¬β’ parameter in the fpropdf_export_file action.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28433 βΌ
π Read
via "National Vulnerability Database".
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.π Read
via "National Vulnerability Database".
βοΈ Google Suspends Chinese E-Commerce App Pinduoduo Over Malware βοΈ
π Read
via "Krebs on Security".
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.π Read
via "Krebs on Security".
Krebs on Security
Google Suspends Chinese E-Commerce App Pinduoduo Over Malware
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app soughtβ¦
βΌ CVE-2023-27054 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in MiroTalk P2P before commit f535b35 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the settings module.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27060 βΌ
π Read
via "National Vulnerability Database".
LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function.π Read
via "National Vulnerability Database".
βΌ CVE-2022-43863 βΌ
π Read
via "National Vulnerability Database".
IBM QRadar SIEM 7.4 and 7.5 is vulnerable to privilege escalation, allowing a user with some admin capabilities to gain additional admin capabilities. IBM X-Force ID: 239425.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27100 βΌ
π Read
via "National Vulnerability Database".
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1590 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. This issue affects the function exec of the file admin/operations/currency.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223655.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1051 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in As Koc Energy Web Report System allows Reflected XSS.This issue affects Web Report System: before 23.03.10.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1050 βΌ
π Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in As Koc Energy Web Report System allows SQL Injection.This issue affects Web Report System: before 23.03.10.π Read
via "National Vulnerability Database".