โผ CVE-2023-28119 โผ
๐ Read
via "National Vulnerability Database".
The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-45004 โผ
๐ Read
via "National Vulnerability Database".
Gophish through 0.12.1 was discovered to contain a cross-site scripting (XSS) vulnerability via a crafted landing page.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-28663 โผ
๐ Read
via "National Vulnerability Database".
The Formidable PRO2PDF WordPress Plugin, version < 3.11, is affected by an authenticated SQL injection vulnerability in the รขโฌหfieldmapรขโฌโข parameter in the fpropdf_export_file action.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-28433 โผ
๐ Read
via "National Vulnerability Database".
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.๐ Read
via "National Vulnerability Database".
โ๏ธ Google Suspends Chinese E-Commerce App Pinduoduo Over Malware โ๏ธ
๐ Read
via "Krebs on Security".
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.๐ Read
via "Krebs on Security".
Krebs on Security
Google Suspends Chinese E-Commerce App Pinduoduo Over Malware
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app soughtโฆ
โผ CVE-2023-27054 โผ
๐ Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in MiroTalk P2P before commit f535b35 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the settings module.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27060 โผ
๐ Read
via "National Vulnerability Database".
LightCMS v1.3.7 was discovered to contain a remote code execution (RCE) vulnerability via the image:make function.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-43863 โผ
๐ Read
via "National Vulnerability Database".
IBM QRadar SIEM 7.4 and 7.5 is vulnerable to privilege escalation, allowing a user with some admin capabilities to gain additional admin capabilities. IBM X-Force ID: 239425.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-27100 โผ
๐ Read
via "National Vulnerability Database".
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1590 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. This issue affects the function exec of the file admin/operations/currency.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223655.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1051 โผ
๐ Read
via "National Vulnerability Database".
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in As Koc Energy Web Report System allows Reflected XSS.This issue affects Web Report System: before 23.03.10.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1050 โผ
๐ Read
via "National Vulnerability Database".
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in As Koc Energy Web Report System allows SQL Injection.This issue affects Web Report System: before 23.03.10.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1589 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability has been found in SourceCodester Online Tours & Travels Management System 1.0 and classified as critical. This vulnerability affects the function exec of the file admin/operations/approve_delete.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-223654 is the identifier assigned to this vulnerability.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1591 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in SourceCodester Automatic Question Paper Generator System 1.0. This affects an unknown part of the file classes/Users.php?f=save_ruser. The manipulation of the argument id/email leads to sql injection. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-223659.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-26114 โผ
๐ Read
via "National Vulnerability Database".
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance.๐ Read
via "National Vulnerability Database".
โผ CVE-2022-22512 โผ
๐ Read
via "National Vulnerability Database".
Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1410 โผ
๐ Read
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.๐ Read
via "National Vulnerability Database".
๐ด IoT Startup OP[4] Launches With Vulnerability Management Platform ๐ด
๐ Read
via "Dark Reading".
Automated Platform Detects, Prioritizes, Remediates Exploitable Vulnerabilities in Internet of Things and Embedded Systems.๐ Read
via "Dark Reading".
Dark Reading
DR Technology
โผ CVE-2023-1593 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in SourceCodester Automatic Question Paper Generator System 1.0. This issue affects some unknown processing of the file classes/Master.php?f=save_class. The manipulation of the argument description leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-223661 was assigned to this vulnerability.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1595 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability has been found in novel-plus 3.6.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file common/log/list. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223663.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-1592 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. This vulnerability affects unknown code of the file admin/courses/view_class.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The identifier of this vulnerability is VDB-223660.๐ Read
via "National Vulnerability Database".