βΌ CVE-2023-0326 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab DAST API scanner affecting all versions starting from 1.6.50 before 2.11.0, where Authorization headers was leaked in vulnerability report evidence.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26493 βΌ
π Read
via "National Vulnerability Database".
Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the `web-interface-check.yml` was subject to command injection. The `web-interface-check.yml` was triggered when a pull request was opened or updated and contained the user controllable field `(${{ github.head_ref }} Γ’β¬β the name of the forkΓ’β¬β’s branch)`. This would allow an attacker to take over the GitHub Runner and run custom commands (potentially stealing secrets such as GITHUB_TOKEN) and altering the repository. The workflow has since been removed for the repository. There are no actions required of users.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26549 βΌ
π Read
via "National Vulnerability Database".
The SystemUI module has a vulnerability of repeated app restart due to improper parameters. Successful exploitation of this vulnerability may affect confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2023-20860 βΌ
π Read
via "National Vulnerability Database".
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0179 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1637 βΌ
π Read
via "National Vulnerability Database".
A flaw that boot CPU could be vulnerable for the speculative execution behavior kind of attacks in the Linux kernel X86 CPU Power management options functionality was found in the way user resuming CPU from suspend-to-RAM. A local user could use this flaw to potentially get unauthorized access to some memory of the CPU similar to the speculative execution behavior kind of attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28430 βΌ
π Read
via "National Vulnerability Database".
OneSignal is an email, sms, push notification, and in-app message service for mobile apps.The Zapier.yml workflow is triggered on issues (types: [closed]) (i.e., when an Issue is closed). The workflow starts with full write-permissions GitHub repository token since the default workflow permissions on Organization/Repository level are set to read-write. This workflow runs the following step with data controlled by the comment `(${{ github.event.issue.title }} Γ’β¬β the full title of the Issue)`, allowing an attacker to take over the GitHub Runner and run custom commands, potentially stealing any secret (if used), or altering the repository. This issue was found with CodeQL using javascriptΓ’β¬β’s Expression injection in Actions query. This issue has been addressed in the repositories github action. No actions are required by users. This issue is also tracked as `GHSL-2023-051`.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26547 βΌ
π Read
via "National Vulnerability Database".
The InputMethod module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1648 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab DAST API scanner affecting all versions starting from 1.6.50 before 2.11.0, where Authorization headers was leaked in vulnerability report evidence.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26548 βΌ
π Read
via "National Vulnerability Database".
The pgmng module has a vulnerability in serialization/deserialization. Successful exploitation of this vulnerability may affect availability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0210 βΌ
π Read
via "National Vulnerability Database".
A bug affects the Linux kernelΓ’β¬β’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.π Read
via "National Vulnerability Database".
βΌ CVE-2023-28102 βΌ
π Read
via "National Vulnerability Database".
discordrb is an implementation of the Discord API using Ruby. In discordrb before commit `91e13043ffa` the `encoder.rb` file unsafely constructs a shell string using the file parameter, which can potentially leave clients of discordrb vulnerable to command injection. The library is not directly exploitable: the exploit requires that some client of the library calls the vulnerable method with user input. However, if unsafe input reaches the library method, then an attacker can execute arbitrary shell commands on the host machine. Full impact will depend on the permissions of the process running the `discordrb` library and will likely not be total system access. This issue has been addressed in code, but a new release of the `discordrb` gem has not been uploaded to rubygems. This issue is also tracked as `GHSL-2022-094`.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48347 βΌ
π Read
via "National Vulnerability Database".
The MediaProvider module has a vulnerability in permission verification. Successful exploitation of this vulnerability may affect confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48358 βΌ
π Read
via "National Vulnerability Database".
The BatteryHealthActivity has a redirection vulnerability. Successful exploitation of this vulnerability by a malicious app can cause service exceptions.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1665 βΌ
π Read
via "National Vulnerability Database".
Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 0.0.0.π Read
via "National Vulnerability Database".
βΌ CVE-2022-48357 βΌ
π Read
via "National Vulnerability Database".
Some products have the double fetch vulnerability. Successful exploitation of this vulnerability may cause denial of service (DoS) attacks to the kernel.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40595 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40592 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40587 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40599 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2022-40594 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2022. Notes: none.π Read
via "National Vulnerability Database".