๐ด 2 Lenses for Examining the Safety of Open Source Software ๐ด
๐ Read
via "Dark Reading".
Improving the security of open source repositories and keeping malicious components out requires a combination of technology and people.๐ Read
via "Dark Reading".
โค1
โผ CVE-2023-33197 โผ
๐ Read
via "National Vulnerability Database".
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.๐ Read
via "National Vulnerability Database".
โค1๐1
โผ CVE-2023-2854 โผ
๐ Read
via "National Vulnerability Database".
BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file๐ Read
via "National Vulnerability Database".
โผ CVE-2023-21515 โผ
๐ Read
via "National Vulnerability Database".
InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-32321 โผ
๐ Read
via "National Vulnerability Database".
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. Potential DOS due to lack of a length check on the resource id. Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. Resource overwrite: A user with permission to create a resource can overwrite any resource if they know the id, even if they don't have access to it. A user with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file in an arbitrary location. This can be leveraged to Remote Code Execution via Beaker's insecure pickle loading. All the above listed vulnerabilities have been fixed in CKAN 2.9.9 and CKAN 2.10.1. Users are advised to upgrade. There are no known workarounds for these issues.๐ Read
via "National Vulnerability Database".
๐2
โผ CVE-2023-33192 โผ
๐ Read
via "National Vulnerability Database".
ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3.๐ Read
via "National Vulnerability Database".
๐1
โผ CVE-2023-32325 โผ
๐ Read
via "National Vulnerability Database".
PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-32688 โผ
๐ Read
via "National Vulnerability Database".
parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2922 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in SourceCodester Comment System 1.0. Affected is an unknown function of the file index.php of the component GET Parameter Handler. The manipulation of the argument msg leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230076.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-26129 โผ
๐ Read
via "National Vulnerability Database".
All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. **Note:**To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.๐ Read
via "National Vulnerability Database".
๐1
โผ CVE-2023-2928 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230083.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-32695 โผ
๐ Read
via "National Vulnerability Database".
socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. A patch has been released in version 4.2.3.๐ Read
via "National Vulnerability Database".
โค1๐ฅ1
โผ CVE-2015-20108 โผ
๐ Read
via "National Vulnerability Database".
xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used.๐ Read
via "National Vulnerability Database".
โค1
โผ CVE-2023-2947 โผ
๐ Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2942 โผ
๐ Read
via "National Vulnerability Database".
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2948 โผ
๐ Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2950 โผ
๐ Read
via "National Vulnerability Database".
Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-2951 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in code-projects Bus Dispatch and Information System 1.0. Affected is an unknown function of the file delete_bus.php. The manipulation of the argument busid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230112.๐ Read
via "National Vulnerability Database".
๐1
โผ CVE-2014-125101 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability classified as critical has been found in Portfolio Gallery Plugin up to 1.1.8 on WordPress. This affects an unknown part. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version 1.1.9 is able to address this issue. The name of the patch is 58ed88243e17df766036f4857041edaf358076d3. It is recommended to upgrade the affected component. The identifier VDB-230085 was assigned to this vulnerability.๐ Read
via "National Vulnerability Database".
๐2๐ฅ1
โผ CVE-2023-33216 โผ
๐ Read
via "National Vulnerability Database".
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team WooDiscuz รขโฌโ WooCommerce Comments woodiscuz-woocommerce-comments allows Stored XSS.This issue affects WooDiscuz รขโฌโ WooCommerce Comments: from n/a through 2.2.9.๐ Read
via "National Vulnerability Database".
โผ CVE-2023-33315 โผ
๐ Read
via "National Vulnerability Database".
Cross-Site Request Forgery (CSRF) vulnerability in Stephen Darlington, Wandle Software Limited Smart App Banner plugin <=ร 1.1.2 versions.๐ Read
via "National Vulnerability Database".