⚠ S3 Ep142: Putting the X in X-Ops ⚠
📖 Read
via "Naked Security".
How to get all your corporate "Ops" teams working together, with cybersecurity correctness as a guiding light.📖 Read
via "Naked Security".
Naked Security
S3 Ep142: Putting the X in X-Ops
How to get all your corporate “Ops” teams working together, with cybersecurity correctness as a guiding light.
‼ CVE-2023-3539 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, has been found in SimplePHPscripts Simple Forum PHP 2.7. This issue affects some unknown processing of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-233291.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37149 ‼
📖 Read
via "National Vulnerability Database".
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadSetting function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37146 ‼
📖 Read
via "National Vulnerability Database".
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3537 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in SimplePHPscripts News Script PHP Pro 2.4. This affects an unknown part of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-233289 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3540 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability, which was classified as problematic, was found in SimplePHPscripts NewsLetter Script PHP 2.4. Affected is an unknown function of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-233292.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37148 ‼
📖 Read
via "National Vulnerability Database".
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the ussd parameter in the setUssd function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37144 ‼
📖 Read
via "National Vulnerability Database".
Tenda AC10 v15.03.06.26 was discovered to contain a command injection vulnerability via the mac parameter in the function formWriteFacMac.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37145 ‼
📖 Read
via "National Vulnerability Database".
TOTOLINK LR350 V9.3.5u.6369_B20220309 was discovered to contain a command injection vulnerability via the hostname parameter in the setOpModeCfg function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3538 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as problematic was found in SimplePHPscripts Photo Gallery PHP 2.0. This vulnerability affects unknown code of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. VDB-233290 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
🔥1
‼ CVE-2023-37065 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27845 ‼
📖 Read
via "National Vulnerability Database".
SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allow a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo, and KerawenHelper::resetCheckoutSessionData components.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3544 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in GZ Scripts Time Slot Booking Calendar PHP 1.8. It has been declared as problematic. This vulnerability affects unknown code of the file /load.php. The manipulation of the argument first_name/second_name/phone/address_1/country leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-233296. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3541 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been found in ThinuTech ThinuCMS 1.5 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /author_posts.php. The manipulation of the argument author with the input g6g12<script>alert(1)</script>o8sdm leads to cross site scripting. The attack can be launched remotely. The identifier VDB-233293 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3542 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in ThinuTech ThinuCMS 1.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /contact.php. The manipulation of the argument name/body leads to cross site scripting. The attack may be launched remotely. VDB-233294 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3543 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in GZ Scripts Availability Booking Calendar PHP 1.8. It has been classified as problematic. This affects an unknown part of the file load.php of the component HTTP POST Request Handler. The manipulation of the argument cid/first_name/second_name/address_1/country leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-233295. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25201 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37264 ‼
📖 Read
via "National Vulnerability Database".
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only store (api version, kind, name) in the ChildStatusReference. This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. This issue can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feeding its data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on one Tekton setup. If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities. As of time of publication, there are no known patches for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29998 ‼
📖 Read
via "National Vulnerability Database".
A Cross-site scripting (XSS) vulnerability in the content editor in Gis3W g3w-suite 3.5 allows remote authenticated users to inject arbitrary web script or HTML and gain privileges via the description parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33715 ‼
📖 Read
via "National Vulnerability Database".
A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37067 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.📖 Read
via "National Vulnerability Database".