‼ CVE-2023-27845 ‼
📖 Read
via "National Vulnerability Database".
SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allow a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo, and KerawenHelper::resetCheckoutSessionData components.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3544 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in GZ Scripts Time Slot Booking Calendar PHP 1.8. It has been declared as problematic. This vulnerability affects unknown code of the file /load.php. The manipulation of the argument first_name/second_name/phone/address_1/country leads to cross site scripting. The attack can be initiated remotely. The identifier of this vulnerability is VDB-233296. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3541 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been found in ThinuTech ThinuCMS 1.5 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /author_posts.php. The manipulation of the argument author with the input g6g12<script>alert(1)</script>o8sdm leads to cross site scripting. The attack can be launched remotely. The identifier VDB-233293 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3542 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in ThinuTech ThinuCMS 1.5 and classified as problematic. Affected by this issue is some unknown functionality of the file /contact.php. The manipulation of the argument name/body leads to cross site scripting. The attack may be launched remotely. VDB-233294 is the identifier assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3543 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in GZ Scripts Availability Booking Calendar PHP 1.8. It has been classified as problematic. This affects an unknown part of the file load.php of the component HTTP POST Request Handler. The manipulation of the argument cid/first_name/second_name/address_1/country leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-233295. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-25201 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37264 ‼
📖 Read
via "National Vulnerability Database".
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only store (api version, kind, name) in the ChildStatusReference. This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. This issue can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feeding its data through the rest of the Pipeline. This requires access to create TaskRuns, so impact may vary depending on one Tekton setup. If users already have unrestricted access to create any Task/PipelineRun, this does not grant any additional capabilities. As of time of publication, there are no known patches for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29998 ‼
📖 Read
via "National Vulnerability Database".
A Cross-site scripting (XSS) vulnerability in the content editor in Gis3W g3w-suite 3.5 allows remote authenticated users to inject arbitrary web script or HTML and gain privileges via the description parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33715 ‼
📖 Read
via "National Vulnerability Database".
A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37067 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37066 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37061 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33664 ‼
📖 Read
via "National Vulnerability Database".
ai-dev aicombinationsonfly before v0.3.1 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37062 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37063 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37064 ‼
📖 Read
via "National Vulnerability Database".
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-36201 ‼
📖 Read
via "National Vulnerability Database".
An issue in JerryscriptProject jerryscript v.3.0.0 allows an attacker to obtain sensitive information via a crafted script to the arrays.📖 Read
via "National Vulnerability Database".
🕴 MOVEit Transfer Faces Another Critical Data-Theft Bug 🕴
📖 Read
via "Dark Reading".
Users need to patch the latest SQL injection vulnerability as soon as possible. Meanwhile, Cl0p's data extortion rampage gallops on.📖 Read
via "Dark Reading".
Dark Reading
MOVEit Transfer Faces Another Critical Data-Theft Bug
Users need to patch the latest SQL injection vulnerability as soon as possible. Meanwhile, Cl0p's data extortion rampage gallops on.
🕴 Spyware Gamed 1.5M Users of Google Play Store 🕴
📖 Read
via "Dark Reading".
Malware spoofed file management applications thanks to elevated permissions, enabling exfiltration of sensitive data with no user interaction, researchers find. 📖 Read
via "Dark Reading".
Dark Reading
Spyware Gamed 1.5M Users of Google Play Store
Malware spoofed file management applications thanks to elevated permissions, enabling exfiltration of sensitive data with no user interaction, researchers find.
‼ CVE-2021-39014 ‼
📖 Read
via "National Vulnerability Database".
IBM Cloud Object System 3.15.8.97 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213650.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33796 ‼
📖 Read
via "National Vulnerability Database".
In MuJS before version 1.1.2, a use-after-free flaw in the regexp source property access may cause denial of service.📖 Read
via "National Vulnerability Database".