‼ CVE-2023-3158 ‼
📖 Read
via "National Vulnerability Database".
The Mail Control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 0.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33891 ‼
📖 Read
via "National Vulnerability Database".
In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-48450 ‼
📖 Read
via "National Vulnerability Database".
In bluetooth service, there is a possible missing params check. This could lead to local denial of service with System execution privileges needed.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30929 ‼
📖 Read
via "National Vulnerability Database".
In telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-3202 ‼
📖 Read
via "National Vulnerability Database".
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_firebase_server_key function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36761 ‼
📖 Read
via "National Vulnerability Database".
The Top 10 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.10.4. This is due to missing or incorrect nonce validation on the tptn_export_tables() function. This makes it possible for unauthenticated attackers to generate an export of the top 10 table via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30917 ‼
📖 Read
via "National Vulnerability Database".
In DMService, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30937 ‼
📖 Read
via "National Vulnerability Database".
In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33879 ‼
📖 Read
via "National Vulnerability Database".
In music service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-2562 ‼
📖 Read
via "National Vulnerability Database".
The Gallery Metabox for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the refresh_metabox function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to obtain a list of images attached to a post.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-33880 ‼
📖 Read
via "National Vulnerability Database".
In music service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30921 ‼
📖 Read
via "National Vulnerability Database".
In messaging service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.📖 Read
via "National Vulnerability Database".
📢 Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectors 📢
📖 Read
via "ITPro".
Database admins are advised to enforce better controls as attacks ending in ransomware are being observed 📖 Read
via "ITPro".
ITPro
Microsoft SQL password-guessing attacks rising as hackers pivot from OneNote vectors
Database admins are advised to enforce better controls as attacks ending in ransomware are being observed
‼ CVE-2023-36543 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".
‼ CVE-2023-30429 ‼
📖 Read
via "National Vulnerability Database".
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar.This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.When a client connects to the Pulsar Function Worker via the Pulsar Proxy where the Pulsar Proxy uses mTLS authentication to authenticate with the Pulsar Function Worker, the Pulsar Function Worker incorrectly performs authorization by using the Proxy's role for authorization instead of the client's role, which can lead to privilege escalation, especially if the proxy is configured with a superuser role.The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.3.0 Pulsar Function Worker users are unaffected.Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-46651 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22887 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".
‼ CVE-2023-37579 ‼
📖 Read
via "National Vulnerability Database".
Incorrect Authorization vulnerability in Apache Software Foundation Apache Pulsar Function Worker.This issue affects Apache Pulsar: before 2.10.4, and 2.11.0.Any authenticated user can retrieve a source's configuration or a sink's configuration without authorization. Many sources and sinks contain credentials in the configuration, which could lead to leaked credentials. This vulnerability is mitigated by the fact that there is not a known way for an authenticated user to enumerate another tenant's sources or sinks, meaning the source or sink name would need to be guessed in order to exploit this vulnerability.The recommended mitigation for impacted users is to upgrade the Pulsar Function Worker to a patched version.2.10 Pulsar Function Worker users should upgrade to at least 2.10.4.2.11 Pulsar Function Worker users should upgrade to at least 2.11.1.3.0 Pulsar Function Worker users are unaffected.Any users running the Pulsar Function Worker for 2.9.* and earlier should upgrade to one of the above patched versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-42009 ‼
📖 Read
via "National Vulnerability Database".
SpringEL injection in the server agent in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22888 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to cause a service disruption by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".
‼ CVE-2023-35908 ‼
📖 Read
via "National Vulnerability Database".
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected📖 Read
via "National Vulnerability Database".