Security
Headlines
HeadlinesLatestCVEs

Search

lenovo warranty check/lookup | check warranty status | lenovo support us

Found 10000 results in 47 ms.

CVE-2023-3519: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Unauthenticated remote code execution

CVE
#xss#vulnerability#web#rce#auth
GHSA-56p6-qw3c-fq2g: Suspended Directus user can continue to use session token to access API

### Summary Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode to access the API despite their status. ### Details There is a check missing in `verifySessionJWT` to verify that a user is actually still active and allowed to access the API. Right now one can extract the session token obtained by, e.g. login in to the app while still active and then, after the user has been suspended continue to use that token until it expires. ### PoC * Create an active user * Log in with that user and note the session cookie * Suspend the user (and don't trigger an `/auth/refresh` call, as that invalidates the session * Access the API with `Authorization: Bearer <token>` ### Impact This weakens the security of suspending users.

CVE-2023-24127: Eagle Financial Services Inc.

Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a stack overflow via the wepkey1 parameter at /goform/WifiBasicSet.

CVE-2019-16738: ⚓ T230402 Exposed suppressed username via Special:Redirect

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.

CVE-2022-34358: Security Bulletin: Digital Certificate Manager for IBM i is vulnerable to cross-site scripting (CVE-2022-34358)

IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230516.

CVE-2022-34336: IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2022-34336)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229714.

CVE-2023-30990: IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture (CVE-2023-30990)

IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.

CVE-2023-30989: IBM Performance Tools for i is vulnerable to local privilege escalation (CVE-2023-30989)

IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 contains a local privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain all object access to the host operating system. IBM X-Force ID: 254017.

CVE-2023-29258: IBM® Db2® is vulnerable to a denial of service through a specially crafted federated query on specific federation objects. (CVE-2023-29258)

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1, and 11.5 is vulnerable to a denial of service through a specially crafted federated query on specific federation objects. IBM X-Force ID: 252048.

CVE-2023-45184: Security Bulletin: IBM i Access Client Solutions is vulnerable to remote code execution and failing to secure passwords due to multiple vulnerabilities

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.