Security
Headlines
HeadlinesLatestCVEs

Source

CVE

CVE-2023-47642: Invalid metadata access for formerly subscribed streams.

Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had been removed from a stream, but still had an account in the organization, could still view metadata for that stream (including the stream name, description, settings, and an email address used to send emails into the stream via the incoming email integration). This potentially allowed users to see changes to a stream’s metadata after they had lost access to the stream. This vulnerability has been addressed in version 7.5 and all users are advised to upgrade. There are no known workarounds for this issue.

CVE
Open in Source
#vulnerability
CVE-2023-47112: Authenticated users can view job names and groups for which they do not have read authorization

Rundeck is an open source automation service with a web console, command line tools and a WebAPI. In affected versions access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which provides a list of job names and groups for any project, without the necessary authorization checks. The output of these endpoints only exposes the name of job groups and the jobs contained within the specified project. The output is read-only and the access does not allow changes to the information. This vulnerability has been patched in version 4.17.3. Users are advised to upgrade. Users unable to upgrade may block access to the two URLs used in either Rundeck Open Source or Process Automation products at a load balancer level.

CVE-2023-46214: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.

CVE-2023-46213: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page

In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser.

CVE-2023-6020: LFI in Ray API - GET /static/ in ray

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

CVE-2023-6014

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.

CVE-2023-39926: WordPress Under Construction / Maintenance Mode from Acurax plugin <= 2.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Acurax Under Construction / Maintenance Mode from Acurax plugin <= 2.6 versions.

CVE-2023-36026

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-34375: WordPress SEO by 10Web plugin <= 1.2.9 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 10Web SEO by 10Web plugin <= 1.2.9 versions.