Security
Headlines
HeadlinesLatestCVEs

Source

CVE

CVE-2023-4201: Inventory-Management-System/SQL Injection in ex_catagory_data.php/vuln.md at main · Yesec/Inventory-Management-System

A vulnerability was found in SourceCodester Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file ex_catagory_data.php. The manipulation of the argument columns[1][data] leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-236291.

CVE
Open in Source
#sql#vulnerability#git#php
CVE-2023-39524: Merge remote-tracking branch 'ghsa-75p5-jwx4-qw9h/fix-advisory-1' int… · PrestaShop/PrestaShop@2047d4c

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, SQL injection possible in the product search field, in BO's product page. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

CVE-2023-38704: sanitize URLs · DataDog/import-in-the-middle@2531cdd

`import-in-the-middle` is a module loading interceptor specifically for ESM modules. Prior to version 1.4.2, the `import-in-the-middle` loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an `import()` function. This vulnerability has been patched in `import-in-the-middle` version 1.4.2. Some workarounds are available. Do not pass any user-supplied input to `import()`. Instead, verify it against a set of allowed values. If using `import-in-the-middle` and support for EcmaScript Modules is not needed, ensure that certain options are set, either via command-line or the `NODE_OPTIONS` environment variable.

CVE-2023-36054: Kerberos Security Advisories

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

CVE-2023-38930: IoT-Vulns/tenda/addWifiMacFilter/README.md at main · FirmRec/IoT-Vulns

Tenda AC7 V1.0,V15.03.06.44, F1203 V2.0.1.6, AC5 V1.0,V15.03.06.28, AC9 V3.0,V15.03.06.42_multi and FH1205 V2.0.0.7(775) were discovered to contain a stack overflow via the deviceId parameter in the addWifiMacFilter function.

CVE-2023-38931: IoT-Vulns/tenda/cloudv2_setaccount/README.md at main · FirmRec/IoT-Vulns

Tenda AC10 V1.0 V15.03.06.23, AC1206 V15.03.06.23, AC8 v4 V16.03.34.06, AC6 V2.0 V15.03.06.23, AC7 V1.0 V15.03.06.44, F1203 V2.0.1.6, AC5 V1.0 V15.03.06.28, AC10 v4.0 V16.03.10.13 and FH1203 V2.0.1.6 were discovered to contain a stack overflow via the list parameter in the setaccount function.

CVE-2023-36499: IoT-Vulns/netgear/nvram_ssid/README.md at main · FirmRec/IoT-Vulns

Netgear XR300 v1.0.3.78 was discovered to contain multiple buffer overflows via the wla_ssid and wlg_ssid parameters at genie_ap_wifi_change.cgi.

CVE-2023-38922: IoT-Vulns/netgear/http_passwd_auth/README.md at main · FirmRec/IoT-Vulns

Netgear JWNR2000v2 v1.0.0.11, XWN5001 v0.4.1.1, and XAVN2001v2 v0.4.0.7 were discovered to contain multiple buffer overflows via the http_passwd and http_username parameters in the update_auth function.

CVE-2023-38924: IoT-Vulns/netgear/http_password_create_smb_cfg/README.md at main · FirmRec/IoT-Vulns

Netgear DGN3500 1.1.00.37 was discovered to contain a buffer overflow via the http_password parameter at setup.cgi.

CVE-2023-38929: IoT-Vulns/tenda/VirtualSer/README.md at main · FirmRec/IoT-Vulns

Tenda 4G300 v1.01.42 was discovered to contain a stack overflow via the page parameter at /VirtualSer.