#acer

### Summary XSS occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. ### Details When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template. ``` <p align="center"> <a href="https://www.osmedeus.org"><img alt="Osmedeus" src="https://raw.githubusercontent.com/osmedeus/assets/main/logo-transparent.png" height="140" /></a> <br /> <br /> <strong>Execute Summary Generated by Osmedeus {{Version}} at <em>{{CurrentDay}}</em></strong> <p align="center"> <a href="https://docs.osmedeus.org/"><img src="https://img.shields.io/badge/Documentation-0078D4?style=for-the-badge&logo=GitBook&logoColor=39ff14&labelColor=black&color=black"></a> <a href="https://docs.osmedeus.org/donation/"><img src="https://img.shields.io/badge/Donation-0078D4?style=for-the-badge&logo=GitHub-Sponsors&logoColor=39ff14&labelColor=...

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

Misconfigurations, weak authentication, and logic flaws are among the main drivers of API security risks at many organizations.

Ping Identity PingIDM versions 7.0.0 through 7.5.0 enabled an attacker with read access to the User collection, to abuse API query filters in order to obtain managed and/or internal user's passwords in either plaintext or encrypted variants, based on configuration. The API clearly prevents the password in either plaintext or encrypted to be retrieved by any other means, as this field is set as protected under the User object. However, by injecting a malicious query filter, using password as the field to be filtered, an attacker can perform a blind brute-force on any victim's user password details (encrypted object or plaintext string).

Knee-jerk reactions to major vendor outages could do more harm than good.

A successful CIA hack of Venezuela's military payroll system, insider fights for spy agency resources, and messy opposition politics: A WIRED investigation reveals a secret Trump-era attempt to oust autocratic ruler Nicolás Maduro.

Linux Foundation removes 11 Russian developers from the Linux kernel project due to U.S. sanctions. Linus Torvalds confirms…

Cyber attackers are using encoded JavaScript files to hide malware, abusing Microsoft’s Script Encoder to disguise harmful scripts…

Immigration and Customs Enforcement's contract with Paragon Solutions faces scrutiny over whether it complies with the Biden administration's executive order on spyware, WIRED has learned.

The vulnerability allows an unauthenticated attacker to perform network operations such as ping, traceroute, or nslookup on arbitrary hosts or IPs by sending a crafted GET request to networkDiagAjax.php. This could be exploited to interact with or probe internal or external systems, leading to internal information disclosure and misuse of network resources.