Security
Headlines
HeadlinesLatestCVEs

Tag

#apache

CVE-2023-22359: user: read permissions are now checked in the request schema before delete/edit/create user

User enumeration in Checkmk <=2.2.0p4 allows an authenticated attacker to enumerate usernames.

CVE
Open in Source
#vulnerability#apache#auth
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks

The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda. "The adversary consistently employed ManageEngine

CVE-2023-1724: GitHub - ladybirdweb/faveo-helpdesk: Faveo Open source ticketing system build on Laravel framework

Faveo Helpdesk Enterprise version 6.0.1 allows an attacker with agent permissions to perform privilege escalation on the application. This occurs because the application is vulnerable to stored XSS.

CVE-2023-35150: XWIKI-20285: Improve escaping of the Invitation Application · xwiki/xwiki-platform@b65220a

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

Patched OpenSSH Exploited for IoT, Linux Cryptomining

By Deeba Ahmed According to Microsoft, the new campaign is ongoing and uses a backdoor to install a patched version of OpenSSH to hijack targeted devices. This is a post from HackRead.com Read the original post: Patched OpenSSH Exploited for IoT, Linux Cryptomining

Debian Security Advisory 5435-2

Debian Linux Security Advisory 5435-2 - Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in information disclosure or denial of service.

GHSA-pm73-x2h5-cmj3: Apache StreamPipes Improper Privilege Management vulnerability

A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to StreamPipes 0.92.0.

CVE-2023-31469

A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to StreamPipes 0.92.0.

Debian Security Advisory 5435-1

Debian Linux Security Advisory 5435-1 - Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in information disclosure or denial of service.

CVE-2023-32449: DSA-2023-173: Dell PowerStore Family Security Update for Multiple Vulnerabilities

Dell PowerStore versions prior to 3.5 contain an improper verification of cryptographic signature vulnerability. An attacker can trick a high privileged user to install a malicious binary by bypassing the existing cryptographic signature checks