Security
Headlines
HeadlinesLatestCVEs

Tag

#apache

CVE-2022-44008

An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly.

CVE
Open in Source
#sql#vulnerability#web#apache#js#auth
Revenue Collection System 1.0 Cross Site Scripting / Authentication Bypass

Revenue Collection System version 1.0 suffers from a persistent cross site scripting vulnerability allowing an authenticated client user to add an administrative user account to the application then log in as the newly created admin.

Revenue Collection System 1.0 SQL Injection / Remote Code Execution

Revenue Collection System version 1.0 suffers from an unauthenticated SQL injection vulnerability in step1.php that allows remote attackers to write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory. This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.

RHSA-2022:8506: Red Hat Security Advisory: Satellite 6.12 Release

An update is now available for Red Hat Satellite 6.12. The release contains a new version of Satellite and important security fixes for various components.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-37136: netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data * CVE-2021-37137: netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way * CVE-2022-22818: django: Possible XSS via '{% debug %}' template tag * CVE-2022-24836: nokogiri: ReDoS in HTML encoding detection * CVE-2022-25648: ruby-git: package vulnerable to Command Injection via git argument injection * CVE-2022-29970: sinatra: path traversal possible outside of public_dir when servin...

CVE-2022-45047: CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45385: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CVE-2022-45379: Jenkins Security Advisory 2022-11-15

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

CVE-2022-45386: Jenkins Security Advisory 2022-11-15

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-38666: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.