Security Headlines

Tag: #apple

CVE-2022-23810: Multiple vulnerabilities in a-blog cms

Template injection (Improper Neutralization of Special Elements Used in a Template Engine) vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to obtain an arbitrary file on the server via unspecified vectors.

CVE-2022-24620: Piwigo-12.2.0 Vulnerable For Stored XSS Which Is Leading To Privilege Escalation · Issue #1605 · Piwigo/Piwigo

Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation: an admin can steal the webmaster's cookies and thereby gain the webmaster's access.

CVE-2021-44142: Samba - Security Announcement Archive

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

CVE-2022-24553: Zfaka Backend RCE(All version) · Issue #260 · zfaka-plus/zfaka

An issue was found in Zfaka <= 1.4.5. The backend file upload function does not strictly verify uploaded files, resulting in remote command execution.

CVE-2022-25366: Cryptomator 1.6.5 Dylib Injection - AppleBois - Medium

Cryptomator through 1.6.5 allows DYLIB injection because, although it has the flag 0x1000 for Hardened Runtime, it has the com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables entitlements. An attacker can exploit this by creating a malicious .dylib file that can be executed via the DYLD_INSERT_LIBRARIES environment variable.

CVE-2022-22916: O2OA-POC/POC.md at main · wendell1224/O2OA-POC

O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

CVE-2021-46252: Fix CSRF when adding requirements bypass by apple502j · Pull Request #155 · InternationalScratchWiki/scratch-confirmaccount-v3

A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.

CVE-2021-46251: SECURITY: Escape username in invalid username error · ScratchVerifier/ScratchOAuth2@1603f04

A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

CVE-2021-46250: SECURITY: Use strict comparison when authenticating · ScratchVerifier/ScratchOAuth2@a91879b

An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.