Security
Headlines
HeadlinesLatestCVEs

Tag

#apple

CVE-2021-44142: Samba - Security Announcement Archive

The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.

CVE
Open in Source
#vulnerability#mac#apple
CVE-2022-24553: Zfaka Backend RCE(All version) · Issue #260 · zfaka-plus/zfaka

An issue was found in Zfaka <= 1.4.5. The verification of the background file upload function check is not strict, resulting in remote command execution.

CVE-2022-25366: Cryptomator 1.6.5 Dylib Injection - AppleBois - Medium

Cryptomator through 1.6.5 allows DYLIB injection because, although it has the flag 0x1000 for Hardened Runtime, it has the com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables entitlements. An attacker can exploit this by creating a malicious .dylib file that can be executed via the DYLD_INSERT_LIBRARIES environment variable.

CVE-2022-22916: O2OA-POC/POC.md at main · wendell1224/O2OA-POC

O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

CVE-2021-46252: Fix CSRF when adding requirements bypass by apple502j · Pull Request #155 · InternationalScratchWiki/scratch-confirmaccount-v3

A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.

CVE-2021-46251: SECURITY: Escape username in invalid username error · ScratchVerifier/ScratchOAuth2@1603f04

A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

CVE-2021-46250: SECURITY: Use strict comparison when authenticating · ScratchVerifier/ScratchOAuth2@a91879b

An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.

CVE-2020-26728: routers/rce1.md at a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180 · Lyc-heng/routers

A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request.

CVE-2022-24647: Multiple Unauthorized Arbitrary File Deletion vulnerabilities · Issue #23 · CuppaCMS/CuppaCMS

Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function.