Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-w392-75q8-vr67: Guardrails has an arbitrary code execution vulnerability

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user's machine.

ghsa
Open in Source
#vulnerability#web#mac#auth
GHSA-hfmw-7g3m-gj6q: CoreDNS vulnerable to TuDoor Attacks

An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.

GHSA-g4r7-86gm-pgqc: sqlitedict insecure deserialization vulnerability

Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.

GHSA-wmjg-vqhv-q5p5: Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)

An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). E.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. Once a user upload is started via the [upload](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87) method, the file_upload and the folder parameter ```ruby def upload(settings = {}) params[:dimension] = nil if params[:skip_auto_crop].present? f = { error: 'File not found.' } if params[:file_upload].present? f = upload_file(params[:file_upload], { folder: params[:folder], dimension: params['dimension'], formats: params[:fo...

Backdoor.Win32.BlackAngel.13 MVID-2024-0695 Code Execution

Backdoor.Win32.BlackAngel.13 malware suffers from a code execution vulnerability.

Backdoor.Win32.Delf.yj MVID-2024-0693 Information Disclosure

Backdoor.Win32.Delf.yj malware suffers from an information leakage vulnerability.

Online Exam System 1.0 Insecure Settings

Online Exam System version 1.0 suffers from an ignored default credential vulnerability.

Online Bus Ticket Booking Website 1.0 SQL Injection

Online Bus Ticket Booking Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Nipah Virus Testing Management System 1.0 SQL Injection

Nipah Virus Testing Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.