Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GoMining Review: This Platform Makes Bitcoin Mining Possible Through NFTs

By Uzair Amir Curious to learn how GoMining is pioneering the democratization of crypto mining? Read on as we explore their approach, technicals, and how they ensure safety for their users. This is a post from HackRead.com Read the original post: GoMining Review: This Platform Makes Bitcoin Mining Possible Through NFTs

HackRead
#vulnerability#mac#redis#git#auth#ssl
GHSA-5xvc-rwv8-86p7: Ignite Realtime Openfire privilege escalation vulnerability

An issue in Ignite Realtime Openfire v.4.8.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component.

GHSA-438c-3975-5x3f: TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes

### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. ### Fix TinyMCE 6.8.1 introduced a new `sandbox_iframes` boolean option which adds the `sandbox=""` attribute to every `iframe` element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in `iframe` elements. From TinyMCE 7.0.0 onwards the default value of this option is `true`. In TinyMCE 7.0.0 a new `sandbox_iframes_exclusions` option was also added, allowing a list of domains to be specified that should be excluded from having the `sandbox=""` attribute applied when the `sandbox_iframes` option is...

GHSA-mh7p-8m2f-qrm6: Grafana vulnerable to authorization bypass

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a `DELETE` request to `/api/snapshots/<key>` using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user's account is under attack and that Apple support needs to "verify" a one-time code.

Ubuntu Security Notice USN-6588-2

Ubuntu Security Notice 6588-2 - USN-6588-1 fixed a vulnerability in PAM. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Matthias Gerstner discovered that the PAM pam_namespace module incorrectly handled special files when performing directory checks. A local attacker could possibly use this issue to cause PAM to stop responding, resulting in a denial of service.

Bludit 3.13.0 Cross Site Scripting

Bludit version 3.13.0 suffers from a cross site scripting vulnerability.

Insurance Management System PHP And MySQL 1.0 Cross Site Scripting

Insurance Management System PHP and MySQL version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

Craft CMS 4.4.14 Remote Code Execution

Craft CMS version 4.4.14 suffers from an unauthenticated remote code execution vulnerability.

LimeSurvey Community 5.3.32 Cross Site Scripting

LimeSurvey Community version 5.3.32 suffers from a persistent cross site scripting vulnerability.