Tag
#auth
SuperCali version 1.1.0 suffers from a cross-site scripting vulnerability.
By Waqas. The IntelBroker hacker has claimed responsibility for the breach. This is a post from HackRead.com. Read the original post: Hackers Leak 2.5M Private Plane Owners’ Data Linked to LA Intl. Airport Breach
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue is a legacy of CVE-2023-49299: we did not fix it completely in CVE-2023-49299 and have added one more patch to fix it. This issue affects Apache DolphinScheduler versions before 3.2.1. Users are recommended to upgrade to version 3.2.1, which fixes the issue.
Time to get patching!
The application suffers from an unquoted search path issue impacting the service 'Tosibox Key Service' for Windows, deployed as part of the Tosibox software application. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path, undetected by the OS or other security applications, where it could be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
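The advisory describes the classic unquoted-service-path primitive: when a service's ImagePath contains spaces and is not quoted, the service control manager tries each space-delimited prefix (with `.exe` appended) before the real binary, so `C:\Program.exe` is tried first, which is why the advisory talks about planting code in the system root. The following is an added audit helper, not Tosibox's or the advisory's own code; the service names and ImagePath values are constructed samples, and the Tosibox install path is hypothetical. It reports every unquoted path containing a space together with the hijack locations an attacker would need write access to.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample service definitions (not real registry data). Each entry is
# (service name, ImagePath value as it would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>). The Tosibox path is hypothetical.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("TosiboxKeySvc", r"C:\Program Files\Tosibox\Key Service\tbkeysvc.exe --run"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\Quoted Service\svc.exe" --run'),
    ("SystemRootSvc", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

# Executable path up to the first recognised extension; anything after it is arguments.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|sys|bat|cmd))(?:\s.*)?$", re.IGNORECASE)


def unquoted_binary_path(image_path: str) -> Optional[str]:
    """Return the executable path if it is unquoted and contains a space, else None."""
    s = image_path.strip()
    if s.startswith('"'):
        return None  # a quoted path is parsed unambiguously by the loader
    m = _EXE_RE.match(s)
    exe = m.group(1) if m else s.split(" ")[0]
    return exe if " " in exe else None


def hijack_candidates(exe_path: str) -> List[str]:
    r"""Locations the loader tries before the intended binary, in search order.

    For C:\Program Files\Tosibox\Key Service\tbkeysvc.exe the service control
    manager first tries C:\Program.exe, then C:\Program Files\Tosibox\Key.exe.
    Whoever can create a file at one of these runs as the service account.
    """
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(services: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (service name, hijack candidate paths) for every vulnerable entry."""
    findings = []
    for name, image_path in services:
        exe = unquoted_binary_path(image_path)
        if exe is not None:
            findings.append((name, hijack_candidates(exe)))
    return findings


if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES):
        print(f"{name}: unquoted ImagePath; check whether a standard user can create {cands}")
```

On a live host, feed the function the `Name` and `PathName` columns of `Get-CimInstance Win32_Service`. A flagged service is only exploitable if a non-privileged user can actually create a file at one of the candidate paths (check the ACLs with `icacls`), so the finding is the starting point, not the verdict.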
ConnectWise customers need to take immediate action to remediate a critical vulnerability.
By Deeba Ahmed. In 2024, over 60 countries worldwide are holding elections. The most significant threat to the integrity of these elections? Deepfake videos, readily accessible on the dark web and Telegram, with prices ranging from as low as $2 to $100. This is a post from HackRead.com. Read the original post: Deepfake Threat: $2 Deceptive Content Undermines Election Integrity
The locations of microphones used to detect gunshots have been kept hidden from police and the public. A WIRED analysis of leaked coordinates confirms arguments critics have made against the technology.
### Impact

An attacker able to submit many ciphertexts against a single private key, and to get responses in real time, could recover the private key. This vulnerability has been named KyberSlash.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

### Patches

Version 0.0.6.1 and newer of PyPQC is patched.

### Workarounds

No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes.

### References

1. This was partially patched ("KyberSlash 1") in the reference implementation by Peter Schwabe on December 1st, 2023. https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220
2. This was reported as a security vulnerability by Daniel J. Bernstein on December 15th, 2023. https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ
3. A webpage was stood up for authoritative reference about this by Daniel J. Bernstein on December 19th, 2023. htt...
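KyberSlash is a timing leak in decapsulation: the reference code recovers each message bit from a coefficient t as round(2t/q) mod 2 using an integer division by q = 3329, and on several CPUs the latency of a division depends on its operands, which here are derived from the secret key. The reference fix replaces the division with a multiply by a fixed-point reciprocal and a shift. The block below is an added illustration, not PyPQC's or the pq-crystals code: it models the two decoding variants in Python (where timing is not the point; the point is that the division-free arithmetic is exactly equivalent), verifies that exhaustively over every coefficient value, and locates the decision thresholds a timing attacker tries to find. The constants 80635 and 1665 are ones I verified exhaustively here, not quoted from the upstream commit.

```python
KYBER_Q = 3329  # Kyber's modulus q


def tomsg_bit_divide(t: int) -> int:
    """Message-bit extraction as in the unpatched reference poly_tomsg:
    round(2*t/q) mod 2, computed with an integer division by q.
    The division's latency is operand-dependent on many CPUs, and t comes
    from v - s^T u during decapsulation, so its timing leaks key material."""
    assert 0 <= t < KYBER_Q
    return (((t << 1) + KYBER_Q // 2) // KYBER_Q) & 1


def tomsg_bit_mulshift(t: int) -> int:
    """Division-free variant: multiply by a fixed-point reciprocal of q, then shift.
    80635 ~= 2**28 / 3329, so (x * 80635) >> 28 computes x // 3329 on this range.
    The rounding offset is 1665 rather than q // 2 == 1664: 80635 / 2**28 is slightly
    below 1/q, so at exact multiples of q (t = 2497 gives 2t + 1664 == 2q) the
    product would undershoot the true quotient unless the offset is bumped by one."""
    assert 0 <= t < KYBER_Q
    x = (t << 1) + 1665
    return ((x * 80635) >> 28) & 1


def variants_agree_on_all_coefficients() -> bool:
    """Exhaustive check: every coefficient in [0, q) decodes to the same bit both ways."""
    return all(tomsg_bit_divide(t) == tomsg_bit_mulshift(t) for t in range(KYBER_Q))


def message_bit_boundaries() -> list:
    """Coefficient values at which the decoded bit flips (about q/4 and 3q/4).
    An attacker who can tell, from timing, which side of these thresholds a
    coefficient falls on learns the corresponding message bit."""
    return [t for t in range(1, KYBER_Q) if tomsg_bit_divide(t) != tomsg_bit_divide(t - 1)]


if __name__ == "__main__":
    print("equivalent on all inputs:", variants_agree_on_all_coefficients())
    print("bit flips at t =", message_bit_boundaries())
```

The exhaustive check is the right test for this kind of fix: a multiply-and-shift reciprocal is only exact on a bounded input range, so the constants must be proven for every value the code can see, not spot-checked. Note that Python's big-integer division is not constant-time either; the property that matters in production is that the compiled C never emits a DIV on secret data.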
### Impact

A bug in permissions validation allows a user with the `ci:ReadAction` permission to skip read checks when copying an object. If they additionally have read and write permission to a path in the repository, they can copy an otherwise unreadable object and read it.

In order to be affected and exploitable, the following conditions must ALL occur on the same user:

1. `ci:ReadAction` enabled for the repository. Predefined policies RepoManagementRead and RepoManagementFullAccess allow this action.
2. `fs:ReadObject` and `fs:WriteObject` enabled for some path.
3. `fs:ReadObject` _not_ available for some path.

Such a user can use (1) to copy the unreadable object (3) to a path that they can read and write (2). At that point they can read the object copy.

### Patches

Releases >= 1.12.1 fix this issue in lakeFS.

### Workarounds

As a workaround, use RBAC to deny `ci:*` permissions to all users, or to all users who have limited read access. Many installations are unaffected: *...
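The three conditions above describe a confused-deputy pattern: a repository-level action grant is accepted in place of the per-object read check on the copy source. The following is an added toy model of that check, written for this page and not lakeFS's authorization code; the `User`/`Repo` classes, the prefix-based path matching and the exact way the buggy check consults `ci:ReadAction` are my assumptions, while the action names are the ones the advisory lists. It shows the bypass succeeding against the vulnerable copy, failing against a copy that checks `fs:ReadObject` on the source, and failing when the workaround (no `ci:*` grant) is applied.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class User:
    name: str
    repo_actions: Set[str]             # repository-level actions, e.g. {"ci:ReadAction"}
    path_actions: Dict[str, Set[str]]  # path prefix -> {"fs:ReadObject", "fs:WriteObject"}

    def allowed(self, action: str, path: str) -> bool:
        return any(path.startswith(prefix) and action in acts
                   for prefix, acts in self.path_actions.items())


class Repo:
    """Toy object store with per-path checks (constructed for this example)."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def read(self, user: User, path: str) -> bytes:
        if not user.allowed("fs:ReadObject", path):
            raise PermissionError(f"{user.name} may not read {path}")
        return self.objects[path]

    def copy_vulnerable(self, user: User, src: str, dst: str) -> None:
        # The flaw modelled here: a repository-wide ci:ReadAction grant is accepted
        # instead of the per-object fs:ReadObject check on the source path.
        if "ci:ReadAction" not in user.repo_actions and not user.allowed("fs:ReadObject", src):
            raise PermissionError(f"{user.name} may not read {src}")
        if not user.allowed("fs:WriteObject", dst):
            raise PermissionError(f"{user.name} may not write {dst}")
        self.objects[dst] = self.objects[src]

    def copy_fixed(self, user: User, src: str, dst: str) -> None:
        # Copy needs read on the source and write on the destination, nothing else.
        if not user.allowed("fs:ReadObject", src):
            raise PermissionError(f"{user.name} may not read {src}")
        if not user.allowed("fs:WriteObject", dst):
            raise PermissionError(f"{user.name} may not write {dst}")
        self.objects[dst] = self.objects[src]


SECRET = b"-----BEGIN PRIVATE KEY-----\n(constructed sample, not a real key)\n"


def exfiltrate(patched: bool, has_ci_read: bool) -> Optional[bytes]:
    """Run the copy-then-read bypass. Returns the secret on success, None if denied."""
    repo = Repo()
    repo.objects["secrets/key.pem"] = SECRET
    user = User(
        name="limited",
        repo_actions={"ci:ReadAction"} if has_ci_read else set(),        # condition 1
        path_actions={"scratch/": {"fs:ReadObject", "fs:WriteObject"}},  # condition 2
    )                                             # no fs:ReadObject on secrets/: condition 3
    copy = repo.copy_fixed if patched else repo.copy_vulnerable
    try:
        copy(user, "secrets/key.pem", "scratch/key.pem")
        return repo.read(user, "scratch/key.pem")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable, ci:ReadAction granted :", exfiltrate(False, True) is not None)
    print("patched,    ci:ReadAction granted :", exfiltrate(True, True) is not None)
    print("vulnerable, ci:* denied (workaround):", exfiltrate(False, False) is not None)
```

The general lesson the model makes concrete: any operation that moves data between objects must be authorized against both endpoints with the object-level actions, and coarse management-style permissions should never be able to short-circuit an object-level read check.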