Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

CVE-2023-5948: Merge pull request #127 from TeamAmaze/bugfix/welcomescreen · TeamAmaze/AmazeFileUtilities@62d0220

Improper Authorization in GitHub repository teamamaze/amazefileutilities prior to 1.91.

CVE
Open in Source
#android#git#java#auth
CVE-2023-41356: 台灣智園 Tronclass ilearn - Broken Access Control

NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files.

CVE-2023-5763: Eclipse GlassFish Security Guide, Release 7

In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.

CVE-2023-41351: 中華電信 NOKIA G-040W-Q - Broken Access Control

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of authentication bypass, which allows an unauthenticated remote attacker to bypass the authentication mechanism to log in to the device by an alternative URL. This makes it possible for unauthenticated remote attackers to log in as any existing users, such as an administrator, to perform arbitrary system operations or disrupt service.

CVE-2023-41355: 中華電信 NOKIA G-040W-Q-Improper Input Validation

Chunghwa Telecom NOKIA G-040W-Q Firewall function has a vulnerability of input validation for ICMP redirect messages. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted package to modify the network routing table, resulting in a denial of service or sensitive information leaking.

CVE-2023-41354: 中華電信 NOKIA G-040W-Q - Exposure of Sensitive Information

Chunghwa Telecom NOKIA G-040W-Q Firewall function does not block ICMP TIMESTAMP requests by default, an unauthenticated remote attacker can exploit this vulnerability by sending a crafted package, resulting in partially sensitive information exposed to an actor.

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. All the counterfeit packages have been published by

CVE-2023-44271: Uncontrolled Resource Consumption in Pillow - CVE-2023-44271 - DevHub

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.

CVE-2023-43982: [CVE-2023-43982] Server-Side Request Forgery (SSRF) in Bon Presta - SocialFeed - Photos & Video/Reels using the Instagram API for PrestaShop

Bon Presta boninstagramcarousel between v5.2.1 to v7.0.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at insta_parser.php. This vulnerability allows attackers to use the vulnerable website as proxy to attack other websites or exfiltrate data via a HTTP call.

CVE-2023-46817: phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability

An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code.