#auth

ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

By Deeba Ahmed Yet another day, another instance of a Google service being exploited for spreading malware infections. This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

1 year ago

HackRead

Open in Source

#vulnerability #web #mac #google #cisco #git #intel #pdf #auth #chrome

GHSA-4qq5-mxxx-m6gg: MLflow authentication requirement bypass can allow a user to arbitrarily create an account

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

1 year ago

ghsa

Open in Source

#git #auth

CVE-2023-46213: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page

In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser.

1 year ago

CVE

Open in Source

#xss #vulnerability #web #java #auth

CVE-2023-6020: LFI in Ray API - GET /static/ in ray

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

1 year ago

CVE

Open in Source

#mac #js #intel #auth #ssh #firefox

CVE-2023-6014

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.

1 year ago

CVE

Open in Source

#auth

New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine

By Waqas Apart from displaying these messages, the packages performed no other actions. This indicates that these aren't malicious per se. This is a post from HackRead.com Read the original post: New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine

1 year ago

HackRead

Open in Source

#vulnerability #web #windows #nodejs #js #java #auth

GHSA-phmw-jx86-x666: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. The affected URLs are: - `http[s]://[host]/context/rdJob/*` - `http[s]://[host]/context/api/*/incubator/jobs` ### Impact Rundeck, Process Automation version 4.12.0 up to 4.16.0 ### Patches Patched versions: 4.17.3 ### Workarounds Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level. - `http[s]://host/context/rdJob/*` - `http[s]://host/context/api/*/incubator/jobs` ### For more information If you have any questions or comments about this advisory: * Open an issue in [our forums](https://community.pagerduty.com/forum/c/process-automation) * Enterprise Customers can open a [Support ticket](https://support.rundeck.com)

1 year ago

ghsa

Open in Source

#git #java #auth #maven

CVE-2023-32957: WordPress Team Members Showcase plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dazzlersoft Team Members Showcase plugin <= 1.3.4 versions.

1 year ago

CVE

Open in Source

#xss #vulnerability #web #wordpress #auth

CVE-2023-32796: WordPress WooCommerce Product Enquiry plugin <= 2.3.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in MingoCommerce WooCommerce Product Enquiry plugin <= 2.3.4 versions.