Tag
#auth
In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup().`
Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Leantime is an open source project management system. A 'userId' variable in `app/domain/files/repositories/class.files.php` is not parameterized. An authenticated attacker can send a carefully crafted POST request to `/api/jsonrpc` to exploit an SQL injection vulnerability. Confidentiality is impacted as it allows for dumping information from the database. This issue has been addressed in version 2.4-beta-4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
By Waqas If you are a Casio ClassPad customer, it is strongly recommended that you change your ClassPad password immediately to protect yourself. This is a post from HackRead.com Read the original post: Human Error: Casio ClassPad Data Breach Impacting 148 Countries
Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward you and any organizations you’re a part of be more security resilient.
Categories: Business Categories: News Tags: IT administrators Tags: admin Tags: password Tags: qwerty Tags: 123456 Are IT administrators any better at coming up with decent passwords? Research says they aren't. (Read more...) The post IT administrators' passwords are awful too appeared first on Malwarebytes Labs.
### Impact During a security audit of Artifact Hub's code base, a security researcher at [OffSec](https://www.offsec.com/) identified a bug in which a default unsafe rego built-in was allowed to be used when defining authorization policies. Artifact Hub includes a fine-grained authorization mechanism that allows organizations to define what actions can be performed by their members. It is based on customizable authorization policies that are enforced by the [Open Policy Agent](https://www.openpolicyagent.org/). Policies are written using [rego](https://www.openpolicyagent.org/docs/latest/#rego) and their data files are expected to be json documents. By default, `rego` allows policies to make HTTP requests, which can be abused to send requests to internal resources and forward the responses to an external entity. In the context of Artifact Hub, this capability should have been disabled. ### Patches This issue has been resolved in version [1.16.0](https://artifacthub.io/packages/helm...
Categories: News Categories: Ransomware Tags: IT-SA Tags: ransomware Tags: AI Tags: ChatGPT Tags: NIS2 The major talking points IT-SA included ransomware, ChatGPT, and NIS2. (Read more...) The post The hot topics from Europe's largest trade fair for IT security appeared first on Malwarebytes Labs.
Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.
(This advisory is canonically <https://advisories.nats.io/CVE/secnote-2023-01.txt>) ## Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. NATS users exist within accounts, and once using accounts, the old authorization block is not applicable. ## Problem Description Without any authorization rules in the nats-server, users can connect without authentication. Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block. If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. Wh...