GHSA-2hm9-h873-pgqh: OpenFGA Vulnerable to DoS from circular relationship definitions

## Overview

OpenFGA is vulnerable to a DoS attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die.

## Am I Affected?

Yes, if your store contains an authorization model that allows circular relationships. For example, with this model:

```
model
  schema 1.1
type user
type group
  relations
    define memberA: [user] or memberB or memberC or memberD or memberE
    define memberB: [user] or memberA or memberC or memberD or memberE
    define memberC: [user] or memberA or memberB or memberD or memberE
    define memberD: [user] or memberA or memberB or memberC or memberE
    define memberE: [user] or memberA or memberB or memberC or memberD
```

This Check: `(user:anne, memberA, group:X)` can exhaust memory in the server.

## Fix

Upgrade to v1.3.2 and update any offending models. **[BREAKING]** If your model contained cycles or a relatio...

CVE-2023-44173: projectworlds | Free Projects and Free Learnings

Online Movie Ticket Booking System v1.0 is vulnerable to an authenticated Reflected Cross-Site Scripting vulnerability.

CVE-2023-43013: Asset Management System v1.0 - Unauthenticated SQL Injection (SQLi) | Advisories | Fluid Attacks

Asset Management System v1.0 is vulnerable to an unauthenticated SQL Injection vulnerability in the 'email' parameter of the index.php page, allowing an external attacker to dump the entire contents of the database and bypass the login control.

CVE-2023-5185: Gym Management System Project v1.0 - Insecure File Upload | Advisories | Fluid Attacks

Gym Management System Project v1.0 is vulnerable to an Insecure File Upload vulnerability in the 'file' parameter of the profile/i.php page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.

CVE-2023-5004: Hospital-management-system-in-php 378c157 - Blind SQL Injection | Advisories | Fluid Attacks

Hospital management system version 378c157 allows an attacker to bypass authentication. This is possible because the application is vulnerable to SQL injection (SQLi).

Dark Web Pedophiles Using Open-Source AI to Generate CSAM

By Waqas. This was revealed by the Internet Watch Foundation, a UK-based internet watchdog. This is a post from HackRead.com. Read the original post: Dark Web Pedophiles Using Open-Source AI to Generate CSAM

The security pitfalls of social media sites offering ID-based authentication

Two notable vulnerabilities in Google Chrome should be patched asap, and an allegedly new ransomware-as-a-service group.

GitHub Repositories Hit by Password-Stealing Commits Disguised as Dependabot Contributions

A new malicious campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions, with the aim of stealing passwords from developers. "The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modifies any existing JavaScript files in the attacked project with a web-form password-stealer malware code

US Justice Department Urged to Investigate Gunshot Detector Purchases

A civil liberties group has asked the DOJ to investigate deployment of the ShotSpotter gunfire-detection system, which research shows is often installed in predominantly Black neighborhoods.