Security
Headlines
HeadlinesLatestCVEs

Tag

#firefox

PHPJabbers Simple CMS 5.0 Cross Site Scripting

PHPJabbers Simple CMS version 5.0 suffers from a persistent cross site scripting vulnerability.

Packet Storm
Open in Source
#xss#vulnerability#web#linux#php#auth#firefox
CVE-2023-32007: Security | Apache Spark

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. This issue was disclosed earlier as CVE-2022-33891, but incorrectly claimed version 3.1.3 (which has since gone EOL) would not be affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Users are recommended to upgrade to a supported version of Apache Spark, such as version 3.4.0.

LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT. "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One

Apple, Google, and Microsoft Just Fixed Zero-Day Security Flaws

Firefox gets a needed tune-up, SolarWinds squashes two high-severity bugs, Oracle patches 433 vulnerabilities, and more updates you should make now.

CVE-2023-30405: Aigital Wireless-N Repeater Mini_Router.0.131229 Cross Site Scripting ≈ Packet Storm

A cross-site scripting (XSS) vulnerability in Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the wl_ssid parameter at /boafrm/formHomeWlanSetup.

CVE-2023-26782: There is a denial of service vulnerability in your project · Issue #2 · chshcms/mccms

An issue discovered in mccms 2.6.1 allows remote attackers to cause a denial of service via Backend management interface ->System Configuration->Cache Configuration->Cache security characters.

CVE-2023-26781: SQL injection exists in your project · Issue #1 · chshcms/mccms

SQL injection vulnerability in mccms 2.6 allows remote attackers to run arbitrary SQL commands via Author Center ->Reader Comments ->Search.

Aigital Wireless-N Repeater Mini_Router.0.131229 Remote Command Execution

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a remote command execution vulnerability.

Aigital Wireless-N Repeater Mini_Router.0.131229 Cross Site Scripting

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a persistent cross site scripting vulnerability.

Paperbug Attack: New Politically-Motivated Surveillance Campaign in Tajikistan

A little-known Russian-speaking cyber-espionage group has been linked to a new politically-motivated surveillance campaign targeting high-ranking government officials, telecom services, and public service infrastructures in Tajikistan. The intrusion set, dubbed Paperbug by Swiss cybersecurity company PRODAFT, has been attributed to a threat actor known as Nomadic Octopus (aka DustSquad). "The