Tag
#firefox
Sitecore version 8.2 suffers from a remote code execution vulnerability.
Hitachi NAS SMU Backup and Restore versions prior to 14.8.7825.01 suffer from an insecure direct object reference vulnerability.
Ubuntu Security Notice 6649-2 - USN-6649-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Alfred Peters discovered that Firefox did not properly manage memory when storing and re-accessing data on a networking channel. An attacker could potentially exploit this issue to cause a denial of service. Johan Carlsson discovered that Firefox incorrectly handled Set-Cookie response headers in multipart HTTP responses. An attacker could potentially exploit this issue to inject arbitrary cookie values. Gary Kwong discovered that Firefox incorrectly generated codes on 32-bit ARM devices, which could lead to unexpected numeric conversions or undefined behaviour. An attacke...
The ALPHV gang's attempt to cover up an exit scam isn't going well.
### Summary
The edit configuration file API in the dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with "Content-Type: text/html; charset=UTF-8", allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via cross-site scripting (XSS).

### Credits
Spike Reply Cybersecurity Teams

### Details
It is possible for a malicious authenticated user to inject arbitrary JavaScript into configuration files using a POST request to the /edit endpoint; the configuration parameter specifies the file to write. To trigger the XSS vulnerability, the victim must visit the page /edit?configuration=[xss file].

### PoC
To reproduce the issue, it is possible to perform a POST request to inject the payload:

request:
POST /edit?configuration=xss.yaml HTTP/1.1
Host: localhost:6052
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: */*
Accept-Language: ...
Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.
Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.
Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.
WordPress IDonate Blood Request Management System plugin versions 1.8.1 and below suffer from a persistent cross site scripting vulnerability.
Blood Bank version 1.0 suffers from multiple remote SQL injection vulnerabilities. Original discovery of SQL injection in this version is attributed to Nitin Sharma in October of 2021.