Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-40314: NMS-15790: Transport bootstrap.jsp args in context by fooker · Pull Request #6791 · OpenNMS/opennms

Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Moshe Apelbaum for reporting this issue.

CVE
Open in Source
#xss#js#git
ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

By Deeba Ahmed Yet another day, another instance of a Google service being exploited for spreading malware infections. This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

GHSA-4qq5-mxxx-m6gg: MLflow authentication requirement bypass can allow a user to arbitrarily create an account

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

GHSA-phmw-jx86-x666: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. The affected URLs are: - `http[s]://[host]/context/rdJob/*` - `http[s]://[host]/context/api/*/incubator/jobs` ### Impact Rundeck, Process Automation version 4.12.0 up to 4.16.0 ### Patches Patched versions: 4.17.3 ### Workarounds Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level. - `http[s]://host/context/rdJob/*` - `http[s]://host/context/api/*/incubator/jobs` ### For more information If you have any questions or comments about this advisory: * Open an issue in [our forums](https://community.pagerduty.com/forum/c/process-automation) * Enterprise Customers can open a [Support ticket](https://support.rundeck.com)

Alleged Extortioner of Psychotherapy Patients Faces Trial

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

CVE-2023-48134: CVE-reports/nagayama_copabowl.md at main · syz913/CVE-reports

nagayama_copabowl Line 13.6.1 is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.

We all just need to agree that ad blockers are good

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

GHSA-f798-qm4r-23r5: MLflow allowed arbitrary files to be PUT onto the server

MLflow allowed arbitrary files to be PUT onto the server.

GHSA-8r96-8889-qg2x: HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

GHSA-fxff-wxxv-c2jc: PyPinkSign uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption

PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.