Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Governments May Spy on You by Requesting Push Notifications from Apple and Google

Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden. "Push notifications are alerts sent by phone apps to users' smartphones," Wyden said. "These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of

The Hacker News
Open in Source
#web#ios#android#windows#apple#google#microsoft#amazon#git#pdf#The Hacker News
GHSA-2j39-qcjm-428w: Apache Struts vulnerable to path traversal

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

CVE-2023-48860: security_research/TOTOLINK-N300RT-RCE.md at main · xieqiang11/security_research

TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access control, allows attackers can bypass front-end security restrictions and execute arbitrary code.

CVE-2023-48861: POC4/README.md at main · xieqiang11/POC4

DLL hijacking vulnerability in TTplayer version 7.0.2, allows local attackers to escalate privileges and execute arbitrary code via urlmon.dll.

CVE-2023-43298: CVE-reports/CVE-2023-43298.md at main · syz913/CVE-reports

An issue in SCOL Members Card mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE-2023-43299: CVE-reports/CVE-2023-43299.md at main · syz913/CVE-reports

An issue in DA BUTCHERS mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE-2023-43300: CVE-reports/CVE-2023-43300.md at main · syz913/CVE-reports

An issue in urban_project mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token.

CVE-2023-49225: 20231128 | Security Bulletins | Ruckus Wireless Support

A cross-site-scripting vulnerability exists in Ruckus Access Point products (ZoneDirector, SmartZone, and AP Solo). If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in the product. As for the affected products/models/versions, see the information provided by the vendor listed under [References] section or the list under [Product Status] section.

CVE-2023-48825: PHPJabbers Availability Booking Calendar 5.0 HTML Injection ≈ Packet Storm

Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.