#git

October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.

By Waqas US Treasury Sanctions Sinbad.io for Laundering Millions in Stolen Funds Linked to North Korea's Lazarus Group. This is a post from HackRead.com Read the original post: US Seizes Bitcoin Mixer Sinbad.io Used by Lazarus Group

Organizations from the Middle East and Africa have typically escaped public ransoms, but that's changing amid heightened geopolitical conflicts and digitalization initiatives.

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. Jira Plugin 3.12 defines the appropriate context for credentials lookup.

Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following: - Enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. - Connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. Google Compute Engine Plugin 4.551.v5a_4dc98f6962 requires Overall/Administer permission for the affected HTTP endpoints.

By Owais Sultan In today’s era, where streaming platforms reign supreme in the music industry, internet radio continues to thrive as… This is a post from HackRead.com Read the original post: How Internet Radio Hosting Royalties Fuel the Digital Airwaves

WordPress Royal Elementor Addons and Templates plugin versions prior to 1.3.79 suffer from a remote shell upload vulnerability.

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.