Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-48078: GitHub - esasadam06/Simple-CRUD-Functionality-SQLi-POC

SQL Injection vulnerability in add.php in Simple CRUD Functionality v1.0 allows attackers to run arbitrary SQL commands via the 'title' parameter.

CVE
Open in Source
#sql#vulnerability#web#git#php#auth
CVE-2023-47025: [Bugs]Amf crashed when failed to resolve the IP of ngap message , resulting in a null pointer reference. · Issue #501 · free5gc/free5gc

An issue in Free5gc v.3.3.0 allows a local attacker to cause a denial of service via the free5gc-compose component.

CVE-2023-40314: NMS-15790: Transport bootstrap.jsp args in context by fooker · Pull Request #6791 · OpenNMS/opennms

Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Moshe Apelbaum for reporting this issue.

ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

By Deeba Ahmed Yet another day, another instance of a Google service being exploited for spreading malware infections. This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

GHSA-4qq5-mxxx-m6gg: MLflow authentication requirement bypass can allow a user to arbitrarily create an account

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirement.

GHSA-phmw-jx86-x666: Authenticated Rundeck users can view or delete jobs they do not have authorization for.

Access to two URLs used in both Rundeck Open Source and Process Automation products could allow authenticated users to access the URL path, which would allow access to view or delete jobs, without the necessary authorization checks. The affected URLs are: - `http[s]://[host]/context/rdJob/*` - `http[s]://[host]/context/api/*/incubator/jobs` ### Impact Rundeck, Process Automation version 4.12.0 up to 4.16.0 ### Patches Patched versions: 4.17.3 ### Workarounds Access to two URLs used in either Rundeck Open Source or Process Automation products could be blocked at a load balancer level. - `http[s]://host/context/rdJob/*` - `http[s]://host/context/api/*/incubator/jobs` ### For more information If you have any questions or comments about this advisory: * Open an issue in [our forums](https://community.pagerduty.com/forum/c/process-automation) * Enterprise Customers can open a [Support ticket](https://support.rundeck.com)

Alleged Extortioner of Psychotherapy Patients Faces Trial

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

CVE-2023-48134: CVE-reports/nagayama_copabowl.md at main · syz913/CVE-reports

nagayama_copabowl Line 13.6.1 is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor.

We all just need to agree that ad blockers are good

YouTube’s new rules may not be around for long anyway, because they might run afoul of European Union regulations

GHSA-f798-qm4r-23r5: MLflow allowed arbitrary files to be PUT onto the server

MLflow allowed arbitrary files to be PUT onto the server.