Tag
#git
### Impact
A mass assignment vulnerability was found that allows a non-admin user to escalate privileges to an admin user.

### Patches
The issue is patched in 0.17.1 and fixed in 0.18.6+. If users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

### Workarounds
If using 0.17.1, you can pull the latest Docker image of the backend and restart the server.

### References
Credit to Project Discovery, and in particular https://github.com/rootxharsh, https://github.com/iamnoooob, and https://github.com/projectdiscovery
### Impact
An IDOR vulnerability was found in the user update function. By specifying another user's username, it is possible to update that user's password.

### Patches
The issue is patched in 0.17.1 and fixed in 0.18.6+. If users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

### Workarounds
If using 0.17.1, you can pull the latest Docker image of the backend and restart the server.

### References
Credit to Project Discovery, and in particular https://github.com/rootxharsh, https://github.com/iamnoooob, and https://github.com/projectdiscovery
### Impact
Hardcoded DNS key usage has been found in Netmaker, allowing unauthenticated users to interact with DNS API endpoints.

### Patches
The issue is patched in 0.17.1 and fixed in 0.18.6+. If users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

### Workarounds
If using 0.17.1, you can pull the latest Docker image of the backend and restart the server.

### References
Credit to Project Discovery, and in particular https://github.com/rootxharsh, https://github.com/iamnoooob, and https://github.com/projectdiscovery
Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks. Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll -- the company handling both firms' bankruptcy restructuring.
A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.
By Owais Sultan. Okay, digital explorers! Strap yourselves in as we prepare to embark on a thrilling expedition through the complex and ever-shifting digital wilderness. This is a post from HackRead.com. Read the original post: Defending the Virtual Kingdom: Exploring Modern Cybersecurity Landscapes
By Owais Sultan. Data security is vital for protecting sensitive information and maintaining trust. This is a post from HackRead.com. Read the original post: Elevating Data Security: Key Considerations When Transferring Your Digital Workspace
In Tenda AC23 v16.03.07.45_cn, the formSetIPv6status and formGetWanParameter functions do not authenticate user input parameters, resulting in a post-authentication stack overflow vulnerability.
In Tenda AC23 v16.03.07.45_cn, the sub_4781A4 function does not validate the parameters entered by the user, resulting in a post-authentication stack overflow vulnerability.
Phicomm k2 v22.6.529.216 is vulnerable to command injection.