Security Headlines: latest CVEs tagged #git
CVE-2023-39610: publications/1.TP-Link Tapo C100 - HTTP Denial-Of-Service at main · zn9988/publications

An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.

CVE-2023-3676: [Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

GHSA-mp92-3jfm-3575: Synapse vulnerable to leak of remote user device information

### Impact

Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.

### Patches

System administrators are encouraged to upgrade to Synapse 1.95.1 as soon as possible.

### Workarounds

The `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.

CVE-2023-37832: Vulns/Lack of resources and rate limiting - Elenos.md at main · strik3r0x1/Vulns

A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts.

CVE-2023-45955: IoT-Fuzz/Nanoleaf Lightstrip Vulnerability Report.pdf at main · IoT-Fuzz/IoT-Fuzz

An issue discovered in Nanoleaf Light strip v3.5.10 allows attackers to cause a denial of service via crafted write binding attribute commands.

CVE-2023-37831: Vulns/User enumeration - Elenos.md at main · strik3r0x1/Vulns

An issue discovered in Elenos ETG150 FM transmitter v3.12 allows attackers to enumerate user accounts based on server responses when credentials are submitted.

How Telegram Became a Terrifying Weapon in the Israel-Hamas War

Hamas posted gruesome images and videos that were designed to go viral. Sources argue that Telegram’s lax moderation ensured they were seen around the world.

CVE-2023-46722: Implement Asset Sanitizer Queue & Preview Check (#16053) · pimcore/pimcore@7573756

The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.

CVE-2023-46245: Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

Kimai is a web-based multi-user time-tracking application. Versions 2.1.0 and prior are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. As of the time of publication, no patches or known workarounds are available.

CVE-2023-46240: Merge pull request from GHSA-hwxf-qxj7-7rfj · codeigniter4/CodeIgniter4@423569f

CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.