Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-46468: [CVE-2023-46468] There's an RCE vulnerability in Juzaweb CMS

An issue in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted file to the custom plugin function.

CVE
Open in Source
#vulnerability#web#git#php#rce
GHSA-47xw-vw6m-w9fq: HashiCorp Vagrant Insecure Operation on Windows Junction / Mount Point vulnerability

HashiCorp Vagrant's Windows installer targeted a custom location with a non-protected path that could be junctioned, introducing potential for unauthorized file system writes. Fixed in Vagrant 2.4.0.

CVE-2023-46587: vulns/XnView/2.51.5 at main · nasroabd/vulns

Buffer Overflow vulnerability in XnView Classic v.2.51.5 allows a local attacker to execute arbitrary code via a crafted TIF file.

GHSA-7c2q-5qmr-v76q: DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

### Impact ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI `HTTPUtilities.getFileUploads` methods (or more specifically those methods in the `DefaultHTTPUtilities` implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well. ### Related to CVE-2023-24998 ### Patches ESAPI 2.5.2.0 or later. ### Workarounds - See the 'Solutions' section of Security Bulletin 11, in the References section. If you are not using ESAPI file uploads, see also the 'Workarounds' section. - Deploy an external WAF or other suitable DoS protection. - Add additional defenses to your code using HTTPUtilities.getFileUpload, such as requiring prior authentication, restricting how many / much content can be uploaded per user per day or per hour, etc. (It i...

CVE-2023-35794: GitHub - Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking: Repository contains description for CVE-2023-35794 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

CVE-2023-40117

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2022-34834: AgileReporter | Regulatory Reporting Solution by VERMEG

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

CVE-2023-46853: Comparing 1.6.21...1.6.22 · memcached/memcached

In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used instead of \r\n.

CVE-2023-29009: Release basercms 4.8.0 リリース · baserproject/basercms

baserCMS is a website development framework with WebAPI that runs on PHP8 and CakePHP4. There is a XSS Vulnerability in Favorites Feature to baserCMS. This issue has been patched in version 4.8.0.

The Destruction of Gaza’s Internet Is Complete

As Israel increases its ground operation in Gaza, the last remaining internet and mobile connections have gone dark.