Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-39110: CVE_Request/rConfig/rConfig_ ajaxGetFileByPath.md at master · zer0yu/CVE_Request

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.

CVE
Open in Source
#vulnerability#git#php#ssrf#auth
CVE-2023-39109: CVE_Request/rConfig/rConfig_path_a.md at master · zer0yu/CVE_Request

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_a parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.

CVE-2023-39108: CVE_Request/rConfig/rConfig_path_b.md at master · zer0yu/CVE_Request

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the path_b parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs.

CVE-2022-39987: raspap-webgui/ajax/networking/get_wgkey.php at master · RaspAP/raspap-webgui

A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the "entity" POST parameters in /ajax/networking/get_wgkey.php.

CVE-2023-34634: GreenShot 1.2.10 Arbitrary Code Execution ≈ Packet Storm

Greenshot 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened.

Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack

By Waqas The Israeli security agency Shin Bet claims to have thwarted a LinkedIn phishing scam carried out by Iranian hackers. This is a post from HackRead.com Read the original post: Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack

CVE-2023-37478: Release v7.33.4 · pnpm/pnpm

pnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. This issue has been patched in version(s) 7.33.4 and 8.6.8.

CVE-2023-32302: [CVE-2023-32302] Require password field to be non-empty · silverstripe/silverstripe-framework@7b21b38

Silverstripe Framework is the MVC framework that powers Silverstripe CMS. When a new member record is created and a password is not set, an empty encrypted password is generated. As a result, if someone is aware of the existence of a member record associated with a specific email address, they can potentially attempt to log in using that empty password. Although the default member authenticator and login form require a non-empty password, alternative authentication methods might still permit a successful login with the empty password. This issue has been patched in versions 4.13.4 and 5.0.13.

European Bank Customers Targeted in SpyNote Android Trojan Campaign

Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023. "The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," Italian cybersecurity

How AI May Be Used to Create Custom Disinformation Ahead of 2024

Generative AI won't just flood the internet with more lies—it may also create convincing disinformation that's targeted at groups or even individuals.