Security
Headlines

Tag: #google

CVE-2022-27979: security-advisories/20220321-tooljet-xss.md at main · fourcube/security-advisories

A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component.

Metaverse Version of the Dark Web Could be Nearly Impenetrable

Law enforcement will likely find it much harder to take down criminal activities on the "deepverse."

PHP Restaurants 1.0 SQL Injection / Cross Site Scripting

PHP Restaurants version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass and a cross site scripting vulnerability. Original discovery of SQL injection in this version is attributed to Nefrit ID in February of 2022.

Mars Stealer 8.3 Account Takeover

Mars Stealer version 8.3 suffers from an account takeover vulnerability.

CVE-2023-22729: [CVE-2023-22729] Escaped double slash is absolute URL · silverstripe/silverstripe-framework@1a5bb4c

Silverstripe Framework is the Model-View-Controller framework that powers the Silverstripe content management system. Prior to version 4.12.15, an attacker can display a link to a third party website on a login screen by convincing a legitimate content author to follow a specially crafted link. Users should upgrade to Silverstripe Framework 4.12.15 or above to address the issue.

Online Book Store 1.0 SQL Injection

Online Book Store version 1.0 suffers from a remote SQL injection vulnerability. This is a variant of the original vulnerability discovered in August of 2020 by Moaaz Taha.

CVE-2023-0045: git/tip/tip.git - Unnamed repository; edit this file 'description' to name the repository.

The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96.

Dig Security Announces New Integration With CrowdStrike

New CrowdStrike Falcon platform integration delivers multi-cloud visibility and protection of data assets with layered malware detection and file scanning to stop modern attacks.

CVE-2023-23710: WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 - Cross Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in the miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin, versions <= 7.5.14.

CVE-2022-45291: PWS_Dashboard - CVE-2022-45291: "badweather"

PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.