#js

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** An attacker would require access to a low privileged session on the user's device to obtain a JWT (JSON Web Token) which can then be used to craft a long-lived assertion using the Windows Hello for Business Key from the victim's device.

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for unauthenticated attackers to update the plugins settings, via a forged request granted the attacker can trick a site's administrator into performing an action such as clicking on a link.

IBM Watson Knowledge Catalog on Cloud Pak for Data 4.0 could allow an authenticated user send a specially crafted request that could cause a denial of service. IBM X-Force ID: 251704.

Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.

This is release 1.4 of the rpms for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2879: A flaw was found in the gol...

Peer-pods is a new Red Hat OpenShift feature that enables an OpenShift sandboxed container (OSC) running on a bare-metal deployment to run on OpenShift in a public cloud and on VMware. It's not uncommon to want to run OpenShift in a virtual machine instead of on the bare-metal nodes. While it's possible to run a virtual machine inside a virtual machine, it demands a whole new subset of support concerns when you do it in production. In this article, I'll demonstrate how to solve this problem, using a combination of peer-pods and libvirt. By the end of this tutorial, you'll know how to create a

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. This can be used by an external attacker for example to bypass firewalls and initiate a service, file and network enumeration on the internal network through the affected application.

In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code.