Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

Threat Roundup for June 30 to July 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

TALOS
Open in Source
#sql#xss#vulnerability#web#ios#mac#windows#google#microsoft#js#git#bios#acer#sap
CVE-2021-32494: Floating point exception on Mach-O parser · Issue #18667 · radareorg/radare2

Radare2 has a division by zero vulnerability in Mach-O parser's rebase_buffer function. This allow attackers to create malicious inputs that can cause denial of service.

CVE-2023-27845: Logiciel de caisse PrestaShop, caisse enregistreuse POS

SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allow a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo, and KerawenHelper::resetCheckoutSessionData components.

CVE-2023-33715: Index

A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

CVE-2023-37264: v1beta1 package - github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1 - Go Packages

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. While the software stores and validates the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference, it only store (api version, kind, name) in the ChildStatusReference. This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is problematic since it can let users modify the config of Pipelines at runtime, which violates SLSA L2 Service Generated / Non-falsifiable requirements. This issue can be used to trick the Pipeline controller into associating unrelated Runs to the Pipeline, feedi...

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37063: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.