Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

GHSA-mrf6-4gw6-65v3: Jenkins extreme-feedback Plugin vulnerable to Missing Authorization

A missing permission check in Jenkins extreme-feedback Plugin 1.7 and earlier allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

ghsa
Open in Source
#mac#git#auth
CVE-2022-38073: Awesome Support – WordPress HelpDesk & Support Plugin

Multiple Authenticated (custom specific plugin role) Persistent Cross-Site Scripting (XSS) vulnerability in Awesome Support plugin <= 6.0.7 at WordPress.

CVE-2022-28802

Code by Zapier before 2022-08-17 allowed intra-account privilege escalation that included execution of Python or JavaScript code. In other words, Code by Zapier was providing a customer-controlled general-purpose virtual machine that unintentionally granted full access to all users of a company's account, but was supposed to enforce role-based access control within that company's account. Before 2022-08-17, a customer could have resolved this by (in effect) using a separate virtual machine for an application that held credentials - or other secrets - that weren't supposed to be shared among all of its employees. (Multiple accounts would have been needed to operate these independent virtual machines.)

AttachMe – Oracle Patches “Severe” Vulnerability in its Cloud Infrastructure

By Deeba Ahmed Dubbed AttachMe by researchers; the vulnerability was a severe one since it targeted all OIC customers. This is a post from HackRead.com Read the original post: AttachMe – Oracle Patches “Severe” Vulnerability in its Cloud Infrastructure

CVE-2022-35621: GitHub - MacherCS/CVE_Evoh_Contract: These are the materials about the vulnerability of Evoh NFT contract

Access control vulnerability in Evoh NFT EvohClaimable contract with sha256 hash code fa2084d5abca91a62ed1d2f1cad3ec318e6a9a2d7f1510a00d898737b05f48ae allows remote attackers to execute fraudulent NFT transfers.

CVE-2022-23952: Multiple Security Issues (including remote code execution in the Agent component)

In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable.

Data Scientists Dial Back Use of Open Source Code Due to Security Worries

Data scientists, who often choose open source packages without considering security, increasingly face concerns over the unvetted use of those components, new study shows.

CVE-2022-41235: Jenkins Security Advisory 2022-09-21

Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

CVE-2022-41226: Jenkins Security Advisory 2022-09-21

Jenkins Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-41239: Jenkins Security Advisory 2022-09-21

Jenkins DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.