Security Headlines

Tag: #microsoft

Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs

Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentials property of an Azure Active Directory (Azure AD) Application and/or Service Principal, and to prevent reading of private key data previously stored in the keyCredentials property. The keyCredentials property is used to configure an application’s authentication credentials.

msrc-blog
CVE-2021-25976: Merge pull request #1742 from PiranhaCMS/features/manager-security-up… · PiranhaCMS/piranha.core@e42abac

In PiranhaCMS, versions 4.0.0-alpha1 to 9.2.0 are vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.

CVE-2021-43495: [Security] : Path Traversal in the IO module · Issue #43 · AlquistManager/alquist

AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability in alquist/IO/input.py. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.

Golden Certificate

Domain persistence techniques enable red teams that have compromised the domain to operate with the highest level of privileges for a long period. One of…

CVE-2021-43493: [Security] Path Traversal Vulnerability found · Issue #21 · cksgf/ServerManagement

ServerManagement master branch as of commit 49491cc6f94980e6be7791d17be947c27071eb56 is affected by a directory traversal vulnerability. This vulnerability can be used to extract credentials which can in turn be used to execute code.

CVE-2021-43492: [Security] : Path Traversal in the IO module · Issue #42 · AlquistManager/alquist

AlquistManager branch as of commit 280d99f43b11378212652e75f6f3159cde9c1d36 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.

CVE-2021-43496: [Security] Path Traversal Vulnerability found · Issue #12 · varun-suresh/Clustering

Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.

CVE-2021-43494: [Security] Path Traversal Vulnerability found · Issue #2 · codingforentrepreneurs/OpenCV-REST-API

OpenCV-REST-API master branch as of commit 69be158c05d4dd5a4aff38fdc680a162dd6b9e49 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access.

CVE-2021-34422: Security Bulletin

The Keybase Client for Windows before version 5.7.0 contains a path traversal vulnerability when checking the name of a file uploaded to a team folder. A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application which was not intended on their host machine. If a malicious user leveraged this issue with the public folder sharing feature of the Keybase client, this could lead to remote code execution.

CVE-2021-34420: A Red Team Operation Leveraging a zero-day vulnerability in Zoom

The Zoom Client for Meetings for Windows installer before version 5.5.4 does not properly verify the signature of files with .msi, .ps1, and .bat extensions. This could lead to a malicious actor installing malicious software on a customer's computer.