Security
Headlines
HeadlinesLatestCVEs

Tag

#mongo

CVE-2023-2905: fixed mqtt variable length header issue by robertc2000 · Pull Request #2274 · cesanta/mongoose

Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.

CVE
Open in Source
#vulnerability#web#git#buffer_overflow#mongo
CVE-2023-4009: Ops Manager Server Changelog — MongoDB Ops Manager 5.0

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.

CVE-2023-37650: Multiple Vulnerabilities in Cockpit CMS <= v2.5.2

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

GHSA-9m93-w8w6-76hh: Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

CVE-2023-3696

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

Silk Road’s Second-in-Command, Variety Jones, Gets 20 Years in Prison

Roger Thomas Clark, also known as Variety Jones, will spend much of the rest of his life in prison for his key role in building the world’s first dark-web drug market.

SmugX: Chinese Hackers Targeting Embassies in Europe

By Deeba Ahmed The researchers believe that the SmugX attack is an extension of a previously discovered campaign linked to Mustang Panda. This is a post from HackRead.com Read the original post: SmugX: Chinese Hackers Targeting Embassies in Europe

CVE-2023-31997

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus.

GHSA-462x-c3jw-7vr6: Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution

### Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. ### Patches Prevent prototype pollution in MongoDB database adapter. ### Workarounds Disable remote code execution through the MongoDB BSON parser. ### Credits - Discovered by hir0ot working with Trend Micro Zero Day Initiative - Fixed by dbythy - Reviewed by mtrezza ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-462x-c3jw-7vr6 - https://github.com/advisories/GHSA-prm5-8g2m-24gg