Security
Headlines
HeadlinesLatestCVEs

Tag

#php

'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to

The Hacker News
Open in Source
#vulnerability#web#mac#git#wordpress#php#oauth#auth#The Hacker News
GHSA-296q-rj83-g9rq: Reflected Cross Site-Scripting (XSS) in Oveleon Cookiebar

## usd-2024-0009 | Reflected XSS in Oveleon Cookiebar ### Details **Advisory ID**: usd-2024-0009 **Product**: Cookiebar **Affected Version**: 2.X **Vulnerability Type**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **Security Risk**: HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N **Vendor URL**: https://www.usd.de/ **CVE Number**: Not requested yet **CVE Link**: Not requested yet ### Affected Component The `block` function in `CookiebarController.php`. ### Desciption Oveleon's Cookiebar is an extension for the popular Contao CMS. The `block/locale` endpoint does not properly sanitize the user-controlled `locale` input before including it in the backend's HTTP response, thereby causing reflected XSS. ### Fix Sanitize the `locale` input to prevent XSS payloads from being executed in a user's browser. ### Timeline * **2024-04-24**: Vulnerability discovered by Daniel Ruppel of usd AG. * *...

Ubuntu Security Notice USN-6914-1

Ubuntu Security Notice 6914-1 - Filip Hejsek discovered that the phpCAS library included in OCS Inventory was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account.

Ubuntu Security Notice USN-6913-1

Ubuntu Security Notice 6913-1 - Filip Hejsek discovered that phpCAS was using HTTP headers to determine the service URL used to validate tickets. A remote attacker could possibly use this issue to gain access to a victim's account on a vulnerable CASified service. This security update introduces an incompatible API change. After applying this update, third party applications need to be modified to pass in an additional service base URL argument when constructing the client class.

Prison Management System 1.0 Shell Upload

Prison Management System version 1.0 suffers from an unauthenticated remote shell upload vulnerability.

SLiMS CMS 2.0 SQL Injection

SLiMS CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

StarTask CRM 1.9 SQL Injection

StarTask CRM version 1.9 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

UBM CMS 1.2 Insecure Direct Object Reference

UBM CMS version 1.2 suffers from an insecure direct object reference vulnerability.