Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

By Deeba Ahmed In total, eight zero-day vulnerabilities have been detected in Carrier’s industrial control systems (ICS) which, if exploited, allow… This is a post from HackRead.com Read the original post: Vulnerabilities in Industrial Control Systems Lets Attackers Remotely Unlock Doors

HackRead
Open in Source
#vulnerability#google#dos#rce#auth#zero_day
CVE-2021-41749: craft-seomatic/CHANGELOG.md at develop · nystudio107/craft-seomatic

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

Bluetooth Signals Can Be Abused To Detect and Track Smartphones

By Deeba Ahmed Even unpaired smartphones are vulnerable to tracking. According to a study  by the University of California San Diego’s engineers,… This is a post from HackRead.com Read the original post: Bluetooth Signals Can Be Abused To Detect and Track Smartphones

CVE-2021-41738: rootless – Medium

ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerbynet IP parameter, which may allow an authenticated attacker to execute system commands.

CVE-2017-20040: Full Disclosure: SICUNET Physical Access Controller

A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.

PHDays 11: towards the Independence Era

Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event. Alternative video link (for Russia): https://vk.com/video-149273431_456239091 As I did last year, I want to start talking about this […]

CVE-2022-24376: Command Injection vulnerability in [email protected]

All versions of package git-promise are vulnerable to Command Injection due to an inappropriate fix of a prior [vulnerability](https://security.snyk.io/vuln/SNYK-JS-GITPROMISE-567476) in this package. **Note:** Please note that the vulnerability will not be fixed. The README file was updated with a warning regarding this issue.

CVE-2022-25863: fix(gatsby-plugin-mdx): don't allow JS frontmatter by default by pieh · Pull Request #35830 · gatsbyjs/gatsby

The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.

CVE-2017-20018: XAMPP 7.1.1-0-VC14 DLL Hijacking ≈ Packet Storm

A vulnerability was found in XAMPP 7.1.1-0-VC14. It has been classified as problematic. Affected is an unknown function of the component Installer. The manipulation leads to privilege escalation. It is possible to launch the attack remotely.