Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

CVE-2022-29182: Releases - Version notes | GoCD

GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#mac#windows#google#microsoft#amazon#ubuntu#linux#debian#apache#nodejs#js#git#java#oracle#kubernetes#rce#perl#ldap#aws#log4j#oauth#auth#ssh#dell#ruby#rpm#postgres#docker#bitbucket#chrome#gradle#maven#ssl
CVE-2022-28995: https://github.com/yogeshojha/rengine rce report · Issue #1 · zongdeiqianxing/rengine

Rengine v1.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the yaml configuration function.

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

CVE-2022-25227: Thinfinity VNC v4.0.0.1 - CORS Misconfiguration to RCE | Fluid Attacks

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

CVE-2022-25227: Proton v0.2.0 - XSS To RCE | Fluid Attacks

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an attacker can leverage this to run OS commands.

380K Kubernetes API Servers Exposed to Public Internet

More than 380,000 of the 450,000-plus servers hosting the open-source container-orchestration engine for managing cloud deployments allow some form of access.

Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1

By Waqas Other than Windows 11, Microsoft Teams and Mozilla Firefox, Oracle Virtualbox, Ubuntu Desktop, and Safari browser were also… This is a post from HackRead.com Read the original post: Pwn2Own 2022 – Windows 11, MS Teams and Firefox Pwned on Day 1