Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

Top AI Trends Every Software Development Company to Follow in 2025

The software development industry is expanding tremendously. It drives up the need for technical people and new solutions.…

HackRead
#sql#vulnerability#web#mac#nodejs#js#git#java#intel#aws#docker#kotlin
Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.  The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted

India Sees Surge in API Attacks, Especially in Banking, Utilities

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

Cl0p Ransomware Exploits Cleo Vulnerability, Threatens Data Leaks

SUMMARY The Cl0p ransomware group has recently claimed responsibility for exploiting a critical vulnerability in Cleo’s managed file…

OData Injection Risk in Low-Code/No-Code Environments

As the adoption of LCNC grows, so will the complexity of the threats organizations face.

GHSA-wh34-m772-5398: XWiki Platform has an SQL injection in getdocuments.vm with sort parameter

### Impact In `getdocument.vm` ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. It's possible to employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections. ### Patches This has been patched in 13.10.5 and 14.3-rc-1. ### Workarounds There is no known workaround, other than upgrading XWiki. ### References https://jira.xwiki.org/browse/XWIKI-17568 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-787v-v9vq-4rgv: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.  This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Chinese Hacker Pwns 81K Sophos Devices With Zero-Day Bug

The US State Department has offered a $10 million reward for Guan Tianfeng, who has been accused of developing and testing a critical SQL injection flaw with a CVSS score of 9.8 used in Sophos attacks.

ABB Cylon Aspect 3.08.01 Unauthenticated DB Download

An unauthenticated vulnerability in ABB Cylon Aspect BMS/BAS allows the download of an SQLite3 database file, exposing sensitive information stored in several tables. This vulnerability could lead to unauthorized access to system data, enabling information disclosure and potential exploitation of critical building management or automation systems.

GHSA-f626-677r-j5vq: Nette Database SQL injection

Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method.