Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2024-49042: Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability

**How could an attacker exploit this vulnerability?** An attacker with the administrator role of "azure\_pg\_admin" in the target environment could exploit this vulnerability to gain the same privileges as a SuperUser by sending a specially crafted request to an Azure Database for PostgreSQL Flexible Server with specific non-default functionality enabled.

Microsoft Security Response Center
Open in Source
#sql#vulnerability#postgres#Azure Database for PostgreSQL#Security Vulnerability
CVE-2024-43613: Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploits this vulnerability would gain the same privileges as the SuperUser role.

Open Source Security Incidents Aren't Going Away

Companies and organizations need to recognize the importance of investing in engineers who possess both the soft and hard skills required to secure open source software effectively.

AI & LLMs Show Promise in Squashing Software Bugs

Large language models (LLMs) can help app security firms find and fix software vulnerabilities. Malicious actors are on to them too, but here's why defenders may retain the edge.

6 Infotainment Bugs Allow Mazdas to Be Hacked With USBs

Direct cyberattacks on vehicles are all but unheard of. In theory though, the opportunity is there to cause real damage — data extraction, full system compromise, even gaining access to safety-critical systems.

Hackers Can Access Mazda Vehicle Controls Via System Vulnerabilities

Hackers can exploit critical vulnerabilities in Mazda’s infotainment system, including one that enables code execution via USB, compromising…

IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony. The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point

GHSA-q78v-cv36-8fxj: Devtron has SQL Injection in CreateUser API

### Summary An authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). ### Details The API is CreateUser (/orchestrator/user). The function to read user input is: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/api/auth/user/UserRestHandler.go#L96-L104 The userInfo (line 104) parameter can be controlled by users. The SQL injection can happen in the code: https://github.com/devtron-labs/devtron/blob/4296366ae288f3a67f87e547d2b946acbcd2dd65/pkg/auth/user/repository/UserAuthRepository.go#L1038 The query (line 1038) parameter can be controlled by a user to create and execute a malicious SQL query. The user should be authenticated but only needs minimum permissions: ![image](https://github.com/user-attachments/assets/08ba940e-33a8-408d-9a1e-9cd1504b95c5) ### PoC Demonstrate a blind SQL injection to retrieve the database name: `...

GHSA-mx26-62xm-2p83: Moodle vulnerable to site administration SQL injection via XMLDB editor

A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.

CyberPanel upgrademysqlstatus Arbitrary Command Execution

Proof of concept remote command execution exploit for CyberPanel versions prior to 5b08cd6.