#ssl

CVE-2022-29182: Releases - Version notes | GoCD

GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.

Threat Roundup for May 13 to May 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,... [[ This is only the beginning! Please visit the blog for the complete entry ]]

2 years ago

TALOS

Open in Source

#sql #vulnerability #web #ios #mac #windows #google #microsoft #js #git #pdf #botnet #ssl

CVE-2022-22365: IBM WebSphere Application Server spoofing CVE-2022-22365 Vulnerability Report

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, with the Ajax Proxy Web Application (AjaxProxy.war) deployed, is vulnerable to spoofing by allowing a man-in-the-middle attacker to spoof SSL server hostnames. IBM X-Force ID: 220904.

2 years ago

CVE

Open in Source

#vulnerability #web #ibm #ssl

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

2 years ago

CVE

Open in Source

#sql #csrf #vulnerability #git #php #rce #auth #docker #ssl

WordPress theme Jupiter patches critical privilege escalation flaw

Users urged to update systems amid reports of active exploitation

2 years ago

PortSwigger

Open in Source

#vulnerability #web #dos #wordpress #auth #ssl

Widespread Swagger-UI library vulnerability leads to DOM XSS attacks

Dozens of bugs reported with a backlog containing hundreds more

2 years ago

PortSwigger

Open in Source

#xss #vulnerability #web #microsoft #js #git #vmware #auth #ssl

CVE-2022-28104: Security Bulletins | Foxit Software

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

2 years ago

CVE

Open in Source

#sql #xss #vulnerability #web #ios #android #mac #windows #google #microsoft #linux #cisco #dos #js #git #java #intel #rce #perl #pdf #buffer_overflow #auth #ibm #zero_day #firefox #wifi #ssl

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

2 years ago

CVE

Open in Source

#vulnerability #web #mac #linux #apache #php #rce #perl #auth #firefox #ssl

CVE-2022-30551: GitHub - OPCFoundation/UA-Java-Legacy: This repository is provided by OPC Foundation as legacy support for an Java version for OPC UA.

OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources.

2 years ago

CVE

Open in Source

#ios #android #apache #js #git #java #oracle #maven #ssl

CVE-2021-34111: Thecus N4800Eco Nas Server Control Panel Comand Injection

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

2 years ago

CVE

Open in Source

#vulnerability #php #auth #ssl

Tag

#ssl