Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Craft CMS 4.4.14 Code Injection

Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability.

Packet Storm
Open in Source
#vulnerability#web#windows#google#php#auth#firefox
Chamilo 1.11.18 Code Injection

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

Artica Proxy 4.40 Code Injection

Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.

ABB Cylon Aspect 3.08.00 (dialupSwitch.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'MODEM' HTTP POST parameter called by the dialupSwitch.php script.

Retail CISOs Take on More Risk to Foster Innovation

CISOs in consumer and retail organizations appear to accept greater risks to allow for more innovation, which could be a model for future growth.

Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This…

CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who

New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10. "An issue was discovered in GitLab EE

ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control

The BMS/BAS controller suffers from a vulnerability that allows an unauthenticated attacker to enable or disable the SSH daemon by sending a POST request to sshUpdate.php with a simple JSON payload. This can be exploited to start the SSH service on the remote host without proper authentication, potentially enabling unauthorized access or stop and deny service access.

GHSA-26jh-r8g2-6fpr: Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list

### Impact **What kind of vulnerability is it? Who is impacted?** This vulnerability is a **data validation issue** in the Gradio `Dropdown` component's pre-processing step. Even if the `allow_custom_value` parameter is set to `False`, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user's machine. ### Patches Yes, this issue is addressed in `gradio>=5.0`. Please upgrade to the latest version to resolve the problem. ### Workarounds **Is there a way for users to fix or remediate the vulnerability without upgrading?** To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing th...