Security Headlines

GHSA-hcw2-2r9c-gc6p: CasaOS Username Enumeration - Bypass of CVE-2024-24766

### Summary

The CasaOS login page still discloses the username enumeration vulnerability that was patched in `CasaOS v0.4.7`.

### Details

An attacker can enumerate CasaOS usernames from the application response. If the username is incorrect, the application returns the error "**User does not exist**" with success code "**10006**"; if the password is incorrect, it returns the error "**User does not exist or password is invalid**" with success code "**10013**".

### PoC

1. If the username is invalid, the application returns "User does not exist" with success code "**10006**".

   ![1](https://github.com/IceWhaleTech/CasaOS-UserService/assets/63414468/a6eb4321-b2f3-4fba-aa8e-e1d0fbf58187)

2. If the password is invalid, the application returns "**User does not exist or password is invalid**" with success code "**10013**".

   ![2](https://github.com/IceWhaleTech/CasaOS-UserService/assets/63414468/126eff54-eeb0-4ee6-bc46-695376b5e5cd)

### Impact

Using...

WordPress Gutenberg 18.0.0 Cross Site Scripting

WordPress Gutenberg plugin version 18.0.0 suffers from a persistent cross site scripting vulnerability.

ARIS: Business Process Management 10.0.21.0 Cross Site Scripting

ARIS: Business Process Management version 10.0.21.0 suffers from a persistent cross site scripting vulnerability.

Linux nf_tables Local Privilege Escalation

A use-after-free vulnerability exists in the Linux kernel netfilter: nf_tables component. This is a universal local privilege escalation proof of concept exploit working on Linux kernels between 5.14 and 6.6, including Debian, Ubuntu, and KernelCTF.

BioTime Directory Traversal / Remote Code Execution

BioTime versions 8.5.5 and 9.0.1 suffer from directory traversal and file write vulnerabilities. This exploit also achieves remote code execution on version 8.5.5.

Red Hat Security Advisory 2024-1576-03

Red Hat Security Advisory 2024-1576-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

Gibbon 26.0.00 Server-Side Template Injection / Remote Code Execution

Gibbon version 26.0.00 suffers from a server-side template injection vulnerability that allows for remote code execution.

GHSA-8vj9-5v5q-fhch: Bonita cross-site scripting vulnerability

Bonita before 10.1.0.W11 allows stored XSS via a UI screen in the administration panel.

You Should Update Apple iOS and Google Chrome ASAP

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

GHSA-34h3-8mw4-qw57: @electron/packager's build process memory potentially leaked into final executable

### Impact

A random segment of ~1-10kb of Node.js heap memory, allocated on either side of a known buffer, is leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc.

### Patches

This issue is patched in 18.3.1.

### Workarounds

No workarounds; please update to a patched version of `@electron/packager` immediately if impacted.