Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-6394: cve-details

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

CVE
Open in Source
#vulnerability#web#red_hat#auth
CVE-2023-46494: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @evershop/evershop - Cx8ecec391-2014 - DevHub

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted request to the ProductGrid function in admin/productGrid/Grid.jsx.

CVE-2023-46499: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @evershop/evershop - Cx0f8b38be-d5de - DevHub

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a crafted scripts to the Admin Panel.

CVE-2023-46495: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @evershop/evershop - Cxbc6d4599-c1bd - DevHub

Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter.

Microsoft Defender Anti-Malware PowerShell API Arbitrary Code Execution

Microsoft Defender API and PowerShell APIs suffer from an arbitrary code execution due to a flaw in powershell not handling user provided input that contains a semicolon.

Meta’s Purple Llama wants to test safety risks in AI models

Meta's Project Llama aims to help developers filter out specific items that might cause their AI model to produce inappropriate content.

New 5G Modems Flaws Affect iOS Devices and Android Models from Major Brands

A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called 5Ghoul (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three

CVE-2023-23372: Vulnerability in QTS and QuTS hero - Security Advisory

A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2425 build 20230609 and later QTS 5.1.0.2444 build 20230629 and later QTS 4.5.4.2467 build 20230718 and later QuTS hero h5.1.0.2424 build 20230609 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h4.5.4.2476 build 20230728 and later

CVE-2023-32975: Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.0.1.2514 build 20230906 and later QTS 5.1.2.2533 build 20230926 and later QuTS hero h5.0.1.2515 build 20230907 and later QuTS hero h5.1.2.2534 build 20230927 and later

ISPConfig 3.2.11 PHP Code Injection

ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.