Security
Headlines
HeadlinesLatestCVEs

Tag

#web

MD-Pro 1.0.76 Shell Upload / SQL Injection

MD-Pro version 1.0.76 suffers from remote SQL injection and shell upload vulnerabilities.

Packet Storm
Open in Source
#sql#vulnerability#web#windows#google#php#auth
MITRE Launches AI Incident Sharing Initiative

The collaboration with industry partners will improve collective AI defenses. Trusted contributors receive protected and anonymized data on real-world AI incidents.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

GHSA-q898-frwq-f3qp: Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

### Summary The `HtmlGenerator` class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. ### Context Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the `description` property of the [Status Response](https://wiki.vg/Server_List_Ping#Status_Response) packet. The [jgniecki/MinecraftMotdParser](https://github.com/jgniecki/MinecraftMotdParser) PHP library is able to parse the value of the `description` property, which can be either a string or an array of text components. By utilizing the aforementioned `HtmlGenerator` class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page. ### Details The `HtmlGenerator` iterates through objects of `MotdItem` that are contained in an...

GHSA-8xq9-g7ch-35hg: Parse Server's custom object ID allows to acquire role privileges

### Impact If the Parse Server option `allowCustomObjectId: true` is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. ### Patches Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected. ### Workarounds - Disable custom object IDs by setting `allowCustomObjectId: false` or not setting the option which defaults to `false`. - Use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix `role:`. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg - https://github.com/parse-community/parse-server/pull/9317 (fix for Parse Server 7) - https://github.com/parse-community/parse-server/pull/9318 (fix for Parse Server 6)

Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery

Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

GHSA-8h22-6qwx-q4w9: OpenStack Ironic fails to verify checksums of supplied image_source URLs

In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.

Vehicle Service Management System 1.0 Code Injection

Vehicle Service Management System version 1.0 suffers from a PHP code injection vulnerability.

Transport Management System 1.0 Code Injection

Transport Management System version 1.0 suffers from a PHP code injection vulnerability.