Security

Tag

#windows

GHSA-cvm3-pp2j-chr3: Grafana has Broken Access Control in Alert manager: Viewer can send test alerts

### Summary
Grafana allows an attacker in the Viewer role to send alerts via the API Alert - Test. The option is not available from the user panel UI for users in the Viewer role.

**Reason for the error**: The API does not check access to this function and allows it for users with the least rights, for example a Viewer, who does not see this option in the user panel.

This enables malicious users to abuse the functionality by sending multiple alert messages (e-mail, Slack, etc…), spamming users, preparing phishing attacks, or getting the SMTP server / IP blocked, so that all messages are automatically moved to the spam folder and the IP is added to a blacklist.

### Details
The logged-in user in the Viewer role does not have access, in the user panel, to the test option of sending an e-mail alert.

View of the panel for the user in the Viewer role: ![image](https://user-images.githubusercontent.com/1643385/232904030-e8a8338d-f5e3-4b04-80c3-32f2164a190e.png)

Admin role - View panel for admin role: ![image](https://user-images.github...

ghsa
#xss #web #mac #windows #apple #js #git #chrome #webkit
CVE-2023-3208: vulhub/RoadFlow.md at master · yangxixx/vulhub

A vulnerability, which was classified as critical, has been found in RoadFlow Visual Process Engine .NET Core Mvc 2.13.3. Affected by this issue is some unknown functionality of the file /Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab_0B73635494734D66B9C015CAC149EB05 of the component Login. The manipulation of the argument sidx/sord leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-231230 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-34581: OffSec’s Exploit Database Archive

Sourcecodester Service Provider Management System v1.0 is vulnerable to SQL Injection via the ID parameter in /php-spms/?page=services/view&id=2

Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme

A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021. "This massive campaign has likely resulted in thousands of people being scammed worldwide," Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor named "Impulse

PhotoSwipe 5.3.7 Arbitrary File Download

PhotoSwipe version 5.3.7 suffers from an arbitrary file download vulnerability.

PES Pro CMS 1.9.7 Add Administrator

PES Pro CMS version 1.9.7 suffers from an add administrator vulnerability.

KesionCMS X 9.5 Add Administrator

KesionCMS X version 9.5 suffers from an unauthenticated add administrator vulnerability.

Pannres-Idence CMS 7.3 Cross Site Request Forgery

Pannres-Idence CMS version 7.3 suffers from a cross site request forgery vulnerability.

Ormesson-Immobilier CMS 8 SQL Injection

Ormesson-Immobilier CMS version 8 suffers from a remote SQL injection vulnerability that allows for authentication bypass.