Security
Headlines
HeadlinesLatestCVEs

Tag

#windows

Online Travel Agency System 1.0 Shell Upload

Online Travel Agency System version 1.0 suffers from a remote shell upload vulnerability.

Packet Storm
Open in Source
#vulnerability#web#windows#google#git#php#auth#firefox
Tourism Management System 1.0 SQL Injection

Tourism Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack

A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign. The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers

GHSA-v26r-4c9c-h3j6: gix-path uses local config across repos when it is the highest scope

### Summary `gix-path` executes `git` to find the path of a configuration file that belongs to the `git` installation itself, but mistakenly treats the local repository's configuration as system-wide if no higher scoped configuration is found. In rare cases, this causes a less trusted repository to be treated as more trusted, or leaks sensitive information from one repository to another, such as sending credentials to another repository's remote. ### Details In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` and parses the first line of the output to extract the path to the configuration file holding the configuration variable of highest [scope](https://git-scm.com/docs/git-config#SCOPES): https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13d8/gix-path/src/env/git/mod.rs#L91 https://github.com/Byron/gitoxide/blob/12251eb052df30105538fa831e641eea557f13...

Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.

Webpay E-Commerce 1.0 SQL Injection

Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.

Online Traffic Offense 1.0 Cross Site Request Forgery

Online Traffic Offense version 1.0 suffers from a cross site request forgery vulnerability.

Penglead 2.0 Cross Site Scripting

Penglead version 2.0 suffers from a cross site scripting vulnerability.