Team Member – Team With Slider Security Vulnerabilities

PT-2021-02: Encryption bypass when downloading a firmware update in Diebold-Nixdorf RM3/CRS

PT-2021-02: Encryption bypass when downloading a firmware update in Diebold-Nixdorf RM3/CRS RM3/CRS dispenser firmware (all versions up to and including 41128 1002 RM3_CRS.BTR + 170329 2332 RM3_CRS.FRM) Severity: Severity level: High Encryption bypass when downloading a firmware update in...

PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5

PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5 CMDv5 dispenser firmware (all versions up to and including 141128 1002 CD5_ATM.BTR + 170329 2332 CD5_ATM.FRM) Severity: Severity level: High Encryption bypass when downloading a firmware update in...

SQL Injection in Harbor scan log API

Impact A user with an administrator, project_admin, or project_maintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API: GET...

Open Redirect URL in Harbor

Description Under OIDC authentication mode, there is a redirect_url parameter exposed in the URL which is used to redirect the current user to the defined location after the successful OIDC login, This redirect_url can be an ambiguous URL and can be used to embed a phishing URL. For example: if a.....

activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

Impact Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user. For example: A public web application allows users to create entities with arbitrary names. Active Admin is used to administrate...

Unsafe Reflection in base Component class in yiisoft/yii2

Yii2 supports attaching Behaviors to Components by setting properties having the format 'as <behaviour-name>'. Internally this is done using the __set() magic method. If the value passed to this method is not an instance of the Behavior class, a new object is instantiated using...

code injection vulnerability exists in the huggingface/text-generation-inference repository

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.head_ref user input, which is used to dynamically construct a command for installing.....

Improper Handling of Insufficient Permissions in `wagtail.contrib.settings`

Impact Due to an improperly applied permission check in the wagtail.contrib.settings module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model....

Slack integration leaks sensitive information in logs

Impact Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, including the deprecated Slack verification token. With this verification token, it is possible under specific configurations, an attacker can forge...

Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints

The Fides webserver has a number of endpoints that retrieve ConnectionConfiguration records and their associated secrets which can contain sensitive data (e.g. passwords, private keys, etc.). These secrets are stored encrypted at rest (in the application database), and the associated endpoints are....

Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

During the internal penetration testing of our product based on Yii2, we discovered an XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 (2.0.49.3). Conditions for vulnerability reproduction The framework is in debug mode (YII_DEBUG set to true)......

Exploit for CVE-2024-24919

CVE-2024-24919-Sniper ![CVE-2024-24919 Sniper...

CVE-2024-36883

In the Linux kernel, the following vulnerability has been resolved: net: fix out-of-bounds access in ops_init net_alloc_generic is called by net_alloc, which is called without any locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It is read twice, first to allocate an array,....

CVE-2024-36885

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor() Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a BUG() on startup: kernel BUG at include/linux/scatterlist.h:187! invalid opcode: 0000 [#1]...

CVE-2024-36886

In the Linux kernel, the following vulnerability has been resolved: tipc: fix UAF in error path Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported a UAF in the tipc_buf_append() error path: BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0...

Exploit for Type Confusion in Google Chrome

Chrome Renderer 1day RCE via Type Confusion in Async Stack...

EvilSlackbot - A Slack Bot Phishing Framework For Red Teaming Exercises

EvilSlackbot A Slack Attack Framework for conducting Red Team and phishing exercises within Slack workspaces. Disclaimer This tool is intended for Security Professionals only. Do not use this tool against any Slack workspace without explicit permission to test. Use at your own risk. Background...

Exploit for CVE-2024-25600

CVE-2024-25600 Exploit Tool 🚀 Disclaimer: This tool is...

Exploit for CVE-2024-24919

CVE_2024_24919 Vulnerability Scanner This Java tool scans a...

Exploit for CVE-2024-24919

CVE_2024_24919 Vulnerability Scanner This Java tool scans a...

Updated unbound packages fix security vulnerability

Along with various minor bug fixing, this update addresses the security vulnerability CVE-2024-33655 which would have allowed unbound to be used as a...

[SECURITY] Fedora 39 Update: rust-zram-generator-1.1.2-11.fc39

This is a systemd unit generator that enables swap on zram. (With zram, there is no physical swap device. Part of the available RAM is used to store compressed pages, essentially trading CPU cycles for memor y.) To activate, install zram-generator-defaults...

[SECURITY] Fedora 39 Update: rust-uu_yes-0.0.23-3.fc39

yes ~ (uutils) repeatedly display a line with STRING (or...

[SECURITY] Fedora 39 Update: rust-uu_shred-0.0.23-3.fc39

shred ~ (uutils) hide former FILE contents with repeated...

[SECURITY] Fedora 39 Update: rust-uu_nl-0.0.23-3.fc39

nl ~ (uutils) display input with added line...

[SECURITY] Fedora 39 Update: rust-uu_join-0.0.23-3.fc39

join ~ (uutils) merge lines from inputs with matching join...

[SECURITY] Fedora 39 Update: rustup-1.26.0-3.fc39

Manage multiple rust installations with...

[SECURITY] Fedora 39 Update: rust-uu_basename-0.0.23-3.fc39

basename ~ (uutils) display PATHNAME with leading directory components...

[SECURITY] Fedora 39 Update: rust-tealdeer-1.6.1-8.fc39

Fetch and show tldr help pages for many CLI commands. Full featured offline client with caching...

[SECURITY] Fedora 39 Update: rust-sequoia-octopus-librnp-1.8.1-4.fc39

Reimplementation of RNP's interface using Sequoia for use with...

[SECURITY] Fedora 39 Update: rust-silver-2.0.1-8.fc39

A cross-shell customizable powerline-like prompt with...

[SECURITY] Fedora 39 Update: rust-sha1collisiondetection-0.3.4-2.fc39

SHA-1 hash function with collision detection and...

[SECURITY] Fedora 39 Update: rust-sd-1.0.0-2.fc39

Intuitive find & replace CLI. * Painless regular expressions sd uses regex syntax that you already know from JavaScript and Python. Forget about dealing with quirks of sed or awk - get productive immediate ly. * String-literal mode Non-regex find & replace. No more backslashes or...

[SECURITY] Fedora 39 Update: rust-resctl-bench-2.2.5-3.fc39

resctl-bench is a collection of whole-system benchmarks to evaluate resource control and hardware behaviors using realistic simulated workloads. Comprehensive resource control involves the whole system. Furthermore, test ing resource control end-to-end requires scenarios involving realistic...

[SECURITY] Fedora 39 Update: rust-python-launcher-1.0.0-12.fc39

The Python Launcher for Unix. Launch your Python interpreter the lazy/smart way! This launcher is an implementation of the py command for Unix-based platfor ms. The goal is to have py become the cross-platform command that Python users typically use to launch an interpreter while doing...

[SECURITY] Fedora 39 Update: rust-lsd-1.1.2-3.fc39

An ls command with a lot of pretty colors and some other...

[SECURITY] Fedora 39 Update: rust-names-0.14.0-2.fc39

A random name generator with names suitable for use in container instances, project names, application instances,...

[SECURITY] Fedora 39 Update: rust-lino-0.10.0-9.fc39

A command line text editor with notepad like key...

[SECURITY] Fedora 39 Update: rust-desed-1.2.1-4.fc39

Sed script debugger. Debug and demystify your sed scripts with TUI...

[SECURITY] Fedora 39 Update: rust-cpc-1.9.3-3.fc39

Evaluates math expressions, with support for units and conversion between...

[SECURITY] Fedora 39 Update: rust-bat-0.24.0-5.fc39

A cat(1) clone with...

[SECURITY] Fedora 39 Update: ntpd-rs-1.1.2-2.fc39

Full-featured implementation of NTP with NTS...

[SECURITY] Fedora 39 Update: rust-asahi-wifisync-0.2.0-3.fc39

A tool to sync Wifi passwords with macos on ARM...

[SECURITY] Fedora 39 Update: rust-asahi-btsync-0.2.0-3.fc39

A tool to sync Bluetooth pairing keys with macos on ARM...

[SECURITY] Fedora 39 Update: maturin-1.5.1-2.fc39

Build and publish crates with pyo3, rust-cpython and cffi bindings as well as rust binaries as python...

[SECURITY] Fedora 39 Update: loupe-45.3-2.fc39

An image viewer application written with GTK 4, Libadwaita and Rust. Features: - Fast GPU accelerated image rendering with tiled rendering for SVGs - Extendable and sandboxed (expect SVG) image decoding - Support for more than 15 image formats by default - Extensive support for touchpad and...

Malicious code in stablecoin-evm (npm)

This package is considered malicious because it communicates with a domain associated with malicious activity and the package executes one or more commands associated with malicious...

Malicious code in xloportailcfn (npm)

This package is considered malicious because it communicates with a domain associated with malicious activity and the package executes one or more commands associated with malicious...

Explore AI-Driven Cybersecurity with Trend Micro, Using NVIDIA NIM

Discover Trend Micro's integration of NVIDIA NIM to deliver an AI-driven cybersecurity solution for next-generation data centers. Engage with experts, explore demos, and learn strategies for securing AI data centers and optimizing cloud...

Ticketmaster confirms customer data breach

Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach. In a filing with the SEC, Live Nation said on May 20th it identified "unauthorized activity within a third-party cloud database environment containing Company...