119 matches found
CVE-2023-37265 Incorrect identification of source IP addresses in CasaOS
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification an unauthenticated attackers can execute arbitrary commands as root on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS...
You can expand your version of well in Aquifer.boreWell() with unpredictable results
Lines of code Vulnerability details Impact boreWell takes an implementation parameter. This parameter is not checked in any way. Thus, the user can pass any of his parameters and expand his well option. This can lead to unpredictable consequences. Proof of Concept 1. The user creates his own...
Malicious ad for USPS fishes for banking credentials
We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails. Threat actors continue to abuse a...
CVE-2023-27043
The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is...
CVE-2022-39355 Discourse Patreon vulnerable to improper validation of email during Patreon authentication
Discourse Patreon enables syncronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim's forum account. This vulnerability is patched in commit number...
The benefits of taking an intent-based approach to detecting Business Email Compromise
BEC is a multi-stage attack. Adversaries first identify targets, then they establish rapport with the victim before exploiting them for whatever their end goal is. In the case of BEC, a threat actor can impersonate any employee in the organization to trick targets. A policy that checks for...
nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...
USN-5617-1 xen vulnerabilities
It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use th...
nodejs-got: missing verification of requested URLs allows redirects to UNIX sockets
A flaw was found in the got package for node.js. Requested URLs are not verified and allow open redirection to a local UNIX socket...
GHSA-W8HX-F868-PVCH Openstack Neutron has Insufficient Verification of IPv6 addresses
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some...
Openstack Neutron has Insufficient Verification of IPv6 addresses
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some...
GHSA-3QH2-MCCC-Q5M6 Keycloak Open Redirect
A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack...
CVE-2021-39909
The CVE-2021-39909 entry concerns GitLab Enterprise Edition (EE) and describes a lack of email address ownership verification in the CODEOWNERS feature across affected lines: EE from 11.3 up to before 14.2.6, EE 14.3 up to before 14.3.4, and EE 14.4 up to before 14.4.1. This absence can allow an ...
CVE-2021-39909
Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE starting from 11.3 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 allows an attacker to bypass CODEOWNERS Merge Request approval...
CVE-2020-19767
A lack of target address verification in the destroycontract function of 0xRACER 1.0 allows attackers to steal tokens from victim users via a crafted script...
CVE-2020-19769
A lack of target address verification in the BurnMe function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script...
CVE-2020-19768
A lack of target address verification in the selfdestructs function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script...
CVE-2020-19768
A lack of target address verification in the selfdestructs function of ICOVO 1.0 allows attackers to steal tokens from victim users via a crafted script...
CVE-2020-19769
A lack of target address verification in the BurnMe function of Rob The Bank 1.0 allows attackers to steal tokens from victim users via a crafted script...
CVE-2020-19767
A lack of target address verification in the destroycontract function of 0xRACER 1.0 allows attackers to steal tokens from victim users via a crafted script...