7703 matches found

CNNVD
added 2024/01/22 12:00 a.m. · 3 views

a-blog cms security breach

a-blog cms is a Japanese content management system (CMS). A security vulnerability exists in a-blog cms, which stems from a relative path traversal vulnerability that could allow an attacker to delete arbitrary files on the server...

CVSS 8.1 · AI score 6.8 · EPSS 0.00749
Exploits 0 · References 4
Japan Vulnerability Notes
added 2024/01/22 12:00 a.m. · 67 views

JVN#34565930: Multiple vulnerabilities in a-blog cms

a-blog cms provided by appleple inc. contains multiple vulnerabilities listed below. Improper input validation (CWE-20) - CVE-2024-23180

Version | Vector | Score
---|---|---
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | Base Score: 3.5
CVSS v2 | AV:N/AC:M/Au:S/C:N/I:P/A:N | Base Score: 3.5

...

CVSS 8.8 · AI score 7.2 · EPSS 0.00918
Exploits 0
wpexploit
added 2024/01/22 12:00 a.m. · 120 views

Popup Box Pro < 7.9.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Create/edit a new popup and add the following payload in the Custom Content: alert1; Save,...

AI score 5.9 · EPSS 0.0048
Exploits 3
wpexploit
added 2024/01/22 12:00 a.m. · 136 views

Popup Box Pro < 20.9.0 - Admin+ Stored XSS

Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Create/edit a new popup and add the following payload in the Custom Content: alert1; Save,...

AI score 5.9 · EPSS 0.0048
Exploits 3
Github Security Blog
added 2024/01/19 8:37 p.m. · 34 views

github.com/argoproj/argo-cd Cross-Site Request Forgery vulnerability

Impact: The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.16 is vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user in...

CVSS 8.3 · AI score 6.9 · EPSS 0.00386
Exploits 1 · References 9 · Affected Software 2
Prion
added 2024/01/17 9:15 p.m. · 20 views

Design/Logic Flaw

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the /user/ page allows a user's comments to execute arbitrary JavaScript code. The HTML template user.html contains the following code snippet to render comments made by a user: comment2|safe. Use of the "safe" tag...

CVSS 4.9 · AI score 7.8 · EPSS 0.00409
Exploits 1 · References 1 · Affected Software 1
Spring Security Advisories
added 2024/01/16 12:00 a.m. · 21 views

This Week in Spring - January 16th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the 16th of January already! We're closer to February than not! I can hardly believe it. As always, we've got a lot to cover, so let's dive right into it. The Spring Authorization Server 1.3.0-M1 is now available. This is...

AI score 7.2
Exploits 0
Vulnrichment
added 2024/01/15 3:10 p.m. · 4 views

CVE-2023-5905 DeMomentSomTres WordPress Export Posts With Images <= 20220825 - Subscriber+ unauthorized data export

The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged-in user, such as subscribers, to export the contents of the blog, including restricted and unpublished posts, as well as...

AI score 7.9 · EPSS 0.00579
Exploits 2 · References 1
Schneier on Security
added 2024/01/15 12:09 p.m. · 12 views

Voice Cloning with Very Short Samples

New research demonstrates voice cloning, in multiple languages, using samples ranging from one to twelve seconds. Research paper...

AI score 7.3
Exploits 0
Akamai Blog
added 2024/01/12 3:00 p.m. · 9 views

Akamai’s Perspective on January’s Patch Tuesday 2024

...

AI score 7
Exploits 0
Akamai Blog
added 2024/01/11 8:23 p.m. · 11 views

Noname Security Platform Updates: 3.25 Release

...

AI score 7.3
Exploits 0
Akamai Blog
added 2024/01/10 3:00 p.m. · 8 views

You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance

...

AI score 7
Exploits 0
Akamai Blog
added 2024/01/10 10:20 a.m. · 2 views

Make Git Your Single Source of Truth for Application and Infrastructure Delivery

...

AI score 7
Exploits 0
CNNVD
added 2024/01/10 12:00 a.m. · 3 views

Mandelo ssm_shiro_blog Access Control Error Vulnerability

ssm_shiro_blog is a blogging system by the individual developer Mandelo. An access control error vulnerability exists in Mandelo ssm_shiro_blog version 1.0, which stems from the presence of an unknown function in updateRoles in the component Backend, leading to incorrect access control...

CVSS 7.5 · AI score 6.8 · EPSS 0.00647
Exploits 1 · References 4
Positive Technologies
added 2024/01/09 12:00 a.m. · 3 views

PT-2024-15491 · Unknown · Mandelo Ssm Shiro Blog

Name of the Vulnerable Software and Affected Versions: Mandelo ssm shiro blog version 1.0. Description: A vulnerability has been found in the file updateRoles of the component Backend, leading to improper access controls. The manipulation of this vulnerability can be used to exploit the issue...

CVSS 7.5 · AI score 7 · EPSS 0.00647
Exploits 1 · References 6
NVD
added 2024/01/08 7:15 p.m. · 12 views

CVE-2023-5235

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the...

CVSS 8.8 · AI score 8.8 · EPSS 0.0056
Exploits 1 · References 1
OSV
added 2024/01/08 7:15 p.m. · 3 views

CVE-2023-5235

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the...

CVSS 8.8 · AI score 5.8 · EPSS 0.0056
Exploits 1 · References 1
Vulnrichment
added 2024/01/08 7:00 p.m. · 18 views

CVE-2023-5235 Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the...

AI score 7.3 · EPSS 0.0056
Exploits 1 · References 1
Schneier on Security
added 2024/01/05 10:05 p.m. · 13 views

Friday Squid Blogging—18th Anniversary Post: New Species of Pygmy Squid Discovered

They're the Ryukyuan pygmy squid Idiosepius kijimuna and Hannan's pygmy squid Kodama jujutsu. The second one represents an entirely new genus. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. And, yes, this is the eighteenth anniversary of...

AI score 7.4
Exploits 0
Schneier on Security
added 2024/01/05 12:07 p.m. · 16 views

Improving Shor’s Algorithm

We don't have a useful quantum computer yet, but we do have quantum algorithms. Shor's algorithm has the potential to factor large numbers faster than otherwise possible, which, if the run times are actually feasible, could break both the RSA and Diffie-Hellman public-key algorithms. Now, computer...

AI score 7.2
Exploits 0