6680 matches found

CVE
added 2021/08/03 6:12 p.m. · 66 views

CVE-2021-33321

CVE-2021-33321 affects Liferay Portal 6.2.3–7.3.2 and Liferay DXP before 7.3. The root cause is an insecure default configuration: the portal property login.secure.forgot.password should be defaulted to true but is not, which allows remote attackers to enumerate user email addresses via the forgot-password...

CVSS 7.5 | AI score 7.6 | EPSS 0.01422
Exploits 0 | References 2 | Affected Software 2
ATTACKERKB
added 2021/08/03 12:00 a.m. · 119 views

PEEL-CSRF

The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against unauthenticated functionality. This is unlikely to constitute a security vulnerability in its own right; however, it may facilitate the exploitation of other vulnerabilities affecting application users. The...

AI score 3 | EPSS 0.05161
Exploits 2 | References 1
Prion
added 2021/08/02 1:15 p.m. · 24 views

Default credentials

An insecure permissions issue was discovered in the HMI3 Control Panel in the Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. A user logged in with the default credentials can gain root access to the device, which provides permissions for all of t...

CVSS 10 | AI score 9.5 | EPSS 0.01737
Exploits 0 | References 4 | Affected Software 1
Positive Technologies
added 2021/08/02 12:00 a.m. · 6 views

PT-2021-7768 · 3S Smart Software Solutions · Codesys Development System

Name of the vulnerable software and affected versions: CODESYS Development System versions 3.5.16 through 3.5.17. Description: An unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality. This vulnerability can be triggered by a specially...

CVSS 8.8 | AI score 8.3 | EPSS 0.01671
Exploits 1 | References 10
OSV
added 2021/07/27 11:46 a.m. · 5 views

SUSE-SU-2021:2478-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.12.0 ESR. Fixed: Various stability, functionality, and security fixes (MFSA 2021-29, bsc#1188275). CVE-2021-29970: Use-after-free in accessibility features of a document. CVE-2021-30547: Out of bounds write in...

CVSS 8.8 | AI score 9.5 | EPSS 0.03582
Exploits 1 | References 5
Github Security Blog
added 2021/07/26 9:23 p.m. · 74 views

Cross-site scripting in anchorme

All versions of package anchorme are vulnerable to Cross-site Scripting (XSS) via the main functionality...

CVSS 6.1 | AI score 4.1 | EPSS 0.01164
Exploits 1 | References 6 | Affected Software 1
OSV
added 2021/07/26 9:23 p.m. · 6 views

GHSA-W4WQ-RVMQ-77X7 Cross-site scripting in anchorme

All versions of package anchorme are vulnerable to Cross-site Scripting (XSS) via the main functionality...

CVSS 5.4 | AI score 6.4 | EPSS 0.01164
Exploits 1 | References 5
WPVulnDB
added 2021/07/24 12:00 a.m. · 17 views

M-vSlider <= 2.1.3 - Authenticated (admin+) SQL Injection

The update functionality in the rsliderpage uses an rsid POST parameter which is not validated, sanitised or escaped before being inserted into an SQL query, leading to SQL injection for users with the Administrator role. PoC: POST /wp-admin/admin.php?page=rsliderpage=true HTTP/1.1 Host:...

CVSS 6.5 | AI score 7.3 | EPSS 0.01547
Exploits 2 | References 1 | Affected Software 1
Prion
added 2021/07/23 4:15 p.m. · 13 views

Command injection

All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization...

CVSS 7.5 | AI score 9.8 | EPSS 0.04025
Exploits 1 | References 3 | Affected Software 1
RustSec
added 2021/07/22 12:00 p.m. · 16 views

`better-macro` has deliberate RCE to prove a point

better-macro is a fake crate which is "Proving A Point" that proc-macros can run arbitrary code. This is not a particularly novel or interesting observation. It currently opens https://github.com/raycar5/better-macro/blob/master/doc/hi.md which doesn't appear to have any malicious content, but...

CVSS 9.8 | AI score 1.3 | EPSS 0.02567
Exploits 1 | Affected Software 1
OSV
added 2021/07/22 12:00 p.m. · 22 views

RUSTSEC-2021-0077 `better-macro` has deliberate RCE to prove a point

better-macro is a fake crate which is "Proving A Point" that proc-macros can run arbitrary code. This is not a particularly novel or interesting observation. It currently opens https://github.com/raycar5/better-macro/blob/master/doc/hi.md which doesn't appear to have any malicious content, but...

CVSS 9.8 | AI score 9.4 | EPSS 0.02567
Exploits 1 | References 3
Cvelist
added 2021/07/22 12:00 a.m. · 40 views

CVE-2021-32786 Open Redirect in oidc_validate_redirect_url()

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, oidc_validate_redirect_url() does not parse URLs the same way as most browsers...

CVSS 4.7 | AI score 6.6 | EPSS 0.02364
Exploits 1 | References 9
Hacker One
added 2021/07/21 3:44 p.m. · 25 views

Stripe: Without verifying email and activating account, user can perform all actions which are not supposed to be done

A researcher discovered that it was possible to access a subset of livemode dashboard functionality without verifying the account's email address. The livemode functionality in question was disabled in the UI, but could be accessed on the backend. Following this report, Stripe performed an intern...

AI score 6.5
Exploits 0
The Hacker News
added 2021/07/21 1:27 p.m. · 55 views

Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers

A software package available from the official NPM repository has been revealed to actually be a front for a tool designed to steal saved passwords from the Chrome web browser. The package in question, named "nodejs_net_server" and downloaded over 1,283 times since February 2019, was last...

AI score 7.8
Exploits 0
Code423n4
added 2021/07/21 12:00 a.m. · 9 views

Broken access control leads to protocol functionality freeze

Handle: 0xRajeev. Vulnerability details. Impact: The contracts use an access control pattern where the contract deployer is included in the onlyDAO modifier, which is used for authorized access to critical functions. Such contracts also include a purgeDeployer function which renounces sets to...

AI score 7
Exploits 0
CNVD
added 2021/07/20 12:00 a.m. · 20 views

IBM Jazz Foundation Cross-Site Scripting Vulnerability (CNVD-2021-53334)

A cross-site scripting vulnerability exists in IBM Jazz Foundation, a next-generation collaboration platform for software delivery technologies. It stems from the system allowing users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality, which could be used b...

CVSS 5.4 | AI score 3 | EPSS 0.00495
Exploits 0 | References 1
OSV
added 2021/07/19 7:01 a.m. · 9 views

SUSE-SU-2021:2393-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.12.0 ESR. Fixed: Various stability, functionality, and security fixes (MFSA 2021-29, bsc#1188275). CVE-2021-29970 (bmo#1709976): Use-after-free in accessibility features of a document. CVE-2021-30547 (bmo#1715766):...

CVSS 8.8 | AI score 9.5 | EPSS 0.03582
Exploits 1 | References 5
OPENSUSE Linux
added 2021/07/19 12:00 a.m. · 87 views

Security update for MozillaFirefox (important)

openSUSE Security Update: Security update for MozillaFirefox. Announcement ID: openSUSE-SU-2021:2393-1. Rating: important. References: 1188275. Cross-References: CVE-2021-29970, CVE-2021-29976, CVE-2021-30547. CVSS scores: CVE-2021-30547 (NVD): 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Affected...

CVSS 8.8 | AI score 9.2 | EPSS 0.03582
Exploits 1 | References 1
OpenVAS
added 2021/07/19 12:00 a.m. · 20 views

Huawei EulerOS: Security Advisory for binutils (EulerOS-SA-2021-2212)

The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. ifdescription...

AI score 6.3
Exploits 0 | References 2
UbuntuCve
added 2021/07/18 4:15 a.m. · 18 views

CVE-2021-36773

uBlock Origin before 1.36.2 and uMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion) that can trigger memory consumption and a loss of all blocking functionality...

CVSS 7.5 | AI score 7.1 | EPSS 0.01261
Exploits 1 | References 2