CVE-2023-37250
Unity Parsec has a TOCTOU race condition that permits local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per User" mode. The application intentionally launches DLLs from a user-owned directory but intended to always perform integrity verification of those DLLs. This...
CVE-2023-37250
Unity Parsec includes a TOCTOU race condition that allows a local attacker to escalate to SYSTEM when installed in per-user mode. The issue arises from loading DLLs from a user-owned directory without guaranteed integrity verification. Affected: Parsec Loader up to version 8; Parsec Loader 9 fixe...
PT-2023-25855 · Unity · Unity Parsec
Name of the Vulnerable Software and Affected Versions: Unity Parsec versions prior to 9; Parsec Loader versions prior to 9. Description: The issue is a Time-of-check-to-time-of-use (TOCTOU) race condition that allows local attackers to escalate privileges to SYSTEM if Parsec was installed in "Per Use...
China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons
An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems. Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze...
Cross-site Scripting (XSS)
external-svg-loader is vulnerable to Cross-site Scripting XSS. The vulnerability exists due to the lack of input sanitization in the renderBody function of svg-loader.js, which allows an attacker to inject and execute malicious JavaScript through a maliciously crafted SVG...
Siemens EFI Boot Guard Code Execution Vulnerability
Siemens EFI Boot Guard is a simple UEFI boot loader from Siemens Germany. A code execution vulnerability exists in Siemens EFI Boot Guard versions prior to 0.15, which stems from insufficient input validation and cleanup, and can be exploited by an attacker to execute arbitrary code in privileged...
@maggioli-design-system/mds-icon (=2.0.0-rc.1), esto-es-una-prueba-ui-components (=1.0.0) potentially affected by CVE-2023-40013 via external-svg-loader (>=1.4.0 <=1.6.8)
external-svg-loader NPM versions >=1.4.0 <=1.6.8 are affected by a known vulnerability. The following packages have a transitive dependency on external-svg-loader and may be impacted: - @maggioli-design-system/mds-icon =2.0.0-rc.1 - esto-es-una-prueba-ui-components =1.0.0 Source cves: CVE-2023-40013...
GHSA-XC2R-JF2X-GJR8 external-svg-loader Cross-site Scripting vulnerability
Summary According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS. Details When trying to...
CVE-2023-40013
SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivial...
UBUNTU-CVE-2023-39950
efibootguard is a simple UEFI boot loader with support for safely switching between current and updated partition sets. Insufficient or missing validation and sanitization of input from untrustworthy bootloader environment files can cause crashes and probably also code injections into bgsetenv or...
CVE-2023-39950
Technical details for CVE-2023-39950 are not publicly available in the provided documents. Monitor for updates from vendors and security advisories.
CVE-2023-40013
CVE-2023-40013 affects the external-svg-loader / SVG Loader JS library. The vulnerability arises from insufficient input sanitization when injecting fetched SVGs, allowing crafted SVGs to bypass sanitization and trigger Cross-site Scripting (XSS). Affected behavior: external sites that accept use...
CVE-2023-40013 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in external-svg-loader
SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivial...
MAL-2023-1465 Malicious code in ynf-core-loader (npm)
Per source details. Source: ghsa-malware 448630b3766e8205c4a13bc9ba0261d3683efc228644c118134e4262037c3219. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...