99 matches found
New APT Group "CloudSorcerer" Targets Russian Government Entities
A previously undocumented advanced persistent threat APT group dubbed CloudSorcerer has been observed targeting Russian government entities by leveraging cloud services for command-and-control C2 and data exfiltration. Cybersecurity firm Kaspersky, which discovered the activity in May 2024, said...
Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications
Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control C&C infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of...
Information Disclosure
microsoft/microsoft-graph-core is vulnerable to Information Disclosure. The vulnerability is due to the inclusion of test code that enables the use of the phpInfo function, specifically through the GetPhpInfo.php script, which can expose sensitive system information if the server is misconfigured...
Improper Authentication
Overview omniauth-microsoftgraph is an omniauth provider for new Microsoft Graph API. Affected versions of this package are vulnerable to Improper Authentication due to missing validation of the email attribute. An attacker can take over accounts by exploiting the trust placed in the email as a...
CVE-2024-21632
omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...
Information disclosure
omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...
CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)
omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...
CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)
omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...
CVE-2024-21632
The CVE-2024-21632 entry concerns omniauth-microsoft_graph, an Omniauth strategy for Microsoft Graph. Before version 2.0.0, it did not validate the user email attribute (nor provided an option to do so), exposing risk of nOAuth misconfiguration when email is used as a trusted user identifier and ...
CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)
omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...
Omniauth::MicrosoftGraph License Issues Vulnerability
Omniauth::MicrosoftGraph is an Omniauth policy for the Microsoft Graph Api from the individual developer Peter Philips. An authorization issue vulnerability exists in versions of Omniauth::MicrosoftGraph prior to 2.0.0, which stems from a failure to validate the legitimacy of a user's email...
Information Disclosure
microsoft/microsoft-graph is vulnerable to Information Disclosure. The vulnerability exists in the phpinfo function of GetPhpInfo.php, allowing an attacker to access unauthorized system information such as configuration details, modules, and environment variables. This vulnerability is only...
CVE-2023-49283
microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...
Design/Logic Flaw
msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The...
Design/Logic Flaw
microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...
GHSA-7MC6-X925-7QVX Test code in published microsoft-graph-beta package exposes phpinfo()
Impact The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php. The phpInfo function exposes system...
Test code in published microsoft-graph-beta package exposes phpinfo()
Impact The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php. The phpInfo function exposes system...
GHSA-MHHP-C3CM-2R86 Test code in published microsoft-graph-core package exposes phpinfo()
Impact The Microsoft Graph Core PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The phpInfo function exposes system...
Test code in published microsoft-graph-core package exposes phpinfo()
Impact The Microsoft Graph Core PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The phpInfo function exposes system...
GHSA-CGWQ-6PRQ-8H9Q Test code in published microsoft-graph package exposes phpinfo()
Impact The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The phpInfo function exposes system information. The...