Lucene search
K

99 matches found

The Hacker News
The Hacker News
added 2024/07/08 3:42 p.m.35 views

New APT Group "CloudSorcerer" Targets Russian Government Entities

A previously undocumented advanced persistent threat APT group dubbed CloudSorcerer has been observed targeting Russian government entities by leveraging cloud services for command-and-control C2 and data exfiltration. Cybersecurity firm Kaspersky, which discovered the activity in May 2024, said...

7.5AI score
Exploits0
The Hacker News
The Hacker News
added 2024/05/03 12:35 p.m.13 views

Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control C&C infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of...

7.7AI score
Exploits0
Veracode
Veracode
added 2024/02/27 9:45 a.m.26 views

Information Disclosure

microsoft/microsoft-graph-core is vulnerable to Information Disclosure. The vulnerability is due to the inclusion of test code that enables the use of the phpInfo function, specifically through the GetPhpInfo.php script, which can expose sensitive system information if the server is misconfigured...

5.4CVSS6.9AI score0.02203EPSS
Exploits0References10Affected Software1
Snyk
Snyk
added 2024/01/02 10:45 p.m.3 views

Improper Authentication

Overview omniauth-microsoftgraph is an omniauth provider for new Microsoft Graph API. Affected versions of this package are vulnerable to Improper Authentication due to missing validation of the email attribute. An attacker can take over accounts by exploiting the trust placed in the email as a...

9.8CVSS6.7AI score0.00904EPSS
Exploits1References2
NVD
NVD
added 2024/01/02 10:15 p.m.59 views

CVE-2024-21632

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

9.8CVSS8.9AI score0.00904EPSS
Exploits1References3
Prion
Prion
added 2024/01/02 10:15 p.m.18 views

Information disclosure

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

7.5CVSS6.9AI score0.00904EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2024/01/02 9:54 p.m.4 views

CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

8.6CVSS9AI score0.00904EPSS
Exploits1References3
OSV
OSV
added 2024/01/02 9:54 p.m.33 views

CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

8.6CVSS8.9AI score0.00904EPSS
Exploits1References5
CVE
CVE
added 2024/01/02 9:54 p.m.83 views

CVE-2024-21632

The CVE-2024-21632 entry concerns omniauth-microsoft_graph, an Omniauth strategy for Microsoft Graph. Before version 2.0.0, it did not validate the user email attribute (nor provided an option to do so), exposing risk of nOAuth misconfiguration when email is used as a trusted user identifier and ...

9.8CVSS9.2AI score0.00904EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2024/01/02 9:54 p.m.65 views

CVE-2024-21632 omniauth-microsoft_graph vulnerable to account takeover (nOAuth)

omniauth-microsoftgraph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases...

8.6CVSS9.6AI score0.00904EPSS
Exploits1References3
CNNVD
CNNVD
added 2024/01/02 12:0 a.m.6 views

Omniauth::MicrosoftGraph License Issues Vulnerability

Omniauth::MicrosoftGraph is an Omniauth policy for the Microsoft Graph Api from the individual developer Peter Philips. An authorization issue vulnerability exists in versions of Omniauth::MicrosoftGraph prior to 2.0.0, which stems from a failure to validate the legitimacy of a user's email...

9.8CVSS6.7AI score0.00904EPSS
Exploits1References4
Veracode
Veracode
added 2023/12/06 1:50 p.m.28 views

Information Disclosure

microsoft/microsoft-graph is vulnerable to Information Disclosure. The vulnerability exists in the phpinfo function of GetPhpInfo.php, allowing an attacker to access unauthorized system information such as configuration details, modules, and environment variables. This vulnerability is only...

5.4CVSS6.5AI score0.02203EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2023/12/05 11:15 p.m.27 views

CVE-2023-49283

microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...

5.4CVSS0.02203EPSS
Exploits0References5
Prion
Prion
added 2023/12/05 11:15 p.m.23 views

Design/Logic Flaw

msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The...

5CVSS6.9AI score0.02203EPSS
Exploits0References5Affected Software1
Prion
Prion
added 2023/12/05 11:15 p.m.37 views

Design/Logic Flaw

microsoft-graph-core the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...

5CVSS7AI score0.02203EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2023/12/05 10:57 p.m.20 views

GHSA-7MC6-X925-7QVX Test code in published microsoft-graph-beta package exposes phpinfo()

Impact The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php. The phpInfo function exposes system...

5.3CVSS8.6AI score0.78428EPSS
Exploits5References7
Github Security Blog
Github Security Blog
added 2023/12/05 10:57 p.m.57 views

Test code in published microsoft-graph-beta package exposes phpinfo()

Impact The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php. The phpInfo function exposes system...

10CVSS6.2AI score0.78428EPSS
Exploits5References7Affected Software1
OSV
OSV
added 2023/12/05 10:46 p.m.58 views

GHSA-MHHP-C3CM-2R86 Test code in published microsoft-graph-core package exposes phpinfo()

Impact The Microsoft Graph Core PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The phpInfo function exposes system...

5.4CVSS7.5AI score0.78428EPSS
Exploits5References9
Github Security Blog
Github Security Blog
added 2023/12/05 10:46 p.m.67 views

Test code in published microsoft-graph-core package exposes phpinfo()

Impact The Microsoft Graph Core PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The phpInfo function exposes system...

10CVSS6.2AI score0.78428EPSS
Exploits5References9Affected Software1
OSV
OSV
added 2023/12/05 10:46 p.m.44 views

GHSA-CGWQ-6PRQ-8H9Q Test code in published microsoft-graph package exposes phpinfo()

Impact The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The phpInfo function exposes system information. The...

5.4CVSS7.4AI score0.02203EPSS
Exploits0References8
Rows per page
Query Builder