CVE-2023-25074 Competency access levels not enforced in the server

Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 MR1, vEL8.80 prior to vEL8.80.1192 MR2, vEL8.70 prior to vEL8.70.2185 MR4, vEL8.60 prior to...

CVE-2023-22428

Improper privilege validation in Command Centre Server allows authenticated operators to modify Division lineage. This issue affects Command Centre: vEL8.80 prior to vEL8.80.1192 MR2, vEL8.70 prior to vEL8.70.2185 MR4, vEL8.60 prior to vEL8.60.2347 MR6, vEL8.50 prior to vEL8.50.2831MR8, vEL8.40 a...

abi-ds-utils (=1.0.1), acceldata-o2a (=1.0.0) +231 more potentially affected by CVE-2023-22888 via apache-airflow (>=1.10.1 <=2.5.3)

apache-airflow PYPI version =1.10.1, =0.8.44.4, =1.4.0.3.post4, =1.4.0.3.post3, =0.1.0rc3, =0.1.0, =0.2.9b1, =1.0.7, =0.4.0, =0.1.0a1, =0.5.1, =0.1.1, =0.1.1, =1.10.6 and more Source cves: CVE-2023-22888 Source advisory: OSV:GHSA-5946-8P38-VFFP...

Dark Web Genesis Market for Sale: Operators Seek Buyers for Defunct Enterprise

By Habiba Rashid Who would buy Genesis Market, which some speculate to be an FBI honeypot operation? This is a post from HackRead.com Read the original post: Dark Web Genesis Market for Sale: Operators Seek Buyers for Defunct Enterprise...

DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors

The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security...

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million

Cybersecurity researchers have exposed the workings of a scam ring called CryptosLabs that's estimated to have made €480 million in illegal profits by targeting users in French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate's massive fake investment scheme...

An Overview of the Different Versions of the Trigona Ransomware

The Trigona ransomware is a relatively new ransomware family that began activities around late October 2022 — although samples of it existed as early as June 2022. Since then, Trigona’s operators have remained highly active, and in fact have been continuously updating their ransomware binaries...

Sql injection

Xibo is a content management system CMS. An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the nameFilter function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafte...

CVE-2023-33179 Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter

Xibo is a content management system CMS. An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the nameFilter function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafte...

Incorrect shift in assembly

Lines of code Vulnerability details Impact Shift operators shlx, y, shrx, y, sarx, y in Solidity assembly apply the shift operation of x bits on y and not the other way around, which may be confusing. Check if the values in a shift operation are reversed. Proof of Concept File:...

Cyberweapons Manufacturer QuaDream Shuts Down

Following a report on its activities, the Israeli spyware company QuaDream has shut down. This was QuadDream: Key Findings Based on an analysis of samples shared with us by Microsoft Threat Intelligence, we developed indicators that enabled us to identify at least five civil society victims of...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-41903]

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git caused by an integer overflow when processing the padding operators CVE-2022-41903. Git is included as part of the Base OS used by our service images. Please read the details f...

bootloader doesn't add tighter gas limit to the IAccount.validateTransaction call

Lines of code Vulnerability details Impact As mentioned in the competition details: Important, while the bootloader is out of scope, we may reward an additional bounty for valid bugs found in it by our judgement! As mentioned in the dev document, , there are some limitations of the verification a...

Denial Of Service (DoS)

modsecurity-crs:buster is vulnerable to Denial of Service DoS attacks. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with nested repetition operators...

K04713734: BIND vulnerability CVE-2018-5741

Security Advisory Description To provide fine-grained controls over the ability to use Dynamic DNS DDNS to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the ke...

SUSE CVE-2017-6441

The zvalgetlongfuncex in Zend/zendoperators.c in PHP 7.1.2 allows attackers to cause a denial of service NULL pointer dereference and application crash via crafted use of "declareticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do n...

SUSE CVE-2018-18073

Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object...

SUSE CVE-2019-3839

It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Ghostscrip...

SUSE CVE-2019-6116

In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution...

SUSE CVE-2019-11387

An issue was discovered in OWASP ModSecurity Core Rule Set CRS through 3.1.0. /rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf allows remote attackers to cause a denial of service ReDOS by entering a specially crafted string with nested repetition operators...