EUVD-2023-25488

Malicious code in bioql PyPI...

CVE-2023-21320

In Device Policy, there is a possible way to verify if a particular admin app is registered on the device due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

Citrix Virtual Apps and Desktops - Unable to EDIT Published DualAdmin APP-V application in WebStudio

Admin cannot edit some of the published applications. Affected applications: Dual Admin APP-V Applications Error displayed: More details: Action Name: APPApplicationPropertiesException: StudioErrorId : UnknownError Error Source : CitrixAppVService Sdk Error Message : Cannot process command becaus...

A week in security (June 17 – June 23)

Last week on Malwarebytes Labs: Microsoft Recall delayed after privacy and security concerns Almost everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13 43% of couples experience pressure to share logins and locations,...

Cross site scripting

A vulnerability, which was classified as problematic, was found in SourceCodester Petrol Pump Management Software 1.0. Affected is an unknown function of the file /admin/app/profilecrud.php. The manipulation of the argument username leads to cross site scripting. It is possible to launch the atta...

Petrol Pump Management Software Code Issue Vulnerability

Petrol Pump Management Software is a gasoline pump management software by mayurik individual developer. A code issue vulnerability exists in Petrol Pump Management Software version 1.0, which stems from an unrestricted upload issue in the /admin/app/product.php file...

PT-2023-29660 · Growi · Growi

Name of the Vulnerable Software and Affected Versions: GROWI versions prior to v3.5.0 Description: A stored cross-site scripting issue exists in the App Settings /admin/app page and the Markdown Settings /admin/markdown page. If exploited, an arbitrary script may be executed on the web browser of...

PT-2023-31487 · Growi · Growi

Name of the Vulnerable Software and Affected Versions: GROWI versions prior to v6.0.0 Description: A stored cross-site scripting issue exists in the App Settings /admin/app page, the Markdown Settings /admin/markdown page, and the Customize /admin/customize page. This could allow an arbitrary...

CVE-2023-21320

In Device Policy, there is a possible way to verify if a particular admin app is registered on the device due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

Malwarebytes Admin update: New Detection screens to manage threats!

We released version 1.2 of the Malwarebytes Admin app for iOS and Android last week, adding new Detection features make it easier to see and manage threats. Designed as a companion to the Nebula console, Malwarebytes Admin allows administrators to quickly review, investigate, and resolve security...

MSPM0L1306-HAL (>=0.1.0 <=0.1.6), a4 (>=0.0.1 <=0.0.4) +840 more potentially affected by unknown CVE via atomic-polyfill (=1.0.3)

atomic-polyfill CARGO version =1.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on atomic-polyfill and may be impacted: - MSPM0L1306-HAL =0.1.0, =0.0.1, =0.0.3, =0.23.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.4.1, =0.5.2 and more...

CVE-2020-36005

AppCMS 2.0.101 in /admin/app.php has an arbitrary file deletion vulnerability which allows attackers to delete arbitrary files on the site...

CVE-2019-2193

In WelcomeActivity.java and related files, there is a possible permissions bypass due to a partially provisioned Device Policy Client. This could lead to local escalation of privilege, leaving an Admin app installed with no indication to the user, with User execution privileges needed. User...

CVE-2018-3671

Escalation of privilege in Intel Saffron admin application before 11.4 allows an authenticated user to access unauthorized information...

Directory traversal

Directory traversal vulnerability in MetInfo 5.3.17 allows remote attackers to read information from any ini format file via the ffilename parameter in a fingerprintdo action to admin/app/physical/physical.php...

Android System Google Admin app exposed 0day vulnerabilities, can bypass the sandbox-vulnerability warning-the black bar safety net

MWR Labs researchers discovered a 0day vulnerability exists in the Android system of the Google Admin app to handle some URL in the way that, by the vulnerability the attacker can bypass the Android sandbox mechanism. The vulnerability principle For the Google Android security team, this month is...

Android Zero Day in Admin App Can Bypass Sandbox

The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox. The...