194 matches found
Microsoft Edge (Chromium) < 118.0.2088.46 Multiple Vulnerabilities
The version of Microsoft Edge installed on the remote Windows host is prior to 118.0.2088.46. It is, therefore, affected by multiple vulnerabilities as referenced in the October 13, 2023 advisory. - Use after free in Site Isolation in Google Chrome prior to 118.0.5993.70 allowed a remote attacker...
Account takeover via password reset
Description An attacker could predict all future password reset tokens due to the use of RandomStringUtils.randomAlphanumeric in PasswordService. An attacker could crack the random number generator RNG seed from a password reset token, then perform password resets on their and the victim’s...
Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain
Cisco Talos discovered 17 vulnerabilities 63 CVEs in the Milesight UR32L router and five vulnerabilities six CVEs in the Milesight MilesightVPN remote access solution software. An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN. This post...
IDOR 漏洞使得攻击者可以在一个组织内任意添加、删除、修改工作空间
Proof of Concept 1 系统中存在两个组织,team1和team2 2 用户user1是 team1 的管理员, 不是team2的管理员 3 用户1在team1中创建工作空间,名为workspace1. 4 用户1使用burpsuit拦截请求,在请求中将team1的ID换成team2的ID 5 查看请求,结果显示成功,用户1可以在team2中任意创建工作空间。 复现视频:https://1drv.ms/v/s!Avwg5C1eKVA4gispbgvOYQkvQ9KP?e=4yimBo...
GHSA-7X45-PHMR-9WQP Arbitrary file write in mindsdb when Extracting Tarballs retrieved from a remote location
Summary An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip variant. Details Unpacking files using the...
Arbitrary file write in mindsdb when Extracting Tarballs retrieved from a remote location
Summary An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip variant. Details Unpacking files using the...
CVE-2023-0460
The YouTube Embedded 1.2 SDK binds to a service within the YouTube Main App. After binding, a remote context is created with the flags Context.CONTEXTINCLUDECODE | Context.CONTEXTIGNORESECURITY. This allows the client app to remotely load code from YouTube Main App by retrieving the Main App’s...
GHSA-MHGM-52VG-PVVC Privilege escalation in Strongbox
Impact An attacker with read-only access to a Strongbox secret could craft a valid encrypted secret same id/version. It also makes the audit logs from KMS less useful. The issue is caused by a bug in the underlying AWS Encryption SDK. By default, the encrypted secrets are stored in DynamoDB and a...
Replayable signature in the mintReceipt function
Lines of code Vulnerability details Description In the mintReceipt function there is a check of the claimSignerAddress signature: if keccak256abi.encodePackedmsg.sender, questId != hash revert InvalidHash; if recoverSignerhash, signature != claimSignerAddress revert AddressNotSigned; The signatur...
Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen
The Imperva Red Team recently disclosed a vulnerability, dubbed CVE-2022-3656, affecting over 2.5 billion users of Google Chrome and Chromium-based browsers. This vulnerability allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials. Introduction Chrome is...
PT-2023-32992 · Phpxmlrpc · Phpxmlrpc
Name of the Vulnerable Software and Affected Versions: phpxmlrpc affected versions not specified Description: The issue can be exploited when specific methods such as Wrapper::buildClientWrapperCode, Wrapper::wrapXmlrpcServer, Wrapper::wrapXmlrpcMethod, or Wrapper::buildWrapMethodSource are used...
Unsigned tokenGasPriceFactor parameter
Lines of code Vulnerability details Description For the calculation of the amount of the token to be paid to the relayer tokenGasPriceFactor value is used. The corresponding logic is the following: payment = gasUsed + baseGas gasPrice / tokenGasPriceFactor; requiretransferTokengasToken, receiver,...
Griefing attacks on handleOps and multiSend logic
Lines of code Vulnerability details Description The handleOps function executes an array of UserOperation. If at least one user operation fails the whole transaction will revert. That means the error on one user ops will fully reverts the other executed ops. The multiSend function reverts if at...
GHSA-78M5-JPMF-CH7V GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Summary Unsafe extracting using shutil.unpackarchive from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. Details Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destination file path is...
GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Summary Unsafe extracting using shutil.unpackarchive from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination. Details Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destination file path is...
Unauthorized access to settings update, logs , history, delete etc of repositories
Hey, Attack Scenario: Admin setups new user with User privileges and gives access to repos "/" root directory, after a time due to some reason he revoke the privileges of the directory access but user privileged attacker can still edit settings , check logs and view history without having...
Approve front-running attack in DBR.sol
Lines of code Vulnerability details Impact An attacker could front-run an approve transaction to get an overall bigger amount approved. Proof of Concept This is the approve function of the DBR token. function approveaddress spender, uint256 amount public virtual returns bool...
Chat Bubble < 2.3 - Unauthenticated Stored Cross-Site Scripting
The plugin does not sanitise and escape some contact parameters, which could allow unauthenticated attackers to set Stored Cross-Site Scripting payloads in them, which will trigger when an admin view the related contact message PoC Setup: - In the General Settings of the plugin, check the "Show...
Injection into the mintlist merkle tree
Lines of code Vulnerability details Description There is claimGobbler function in ArtGobblers contract. It accepts proof as an array of bytes32 values and uses such a proof for the check whether msg.sender is available to claim a gobbler. But there is no check on the length of the proof, so it is...
Virual defacement allows attacker to display any message of his choice
Description This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is...