2026 matches found
Insurance Management System SQL Injection Vulnerability
Insurance Management System is an insurance management system by the individual developer Angel Jude Reyes Suarez. Insurance Management System 1.0 is vulnerable to SQL injection, which could be exploited by attackers to obtain information about data in the target system...
bind: Lame cache can be abused to severely degrade resolver performance
A flaw was found in the way bind processes broken responses from authoritative servers. This caching mechanism could be abused by an attacker to significantly degrade resolver performance...
bluez: memory leak in the SDP protocol
BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object...
Glovo: Django debug enabled showing information about system, database, configuration files
Summary: Hi team, This subdomain pulpo.it.glovoint.com is a Django application running with debug mode turned on (DEBUG = True). One of the main features of debug mode is the display of detailed error pages to help developers. If your app raises an exception when DEBUG is True, Django will display...
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773
Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773 with details below Vulnerability Details CVEID: CVE-2022-23773 DESCRIPTION: An unspecified error with not treating branches with semantic-version names a...
Bad Actors Are Maximizing Remote Everything
The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of...
CVE-2021-41162 Cross-site Scripting in Combodo iTop
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to beta6 the ajax.render.php?operation=wizardhelper page did not properly escape the user supplied parameters, allowing for a cross site scripting attack vector. Users are advised to upgrade. There are no known...
libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c
There's a flaw in libxml2. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability...
Windows-Specific Relative Path Traversal vulnerability in StaticDir server
Description The fix released in version 0.19.1 does not completely fix the relative path traversal vulnerability on Windows hosts. An attacker can access files outside of the configured directory root. This is due to Windows supporting the \ character as a path separator. Proof of Concept With a...
madlib-object-utils Security Vulnerability
madlib-object-utils is an application. A set of utility functions for working with objects. A security vulnerability exists in madlib-object-utils that allows an attacker to merge object prototypes into it...
openSIS SQL Injection Vulnerability (CNVD-2022-85100)
Open Solutions For Education openSIS is an open source student information management system from Open Solutions For Education. openSIS version 8.0 has a SQL injection vulnerability that originates from the parameter studentid in /modules/eligibility/Student.php that can be used for SQL injection...
Samsung SMR Buffer Error Vulnerability
Samsung SMR is a system patch package from South Korea's Samsung. Samsung SMR contains a heap buffer overflow vulnerability that can be exploited by attackers to execute code...
Kraden: Found Origin IP's Lead To Access To kraden.com
Summary: Discovered that the kraden.com site exposed its Non-Cloudflare IP which could allow bypassing of anti-DDoS mechanisms. Description: Your origin servers are not blocking access from non-Cloudflare servers. This way crawlers can find your origin servers' IPs by checking random IPs until the...
Spring Framework RCE, Mitigation Alternative
Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78, all of which close the attack vector on Tomcat's side. While the vulnerability is not in...
CVE-2022-22963
A flaw was found in Spring Cloud Function via the spring.cloud.function.routing-expression header that is modified by the attacker to contain malicious expression language code. The attacker is able to call functions that should not normally be accessible, including runtime exec calls. Mitigation...
Google Android Security Vulnerability
Google Android is a Linux-based open-source operating system from the U.S. company Google. Google Android has a security vulnerability that stems from a lack of permission checks in the settings that can read Bluetooth device names without proper permissions, which can be used by attackers to obtain sensitive...
CVE-2022-27658
Under certain conditions, SAP Innovation management - version 2.0, allows an attacker to access information which could lead to information gathering for further exploits and attacks...
CVE-2022-25571
CVE-2022-25571 concerns Bluedon Information Security Technologies Co., Ltd. Internet Access Detector v1.0. The vulnerability is described as an information leak that allows attackers to access the contents of the password file via unspecified vectors. Documented impact notes refer to confidential...
Security Bulletin: Vulnerability in Apache Log4j affects IBM Netcool Performance Manager
Summary Apache-Log4j - CVE-2021-4104, Apache-Log4j - CVE-2022-23302, Apache-Log4j - CVE-2022-23305, Apache-Log4j - CVE-2022-23307 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|--- TNPM|...
How Web Applications Are Attacked Through APIs
Happy Pi Day, everyone! As a technician, pi is a number that represents a constant. This constant reflects the ongoing cyberthreats that put enterprise assets at continuous risk as digital transformation and the resultant attack surface grow in parallel. Whether it’s a simple identity theft hack...