14 matches found

RedHat Linux (added 2026/04/23 4:40 p.m., 4 views)

python: Python: Command-line option injection in webbrowser.open() via crafted URLs

A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...

CVSS 7 | AI score 6 | EPSS 0.00015 | Exploits 0 | References 7

CNNVD (added 2026/03/20 12:0 a.m., 2 views)

CPython Security Vulnerability

CPython is a Python interpreter implemented in C language by the Python Foundation. CPython has a security vulnerability that stems from the webbrowser.open API accepting leading dashes in URLs. This could allow certain web browsers to treat these URLs as command-line options, resulting in securi...

CVSS 7 | AI score 6.7 | EPSS 0.00015 | Exploits 0 | References 6

RedhatCVE (added 2025/05/23 6:1 a.m., 1 view)

CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 | AI score 8.3 | EPSS 0.52087 | Exploits 2 | References 1

OSV (added 2024/03/06 10:56 a.m., 31 views)

BIT-MINIO-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 | AI score 8.6 | EPSS 0.52087 | Exploits 2 | References 5

OSV (added 2023/09/05 3:45 p.m., 27 views)

GHSA-2PXW-R47W-4P8C Privilege Escalation on Linux/MacOS

Impact: An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3::: permission, as well as enabled Console API access. Patches: commit...

CVSS 8.8 | AI score 8.7 | EPSS 0.52087 | Exploits 2 | References 6

Github Security Blog (added 2023/09/05 3:45 p.m., 29 views)

Privilege Escalation on Linux/MacOS

Impact: An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3::: permission, as well as enabled Console API access. Patches: commit...

CVSS 8.8 | AI score 6.9 | EPSS 0.52087 | Exploits 2 | References 6 | Affected Software 1

Veracode (added 2023/03/28 7:2 a.m., 75 views)

Privilege Escalation

github.com/minio/minio is vulnerable to Privilege Escalation. An attacker is able to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To achieve this, the attacker needs credentials with arn:aws:s3::: permission and...

CVSS 8.8 | AI score 8.2 | EPSS 0.52087 | Exploits 2 | References 3 | Affected Software 1

NVD (added 2023/03/22 9:15 p.m., 28 views)

CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 | AI score 8.7 | EPSS 0.52087 | Exploits 2 | References 4

OSV (added 2023/03/22 9:15 p.m., 0 views)

UBUNTU-CVE-2023-28434

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 | AI score 7.2 | EPSS 0.52087 | Exploits 2 | References 6

Cvelist (added 2023/03/22 8:44 p.m., 30 views)

CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 | AI score 8.7 | EPSS 0.52087 | Exploits 2 | References 3

OSV (added 2023/03/22 8:44 p.m., 25 views)

CVE-2023-28434 MinIO is vulnerable to privilege escalation on Linux/MacOS

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials wit...

CVSS 8.8 | AI score 8.4 | EPSS 0.52087 | Exploits 2 | References 6

FreeBSD (added 2021/01/29 12:0 a.m., 18 views)

minio -- Server Side Request Forgery

Minio developers report: Thanks to @phith0n from our community upon a code review, discovered an SSRF (Server Side Request Forgery) in our Browser API implementation. We have not observed this report/attack in the wild or reported elsewhere in the community at large. All users are advised to upgrad...

AI score 0.6 | Exploits 0 | References 1

RedhatCVE (added 2019/04/04 7:50 a.m., 24 views)

CVE-2018-18497

Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This...

CVSS 6.5 | AI score 2.9 | EPSS 0.00204 | Exploits 0 | References 2

Cvelist (added 2019/02/28 6:0 p.m., 17 views)

CVE-2018-18497

Limitations on the URIs allowed to WebExtensions by the browser.windows.create API can be bypassed when a pipe in the URL field is used within the extension to load multiple pages as a single argument. This could allow a malicious WebExtension to open privileged about: or file: locations. This...

AI score 6.8 | EPSS 0.00204 | Exploits 0 | References 4