Lucene search

3974 matches found

ThreatPost
added 2022/07/12 11:43 a.m. · 39 views

‘Callback’ Phishing Campaign Impersonates Security Firms

A new callback phishing campaign is impersonating prominent security companies to try to trick potential victims into making a phone call that will instruct them to download malware. Researchers at CrowdStrike Intelligence discovered the campaign because CrowdStrike is actually one of the...

AI score 7.3
Exploits 0 · References 7
CNNVD
added 2022/07/12 12:00 a.m. · 2 views

ArgoCD cross-site scripting vulnerability

Argo is an open source container-native workflow engine. ArgoCD is an application: a declarative GitOps continuous delivery tool for Kubernetes. It continuously monitors running applications and compares the current live state with the desired target state (e.g., configuration in a Git repository),...

CVSS 6.1 · AI score 5.6 · EPSS 0.00157
Exploits 0 · References 6
Positive Technologies
added 2022/07/12 12:00 a.m. · 1 views

PT-2022-20529 · Argo Cd · Argo Cd

Name of the Vulnerable Software and Affected Versions: Argo CD versions 2.3.0 through 2.3.5; Argo CD versions 2.4.0 through 2.4.4. Description: The issue is a cross-site scripting (XSS) bug that could allow an attacker to inject arbitrary JavaScript in the "/auth/callback" page in a victim's browser...

CVSS 6.1 · AI score 5.8 · EPSS 0.00157
Exploits 0 · References 10
CNNVD
added 2022/06/27 12:00 a.m. · 2 views

ZEIT Next.js code issue vulnerability

ZEIT Next.js is an open source web application framework from ZEIT based on Vue.js, Node.js, Webpack and Babel.js. NextAuth.js is the authentication library for Next.js. A code issue vulnerability exists in Next.js NextAuth.js versions prior to 3.29.5 and prior to 4.5.0 that stems from a lack of validati...

CVSS 7.5 · AI score 7.4 · EPSS 0.00864
Exploits 0 · References 5
Code423n4
added 2022/06/19 12:00 a.m. · 9 views

attacker can perform griefing for process() in PromiseRouter by reverting calls to callback() in callbackAddress

Lines of code. Vulnerability details. Impact: process() in PromiseRouter is used to process a stored callback function; anyone who calls it gets the callbackFee, and it calls the callback function of callbackAddress. But an attacker can set a callbackAddress that reverts on callback and cause griefing for the process caller...

AI score 6.9
Exploits 0
ATTACKERKB
added 2022/06/02 2:15 p.m. · 2 views

CVE-2022-1789

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference...

CVSS 6.9 · AI score 6.8 · EPSS 0.00017
Exploits 0 · References 11
OSV
added 2022/06/02 2:15 p.m. · 2 views

CVE-2021-42203

An issue was discovered in swftools through 20201222. A heap-use-after-free exists in the function swf_FontExtract_DefineTextCallback located in swftext.c. It allows an attacker to cause code execution...

CVSS 7.8 · AI score 7.2 · EPSS 0.00759
Exploits 1 · References 1
OSV
added 2022/06/02 2:15 p.m. · 3 views

CVE-2021-42199

An issue was discovered in swftools through 20201222. A heap buffer overflow exists in the function swf_FontExtract_DefineTextCallback located in swftext.c. It allows an attacker to cause code execution...

CVSS 7.8 · AI score 7.4 · EPSS 0.00903
Exploits 1 · References 1
OSV
added 2022/06/02 2:15 p.m. · 0 views

UBUNTU-CVE-2021-42199

An issue was discovered in swftools through 20201222. A heap buffer overflow exists in the function swf_FontExtract_DefineTextCallback located in swftext.c. It allows an attacker to cause code execution...

CVSS 7.8 · AI score 6.1 · EPSS 0.00903
Exploits 1 · References 3
OSV
added 2022/06/02 2:15 p.m. · 1 views

UBUNTU-CVE-2021-42203

An issue was discovered in swftools through 20201222. A heap-use-after-free exists in the function swf_FontExtract_DefineTextCallback located in swftext.c. It allows an attacker to cause code execution...

CVSS 7.8 · AI score 7.2 · EPSS 0.00759
Exploits 1 · References 3
CNNVD
added 2022/06/02 12:00 a.m. · 7 views

Swftools buffer error vulnerability

Swftools is a set of utilities for working with Adobe Flash (SWF) files. An out-of-bounds write vulnerability exists in Swftools 2020-12-22 and prior versions, which stems from a heap buffer overflow in the function swf_FontExtract_DefineTextCallback located in swftext.c. The vulnerability is cause...

CVSS 7.8 · AI score 6.2 · EPSS 0.00903
Exploits 1 · References 2
CNNVD
added 2022/06/02 12:00 a.m. · 2 views

Swftools resource management error vulnerability

Swftools is a set of utilities for working with Adobe Flash (SWF) files. A use-after-free vulnerability exists in Swftools 2020-12-22 and prior versions, which stems from a heap-based use-after-free in the function swf_FontExtract_DefineTextCallback located in swftext.c. The...

CVSS 7.8 · AI score 5.8 · EPSS 0.00759
Exploits 1 · References 2
Code423n4
added 2022/05/28 12:00 a.m. · 9 views

BathToken.sol#_deposit() attacker can mint more shares with re-entrancy from hookable tokens

Lines of code. Vulnerability details: BathToken.sol#_deposit() calculates the actual transferred amount by comparing the before and after balance; however, since there is no reentrancy guard on this function, there is a risk of a re-entrancy attack to mint more shares. Some token standards, such as ERC77...

AI score 6.6
Exploits 0
Github Security Blog
added 2022/05/24 5:09 p.m. · 27 views

CardGate Payments plugin for WooCommerce does not validate request origin

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass...

CVSS 8.1 · AI score 7.1 · EPSS 0.0026
Exploits 6 · References 8 · Affected Software 1
OSV
added 2022/05/24 5:09 p.m. · 25 views

GHSA-5PQ5-9PHV-Q5J3 CardGate Payments plugin for WooCommerce does not validate request origin

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass...

CVSS 8.1 · AI score 8 · EPSS 0.0026
Exploits 6 · References 8
ATTACKERKB
added 2022/05/24 3:15 p.m. · 1 views

CVE-2022-31261

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker ca...

CVSS 7.5 · AI score 7.1 · EPSS 0.00357
Exploits 0 · References 3
OSV
added 2022/05/24 3:15 p.m. · 2 views

CVE-2022-31261

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker ca...

CVSS 7.5 · AI score 5.8 · EPSS 0.00357
Exploits 0 · References 2
Cvelist
added 2022/05/24 2:49 p.m. · 15 views

CVE-2022-31261

An XXE issue was discovered in Morpheus through 5.2.16 and 5.4.x through 5.4.4. A successful attack requires a SAML identity provider to be configured. In order to exploit the vulnerability, the attacker must know the unique SAML callback ID of the configured identity source. A remote attacker ca...

AI score 7.6 · EPSS 0.00357
Exploits 0 · References 2
CNNVD
added 2022/05/24 12:00 a.m. · 2 views

Morpheus Data Morpheus code issue vulnerability

Morpheus Data Morpheus is a self-service engine from Morpheus Data USA, Inc. that delivers enterprise agility, control and efficiency. A security vulnerability exists in Morpheus Data Morpheus version 5.2.16 and version 5.4.x prior to version 5.4.4, which stems from the discovery of an X...

CVSS 7.5 · AI score 7.4 · EPSS 0.00357
Exploits 0 · References 4
OSV
added 2022/05/17 1:59 a.m. · 17 views

GHSA-PCHF-755W-JJ6V QooxDoo XSS in Callback Parameter

Cross-site scripting (XSS) vulnerability in framework/source/resource/qx/test/jsonpprimitive.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the callback parameter...

CVSS 4.3 · AI score 5.7 · EPSS 0.08582
Exploits 1 · References 6