HSEC-2024-0003 process: command injection via argument list on Windows

process: command injection via argument list on Windows The process library on Windows is vulnerable to a command injection vulnerability, via cmd.exe's interpretation of arguments. Programs that invoke batch files .bat, .cmd and pass arguments whose values are affected by program inputs may be...

EUVD-2022-43546

Malicious code in bioql PyPI...

EUVD-2022-43555

Malicious code in bioql PyPI...

EUVD-2022-30439

Malicious code in bioql PyPI...

CVE-2024-10469 CERT/CC VINCE versions before 3.0.9 allows authenticated user to access User Management view.

VINCE versions before 3.0.9 is vulnerable to exposure of User information to authenticated users...

CERT/CC: CVE-2024-3596 RADIUS Protocol Spoofing Vulnerability

...

New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS R Data Serialization file such that it results in code execution when loaded and referenced. The flaw, assigned the CVE identifier CVE-2024-27322 CVSS...

Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks

A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are...

Disrupting AMD SEV-SNP on Linux® With Interrupts

AMD ID: AMD-SB-3008 Potential Impact: N/A Severity: N/A Summary Researchers from ETH Zurich have shared with AMD a paper titled “Heckler: Disrupting AMD SEV-SNP with Interrupts.” In their paper, the researchers report that a malicious hypervisor can potentially break confidentiality and integrity...

Apache Superset - Elevation of Privilege

Overview An attacker with access to the SQL Lab and the abuser and abuserrole tables can elevate his privileges to become administrator. Details On a more general level, diverse tables who are supposed to be only readable can be modified using the WITH … AS and RETURNING keywords. Modification of...

Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account

Overview Groupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows for arbitrary file writes. A low privileged attacker can escalate privileges to root on affected systems. Description Every five hours t...

New Python URL Parsing Flaw Could Enable Command Execution Attacks

A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution. "urlparse has a parsing problem when the...

Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution

Overview Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host. Description Freewill Solutions IFIS new...

CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability

...

CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability

...

KLA48553 Multiple vulnerabilities in Microsoft Windows

Multiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, obtain sensitive information, spoof user interface, cause denial of service, bypass security restrictions. Below is a complete list of...

CVE-2022-40257

An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field...

CVE-2022-40248

An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field...

CVE-2022-40257

An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via a crafted email with HTML content in the Subject field...

CVE-2022-40248

An HTML injection vulnerability exists in CERT/CC VINCE software prior to 1.50.4. An authenticated attacker can inject arbitrary HTML via form using the "Product Affected" field...