444 matches found

Code423n4
added 2023/09/14 12:00 a.m. · 12 views

Malicious RestrictionManager can be used to verify Tranche Members

Lines of code. Vulnerability details: The ability to file a new Restriction Manager after deployment can be utilized by a rogue ward to deploy a malicious version of the RestrictionManager that implements almost the same thing as the original, but tweaked to return the SUCCESSMESSAGE...

7.2 AI score
Exploits 0
NVD
added 2023/07/24 2:15 p.m. · 18 views

CVE-2022-30280

/SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application, even if it implements a CSRF token for the random GET request, does not ever verify a CSRF token. With a litt...

8.8 CVSS · 8.7 AI score · 0.00381 EPSS
Exploits 1 · References 2
Prion
added 2023/07/24 2:15 p.m. · 21 views

Cross-site request forgery (CSRF)

/SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application, even if it implements a CSRF token for the random GET request, does not ever verify a CSRF token. With a litt...

6.8 CVSS · 8.7 AI score · 0.00381 EPSS
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2023/07/24 12:00 a.m. · 25 views

CVE-2022-30280

/SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application, even if it implements a CSRF token for the random GET request, does not ever verify a CSRF token. With a litt...

8.9 AI score · 0.00381 EPSS
Exploits 1 · References 2
CVE
added 2023/07/24 12:00 a.m. · 59 views

CVE-2022-30280

Nokia NetAct 22 exposes a CSRF vulnerability at /SecurityManagement/html/createuser.jsf that lets remote attackers create users with arbitrary, including administrative, privileges. The app does not verify CSRF tokens, enabling exploitation via social engineering; impact ranges from unauthorized ...

8.8 CVSS · 8.6 AI score · 0.00381 EPSS
Exploits 1 · References 2 · Affected Software 1
Schneier on Security
added 2023/07/21 9:10 p.m. · 10 views

Friday Squid Blogging: Chromatophores

Neat: Chromatophores are tiny color-changing cells in cephalopods. Watch them blink back and forth from purple to white on this squid's skin in an Instagram video taken by Drew Chicone… It's completely hypnotic to watch these tiny cells flash with color. It's as if the squid has a little sky full of...

6.8 AI score
Exploits 0
Prion
added 2023/07/10 4:15 p.m. · 15 views

Improper access control

Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to affect the availability of the device by changing settings of the device such as the IP address based on missing access control...

5 CVSS · 7.6 AI score · 0.0078 EPSS
Exploits 0 · References 3 · Affected Software 1
Wiz blog
added 2023/06/12 2:56 p.m. · 10 views

Crying Out Cloud: a magical podcast for cloud security enthusiasts

Join us for game-changing news, unique Wiz insights, and battle-tested advice from industry experts. Stay ahead of the cloud curve with our latest episodes and navigate the complex world of cloud security...

7 AI score
Exploits 0
Trend Micro Simply Security
added 2023/03/30 12:00 a.m. · 11 views

3 Shifts in the Cyber Threat Landscape

The threat landscape is always changing and these three major shifts are already underway. Learn to recognize them to protect your organization from cyber threats...

6.7 AI score
Exploits 0
Wired Threat Level
added 2023/03/26 11:00 a.m. · 13 views

The Uniquely American Future of US Authoritarianism

The GOP-fueled far right differs from similar movements around the globe, thanks to the country’s politics, electoral system, and changing demographics...

6.8 AI score
Exploits 0
NVD
added 2023/03/22 6:15 a.m. · 13 views

CVE-2023-25594

A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of this vulnerability allows an attacker to...

8.8 CVSS · 6.8 AI score · 0.00459 EPSS
Exploits 0 · References 1
Prion
added 2023/03/22 6:15 a.m. · 22 views

Design/Logic Flaw

A vulnerability in the web-based management interface of ClearPass Policy Manager allows an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of this vulnerability allows an attacker to complete...

6.5 CVSS · 8.4 AI score · 0.00459 EPSS
Exploits 0 · References 1 · Affected Software 1
SUSE CVE
added 2023/02/15 3:24 a.m. · 3 views

SUSE CVE-2022-35229

An authenticated user can create a link with reflected JavaScript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict...

5.4 CVSS · 5.7 AI score · 0.00602 EPSS
Exploits 0 · References 3
Positive Technologies
added 2023/02/10 12:00 a.m. · 6 views

PT-2023-13408 · Dell · Powerpath Management Appliance

Name of the Vulnerable Software and Affected Versions: PowerPath Management Appliance versions 3.0 through 3.3. Description: The issue allows an unauthenticated non-privileged user to potentially exploit the Cross-site Request Forgery vulnerability and perform any privileged state-changing actions...

8.8 CVSS · 8.7 AI score · 0.00314 EPSS
Exploits 0 · References 4
Code423n4
added 2023/02/03 12:00 a.m. · 3 views

[M-04] Balance manipulation when contract is paused

Lines of code. Vulnerability details. Impact: State-changing methods missing the whenNotPaused modifier are a security hole. Even when the contract is paused, the increaseTotalBalance and decreaseTotalBalance methods can be called internally. Therefore, medium severity matches. Proof of Concept: function...

6.8 AI score
Exploits 0
NVD
added 2023/02/01 8:15 p.m. · 14 views

CVE-2023-23078

Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets...

6.1 CVSS · 6.1 AI score · 0.02813 EPSS
Exploits 0 · References 2
Code423n4
added 2022/10/30 12:00 a.m. · 8 views

1-phase governor changing in Fed

Lines of code. Vulnerability details. Impact: A mistake in calling this function, setting the 0-address or just a wrong address, will lead to losing full control. Tools Used: vs code. Recommended Mitigation Steps: Do 2-phase changing like in DolaBorrowingRights.setPendingOperator and...

6.9 AI score
Exploits 0
Cvelist
added 2022/10/18 5:40 a.m. · 13 views

CVE-2022-39056 Changing Information Technology Inc. RAVA certificate validation system - SQL Injection

RAVA certificate validation system has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL command to access, modify and delete database...

9.8 CVSS · 10 AI score · 0.0076 EPSS
Exploits 0 · References 1
CNNVD
added 2022/10/18 12:00 a.m. · 3 views

Changing Information Technology RAVA certificate validation system Path Traversal Vulnerability

Changing Information Technology RAVA certificate validation system (Panorama Software RAVA certificate validation system website) is a credential validation system from the Chinese company Changing Information Technology. A path traversal vulnerability exists in the Changing Information Technology...

7.5 CVSS · 7.5 AI score · 0.01684 EPSS
Exploits 0 · References 2
CNNVD
added 2022/10/18 12:00 a.m. · 2 views

Changing Information Technology RAVA certificate validation system SQL Injection Vulnerability

Changing Information Technology RAVA certificate validation system (Panorama Software RAVA certificate validation system website) is a credential validation system from China-based Changing Information Technology. The Panorama Software RAVA certificate validation system suffers from a SQL injection...

9.8 CVSS · 8.7 AI score · 0.0076 EPSS
Exploits 0 · References 3