ALPINE-CVE-2022-20001
fish is a command line shell. fish version 3.1.0 through version 3.3.1 is vulnerable to arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using the default configuration of fish, changing...
Experts Warn of Hacking Group Targeting Aviation and Defense Sectors
Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans (RATs) on compromised systems. The use...
CVE-2022-22552
Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker could potentially exploit this vulnerability to trick the victim into executing state changing operations...
CVE-2021-44161 Changing Information Technology Inc. MOTP (Mobile One Time Password) - SQL Injection
A specific function parameter in Changing's MOTP (Mobile One Time Password) system has insufficient validation of user input. An attacker on the local area network can perform a SQL injection attack to read, modify or delete the backend database without authentication...
Cross-Site Request Forgery (CSRF) in janeczku/calibre-web
Description CSRF on various endpoints Summary CSRF protection in calibre-web was implemented fairly recently. However, some state-changing endpoints still accept GET requests instead of POST. The most impactful route so far, which allows an attacker to completely shut down the server:...
Cross-Site Request Forgery (CSRF) in laravelio/laravel.io
Description This CSRF is capable of making a user unintentionally subscribe and unsubscribe to a thread. Proof of Concept Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe Visit https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/unsubscribe Impact One...
Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
CSRF Set 1 modify invoice status Medium severity Description CSRF in saving invoices / modifying status of invoices pending and cancel only Proof of Concept The following state-changing endpoints are vulnerable to CSRF GET...
Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Description More unprotected CSRF endpoints that allow state-changing operations. 1: GET /dashboard/moderation/1/approve 2: GET /requests/1/accept 3: GET /requests/1/reject 4: GET /requests/1/unclaim 5: GET /requests/1/reset Proof of Concept CLICK ME! Impact This vulnerability is capable of...
Cross-Site Request Forgery (CSRF) in pterodactyl/panel
Description Following state-changing endpoints are vulnerable to CSRF: 1: GET /admin/nodes/view/1/settings/token auto-generates token when token not generated yet 2: GET /admin/settings/mail/test The X-CSRF-Token header for the API request is not validated on backend, should be a POST request to...
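The CSRF entries above (calibre-web, laravel.io, kimai2, unit3d, pterodactyl) share one root cause: a state-changing action is reachable by GET, or the token that is supposed to prove same-origin intent is never checked, so a link or image tag on an attacker's page makes the victim's browser perform the action with the victim's own session cookie. The following is an added example, not code from any of the listed projects; it models a `/requests/1/accept` style route in a small dispatcher, with the vulnerable handler beside a hardened one that requires POST and a per-session synchronizer token. The session store, the `_token` form field, the `X-CSRF-Token` header name and the `REQUESTS` table are assumptions made for the demonstration.

```python
"""Added example (not code from any advisory on this page): why a
state-changing GET endpoint is CSRF-able, and the hardened form that
requires POST plus a session-bound synchronizer token."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # browser attaches these automatically
    form: dict = field(default_factory=dict)      # POST body fields
    headers: dict = field(default_factory=dict)   # e.g. {"X-CSRF-Token": "..."}


# Hypothetical server-side state: session id -> CSRF token, and the
# "requests" table whose rows the endpoint flips to accepted.
SESSIONS: dict = {}
REQUESTS: dict = {1: "pending"}


def login() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """What a same-origin page embeds in its form (hidden field or header)."""
    return SESSIONS[sid]


def accept_request_vulnerable(req: Request) -> tuple:
    """Vulnerable pattern: any authenticated GET performs the state change.
    A page on another origin can trigger it with <img src=...> or a link,
    because the browser sends the victim's session cookie with the request."""
    if req.cookies.get("session") not in SESSIONS:
        return 401, "login required"
    if req.method == "GET" and req.path == "/requests/1/accept":
        REQUESTS[1] = "accepted"
        return 200, "accepted"
    return 404, "not found"


def accept_request_hardened(req: Request) -> tuple:
    """Hardened pattern: the action is POST-only, and the request must carry
    the token bound to the caller's session (form field or X-CSRF-Token
    header). The cross-site page cannot read that token, so it cannot forge
    a request that passes. Comparison is constant-time."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401, "login required"
    if req.path != "/requests/1/accept":
        return 404, "not found"
    if req.method != "POST":
        return 405, "method not allowed"
    presented = req.form.get("_token") or req.headers.get("X-CSRF-Token") or ""
    if not hmac.compare_digest(presented.encode(), SESSIONS[sid].encode()):
        return 403, "invalid CSRF token"
    REQUESTS[1] = "accepted"
    return 200, "accepted"


def demo() -> dict:
    """Drive both handlers with the same forged cross-site request."""
    REQUESTS[1] = "pending"
    sid = login()
    # The most a cross-site page can make the browser send: cookie, no token.
    forged = Request("GET", "/requests/1/accept", cookies={"session": sid})
    vuln_status, _ = accept_request_vulnerable(forged)
    vuln_state = REQUESTS[1]

    REQUESTS[1] = "pending"
    hard_get = accept_request_hardened(forged)[0]
    hard_post_no_token = accept_request_hardened(
        Request("POST", "/requests/1/accept", cookies={"session": sid}))[0]
    hard_post_wrong = accept_request_hardened(
        Request("POST", "/requests/1/accept", cookies={"session": sid},
                headers={"X-CSRF-Token": "x" * 43}))[0]
    state_after_forgeries = REQUESTS[1]
    # Legitimate same-origin form submission carries the session's token.
    hard_post_ok = accept_request_hardened(
        Request("POST", "/requests/1/accept", cookies={"session": sid},
                form={"_token": csrf_token_for(sid)}))[0]
    return {
        "vulnerable_get": vuln_status, "vulnerable_state": vuln_state,
        "hardened_get": hard_get, "hardened_post_no_token": hard_post_no_token,
        "hardened_post_wrong_token": hard_post_wrong,
        "state_after_forgeries": state_after_forgeries,
        "hardened_post_valid": hard_post_ok, "final_state": REQUESTS[1],
    }


if __name__ == "__main__":
    print(demo())
```

The practical fix in the listed projects is the same shape: move each action to POST (or another non-safe method) and let the framework's CSRF middleware verify the token, which only works if the middleware is actually in the path for that route; the pterodactyl entry shows the failure mode where the header is sent but never validated on the backend.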
Cisco Umbrella Security Vulnerability
Cisco Umbrella is a suite of cloud security platforms from Cisco. The platform prevents cyber threats such as phishing, malware and ransomware. Cisco Umbrella suffers from an enumeration vulnerability that stems from an overly descriptive error message appearing on the dashboard when a user...
CVE-2021-36850 WordPress Media File Renamer – Auto & Manual Rename plugin <= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin versions <= 5.1.9. Affected parameters "posttitle", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state...
#LetsTalkSecurity - Security at the Speed of Change
Let's Talk Security: Season 02 // Episode 05: Host, Rik Ferguson, interviews Vice President and Chief Information Security Officer for Carrier, Nicole Darden Ford. Together they discuss the changing cybersecurity landscape...
Nextcloud Authorization Vulnerability
Nextcloud is a set of open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud Server that stems from a lack of privilege checking in Nextcloud Server, where tokens are able to change their ow...
CVE-2021-28958
Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password...
CVE-2021-21549
Dell EMC XtremIO versions prior to 6.3.3-8 contain a Cross-Site Request Forgery vulnerability in XMS. A non-privileged attacker could potentially exploit this vulnerability, leading to a privileged victim application user being tricked into sending state-changing requests to the vulnerable...
Authentication bypass in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
How XDR can enable your enterprise
Extended detection and response XDR provides enhanced visibility, detection, and response across your entire IT infrastructure—enabling you to be more resilient in the face of ever-changing attacks...