Keycloak vulnerable to impersonation via logout token exchange
Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions...
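The flaw described above is a token-type confusion: a logout token and an access token are both signed by the same realm key, so a validator that only checks the signature accepts either. The following is an added illustration, not Keycloak's code, of the naive check beside the hardened one. It uses HS256 with a constructed demo key so it runs stand-alone (a real realm signs with an asymmetric key), and the claim names (`typ` with values `Bearer` and `Logout`, `sid`, `exp`) are assumptions modelled on common JWT practice rather than taken from the advisory.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. The point is the claims check, not the signing algorithm.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT over the given claims (stand-in for the realm signing key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Signature-only validation: the shape of the flaw. Any token the realm
    signed passes, whatever kind of token it is."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def verify_token(token: str, expected_typ: str, secret: bytes = DEMO_SECRET,
                 now: Optional[float] = None) -> dict:
    """Hardened validation: signature, then the token-type claim, then expiry."""
    claims = verify_signature(token, secret)
    if claims.get("typ") != expected_typ:
        raise ValueError(f"token type {claims.get('typ')!r}, expected {expected_typ!r}")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def exchange_for_access(subject_token: str, secret: bytes = DEMO_SECRET,
                        now: Optional[float] = None) -> str:
    """Token-exchange endpoint: only a Bearer access token may be exchanged."""
    now = time.time() if now is None else now
    claims = verify_token(subject_token, "Bearer", secret, now)
    return sign_token({"typ": "Bearer", "sub": claims["sub"],
                       "iat": int(now), "exp": int(now) + 300}, secret)


def accepts(fn, *args, **kwargs) -> bool:
    """True if fn(*args, **kwargs) validates, False if it raises ValueError."""
    try:
        fn(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed logout token: a session id, no scopes, typ "Logout" (assumed format).
    logout = sign_token({"typ": "Logout", "sub": "alice", "sid": "sess-1", "exp": now + 600})
    print("signature-only check accepts logout token:", accepts(verify_signature, logout))
    print("type-checked exchange accepts it:", accepts(exchange_for_access, logout, now=now))
```

The check that matters is the one on `typ`: a logout token is a perfectly valid signed object, so signature validation alone cannot tell it apart from an access token. The same rule applies to refresh and ID tokens presented where an access token is expected.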
Enforce and Report on PCI DSS v4 Compliance with Rapid7
The PCI Security Standards Council (PCI SSC) is a global forum that connects stakeholders from the payments and payment processing industries to craft and facilitate adoption of data security standards and relevant resources that enable safe payments worldwide. According to the PCI SSC website, “PC...
CVE-2024-21068
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle...
CVE-2024-21108
CVE-2024-21108 (Oracle VM VirtualBox Core) affects Oracle VM VirtualBox prior to 7.0.16. The vulnerability allows a low-privilege attacker who can log on to the infrastructure where VirtualBox runs to compromise the VirtualBox instance, potentially leading to unauthorized read access to a subset ...
FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations
The U.S. Federal Trade Commission (FTC) has ordered mental telehealth company Cerebral to stop using or disclosing personal medical data for advertising purposes. The company has also been fined more than $7 million over charges that it revealed users' sensitive personal health information and other data to...
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.4 - Missing Authorization
Description The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pmuploadcoverimage function in all versions up to, and including, 5.8.3. This makes it possible for...
CVE-2024-28927
CVE-2024-28927 is a Microsoft OLE DB Driver for SQL Server Remote Code Execution vulnerability. Public docs identify the affected component as the Microsoft OLE DB Driver for SQL Server, with remediation provided via security updates KB5037572 (OLE DB Driver 18.x, SQL Server 18.7.0002.0) and KB5037...
CVE-2023-6522
Incorrect Use of Privileged APIs vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3914...
ROS-20240404-01
A vulnerability in the Grafana web-based data submission tool is related to authentication bypass via spoofing. Exploitation of the vulnerability could allow an attacker acting remotely to gain full access to a user's account. A vulnerability in the Grafana monitoring and observability platform is...
CVE-2024-29432
Alldata v0.4.6 was discovered to contain a SQL injection vulnerability via the tablename parameter at /data/masterdata/datas...
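A SQL injection through a table-name parameter is worth a closer look because the usual fix, parameter binding, does not apply: database drivers bind values, not identifiers. The following is an added example, not Alldata's code, showing the bug class beside the control that actually works for identifiers, an allowlist. It uses an in-memory SQLite database with constructed tables and rows; the endpoint shape, table names and payloads are assumptions, not taken from the advisory.

```python
import sqlite3
from typing import List, Tuple

# Tables the endpoint is meant to serve. Anything else is rejected before SQL is built.
ALLOWED_TABLES = frozenset({"customers", "products"})


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's master-data store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE api_keys  (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO customers VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO products  VALUES (1, 'widget');
        INSERT INTO api_keys  VALUES (1, 'constructed-secret-value');
        """
    )
    return conn


def fetch_rows_vulnerable(conn: sqlite3.Connection, tablename: str) -> List[Tuple]:
    """The bug class: the identifier is spliced straight into the statement.
    Kept deliberately broken so the contrast with the hardened path is visible."""
    return conn.execute(f"SELECT * FROM {tablename}").fetchall()


def fetch_rows_hardened(conn: sqlite3.Connection, tablename: str) -> List[Tuple]:
    """Identifiers cannot be bound as parameters, so allowlist them, then quote."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError(f"table {tablename!r} is not exposed by this endpoint")
    # Quoting is defence in depth; the allowlist above is the actual control.
    quoted = '"' + tablename.replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted}").fetchall()


def rejects(conn: sqlite3.Connection, tablename: str) -> bool:
    """True if the hardened path refuses the identifier."""
    try:
        fetch_rows_hardened(conn, tablename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed inputs: a legitimate table, an unlisted table, and a UNION appended
    # in the identifier position.
    for name in ("customers", "api_keys",
                 "customers UNION SELECT id, secret FROM api_keys"):
        print(f"{name!r}: vulnerable -> {fetch_rows_vulnerable(db, name)}; "
              f"hardened rejects -> {rejects(db, name)}")
```

Note that the unlisted-table case needs no injection syntax at all: a raw identifier parameter already lets a caller read any table the application account can see, which is why the allowlist, not escaping, is the control.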
RosarioSIS cross site scripting vulnerability
(DISPUTED) A vulnerability was found in francoisjacquet RosarioSIS 11.5.1. It has been rated as problematic. This issue affects some unknown processing of the component Add Portal Note. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been...
Employee Management System 1.0 - (txtfullname) and (txtphone) SQL Injection Vulnerability
Exploit Title: Employee Management System 1.0 - txtfullname and txtphone SQL Injection Exploit Author: Yevhenii Butenko Vendor Homepage: https://www.sourcecodester.com Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html Version: 1.0 Tested on: Debian CVE :...
Data Security Fears: Congress Bans Staff Use of Microsoft’s AI Copilot
By Waqas Microsoft has acknowledged the concerns! This is a post from HackRead.com Read the original post: Data Security Fears: Congress Bans Staff Use of Microsoft's AI Copilot...
BIT-MOODLE-2024-25981 MSA-24-0004: forum export did not respect activity group settings
Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers...
How to back up your iPhone to a Mac
They say the only backup you ever regret is the one you didn't make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you've lost, or to fix things that have failed. One of the most cost-effective ways to back up your iPhone is to save backups to your Ma...
The vulnerability in the formSetFirewallCfg() function (/goform/SetFirewallCfg) of the Tenda AC15 router software allows an attacker to compromise the confidentiality, integrity, and availability of the protected information.
The formSetFirewallCfg() handler (/goform/SetFirewallCfg) in the Tenda AC15 router software writes beyond the bounds of a memory buffer when processing the firewallEn parameter. Exploiting this vulnerability allows an attacker to compromise the...
PT-2024-23267 · Armember · Armember
Name of the Vulnerable Software and Affected Versions: ARMember versions 4.0.26 and earlier Description: The issue is related to the deserialization of untrusted data. This can potentially lead to security risks. There is no information provided about the estimated number of potentially affected...
PT-2024-2509 · Arm +3 · Mbed Crypto +4
Name of the Vulnerable Software and Affected Versions: Mbed TLS versions 2.18.0 through 2.28.x before 2.28.8; Mbed TLS versions 3.x before 3.6.0; Mbed Crypto, affected versions not specified. Description: The PSA Crypto API in Mbed TLS and Mbed Crypto mishandles shared memory, which can be exploited ...
Mozilla Drops Onerep After CEO Admits to Running People-Search Networks
The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by...