21 matches found
Privilege Escalation
github.com/openshift/hive is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in the Hive ClusterDeployments resource, which, under certain conditions, allows a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing...
CVE-2024-25133
A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod...
Developer account body snatchers pose risks to the software supply chain
By Jaeson Schultz. Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software...
Developer account body snatchers pose risks to the software supply chain
Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain becau...
GSD-2022-1000008 faker.js 6.6.6 is broken and the developer has wiped the original GitHub repo
faker.js had its version updated to 6.6.6 in NPM which reports it as having 2,571 dependent packages that rely upon it and the GitHub repo has been wiped of content. This appears to have been done intentionally as the repo only has a single commit so it was likely deleted, recreated and a singl...
GSD-2022-1000007 colors.js 1.4.1 has an infinite loop added by the primary developer
colors.js had an infinite loop added by the primary developer in version 1.4.1 and 6.6.6 which was released on GitHub and NPM which reports it as having 3,179 dependent packages that rely upon it. Additionally the GitHub repo was wiped of all files. This appears to have been done intentionally in...
NPM Library (ua-parser-js) Hijacked: What You Need to Know
Last Update: October 27, 2021 For approximately 4 hours on Friday, October 22, 2021, a widely utilized NPM package, ua-parser-js, was embedded with a malicious script intended to install a coinminer and harvest user/credential information. This package is used “to detect Browser, Engine, OS, CPU,...
CVE-2021-33216
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account...
Design/Logic Flaw
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account...
PT-2021-20086 · Commscope · Commscope Ruckus Iot Controller
Name of the Vulnerable Software and Affected Versions: CommScope Ruckus IoT Controller versions 1.7.1.0 and earlier Description: An issue exists in the CommScope Ruckus IoT Controller, where an undocumented backdoor allows shell access via a developer account. This backdoor enables unauthorized...
TikTok: CSRF To Add New App In Developer Account And Bypassing Json Format
The researcher found a CSRF issue allowing a malicious user to add arbitrary applications to a developer's account...
X (Formerly Twitter): Twitter Source Label allow 'mongolian vowel separator' U+180E (app name)
Summary: Twitter app-names which are shown in the Tweet source label are supposed to be unique and because of that they must not include invisible Unicode characters. However, you can use the Mongolian vowel separator in these app-names, which allows faking an app-name. Description: Every tweet ha...
CVE-2020-3131
A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability is due to...
Input validation
A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability is due to...
CVE-2020-3131 Cisco Webex Teams Adaptive Cards Denial of Service Vulnerability
A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability is due to...
CVE-2018-11804
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A...
Someone Hijacks A Popular Chrome Extension to Push Malware
Phishers have recently hacked an extension for Google Chrome after compromising the Chrome Web Store account of German developer team a9t9 software and abused it to distribute spam messages to unsuspecting users. Dubbed Copyfish, the extension allows users to extract text from images, PDF documents...
Designed to scam people! Criminals are abusing Apple's iOS enterprise certificates on a large scale - vulnerability warning - the black bar safety net
Criminals abuse or purchase enterprise certificates to package illegal apps and, through itms:services://?, install the ipa online, bypassing the App Store, spreading a large number of illegal gambling applications designed to scam Chinese users! Include...
CVE-2012-5820
The developer-account sample code in Google AdMob does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...