Cvelist
added 2021/08/30 6:31 p.m., 13 views

CVE-2021-34066

An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML file...

9.8 AI score, 0.01962 EPSS
Exploits 1, References 1
Packet Storm
added 2021/08/30 12:00 a.m., 455 views

Ship Ferry Ticket Reservation System 1.0 SQL Injection

Exploit Title: Ship Ferry Ticket Reservation System v1.0 SQL-Injection-Bypass-Authentication in /shipticketing/classes/Login.php. Author: nu11secur1ty. Testing and Debugging: nu11secur1ty. Date: 08.30.2021. Vendor:...

0.5 AI score
Exploits 0
IBM Security Bulletins
added 2021/08/27 5:06 p.m., 61 views

Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer

Summary There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 and IBM® Runtime Environment Java™ Version 8 used by Rational Business Developer. Rational Business Developer has addressed the applicable CVE. This issue was disclosed as part of the IBM Java SDK and Runtime...

5.9 CVSS, 1.2 AI score, 0.03125 EPSS
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2021/08/25 8:47 p.m., 7 views

Security Bulletin: IBM API Connect is impacted by a vulnerability in Drupal (201714)

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details Third Party Entry: 201714 DESCRIPTION: Gutenberg module for Drupal could allow a remote attacker to bypass security restrictions, caused by improper validation of access rules in certain situations. By sendin...

1 AI score
Exploits 0
IBM Security Bulletins
added 2021/08/24 4:20 p.m., 11 views

Security Bulletin: IBM API Connect is impacted by a cross site scripting vulnerability in Drupal core SA-CORE-2021-002

Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details Third Party Entry: 200544 DESCRIPTION: Drupal core is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the sanitization API. A remote authenticated attacker could...

0.9 AI score
Exploits 0
OSV
added 2021/08/23 8:15 p.m., 17 views

CVE-2021-22252

A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers...

6.5 CVSS, 6.2 AI score, 0.01126 EPSS
Exploits 0, References 3
OSV
added 2021/08/23 8:15 p.m., 1 view

UBUNTU-CVE-2021-22252

A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers...

6.5 CVSS, 6.6 AI score, 0.01126 EPSS
Exploits 0, References 5
wpexploit
added 2021/08/23 12:00 a.m., 551 views

OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion

The plugin does not enforce path validation, authorisation and CSRF checks in the omgfajaxemptydir AJAX action, which allows any authenticated user to delete arbitrary files or folders on the server. As an authenticated user, with a role as low as subscriber, viewing the admin dashboard...

8.1 CVSS, 1.1 AI score, 0.00883 EPSS
Exploits 2
wpexploit
added 2021/08/18 12:00 a.m., 822 views

Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls

The plugin does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user, such as a subscriber, to call them and 1) get and search through the title and content of draft posts, 2) get the title of a password-protected post as...

5.5 CVSS, 0.4 AI score, 0.00615 EPSS
Exploits 2
VulnCheck KEV
added 2021/08/17 12:00 a.m., 3 views

VulnCheck KEV: CVE-2016-5165

Cross-site scripting (XSS) vulnerability in the Developer Tools (aka DevTools) subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux allows remote attackers to inject arbitrary web script or HTML via the settings parameter in a...

6.1 CVSS, 7 AI score, 0.01246 EPSS
Exploits 0, References 1
Prion
added 2021/08/16 9:15 p.m., 17 views

Cross site scripting

MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. An attacker who can trick a victim into visiting a malicious site while running MockServer locally will be able to run arbitrary code on the MockServer machine. With an overly broad...

6.8 CVSS, 9.3 AI score, 0.02164 EPSS
Exploits 1, References 2, Affected Software 1
Ivan 'd0znpp' Novikov
added 2021/08/16 9:10 a.m., 131 views

Broken Object Level Authorization☝️ — What you need to know

What is Broken Object Level Authorisation? Broken Object Level Authorisation all starts with an object. Objects should be looked at in the context of “Object Oriented Programming”; what I mean by that is objects are the things you think...

7.3 AI score
Exploits 0
The Hacker News
added 2021/08/16 7:29 a.m., 178 views

New AdLoad Variant Bypasses Apple's Security Defenses to Target macOS Systems

A new wave of attacks involving a notorious macOS adware family has evolved to leverage around 150 unique samples in the wild in 2021 alone, some of which have slipped past Apple's on-device malware scanner and have even been signed by its own notarization service, highlighting the malicious software ongoi...

5.5 CVSS, 5.8 AI score, 0.68531 EPSS
Exploits 5
Wordfence Blog
added 2021/08/13 9:50 p.m., 12 views

WordPress Malware Camouflaged As Code

In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. ...

7.5 AI score
Exploits 0
NCSC
added 2021/08/10 12:00 a.m., 4 views

Vulnerabilities fixed in Microsoft Developer Tools

Microsoft has fixed vulnerabilities in its Developer products. The vulnerabilities allow a malicious party to execute attacks that could lead to access to sensitive data, or Denial-of-Service, for example, through services and applications that make use of these vulnerable products...

7.5 CVSS, 6.2 AI score, 0.03858 EPSS
Exploits 0
Kaspersky
added 2021/08/10 12:00 a.m., 48 views

KLA12257 Multiple vulnerabilities in Microsoft Developer Tools

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to obtain sensitive information or cause denial of service. Below is a complete list of vulnerabilities: 1. An information disclosure vulnerability in .NET Core and Visual Studio can ...

7.5 CVSS, 7.1 AI score, 0.03858 EPSS
Exploits 0, References 7
NVD
added 2021/07/22 7:15 p.m., 25 views

CVE-2020-7389

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production...

9 CVSS, 0.02071 EPSS
Exploits 1, References 2
OSV
added 2021/07/22 7:15 p.m., 2 views

CVE-2020-7389

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production...

7.2 CVSS, 6.8 AI score, 0.35792 EPSS
Exploits 7, References 2
Prion
added 2021/07/22 7:15 p.m., 21 views

Command injection

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production...

9 CVSS, 7 AI score, 0.35792 EPSS
Exploits 7, References 2, Affected Software 1
Cvelist
added 2021/07/22 6:27 p.m., 31 views

CVE-2020-7389 Sage X3 Syracuse Missing Authentication for Critical Function in Developer Environment

Sage X3 System CHAINE Variable Script Command Injection. An authenticated user with developer access can pass OS commands via this variable used by the web application. Note, this developer configuration should not be deployed in production...

5.5 CVSS, 7.1 AI score, 0.02071 EPSS
Exploits 1, References 1