Sage Group Sage X3 Operating System Command Injection Vulnerability
Sage X3 is an enterprise resource planning product from Sage Group, Inc., developed for mature organizations. An operating system command injection vulnerability exists in Sage X3, where an authenticated user with developer access could pass operating system...
HM Multiple Roles < 1.3 - Arbitrary Role Change
The plugin does not have any access control to prevent low-privilege users from setting themselves as admin via their profile page. As any authenticated user, go to your Profile page and tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by eith...
KLA12245 Multiple vulnerabilities in Microsoft Developer Tools
Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface. Below is a complete list of vulnerabilities: 1. A remote code execution vulnerability in Visual Studio Code can be...
JVN#89054582: WordPress Plugin "Software License Manager" vulnerable to cross-site request forgery
WordPress Plugin "Software License Manager" provided by Tips and Tricks HQ contains a cross-site request forgery vulnerability CWE-352. Impact If a user with an administrative privilege views a malicious page while logged in, unintended operations may be performed. Solution Update the plugin Upda...
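The two WordPress entries above share one root cause: a profile-save handler that trusts the request. The first accepts any role a logged-in user posts (a checkbox disabled in the browser is not a control, since the POST body can be edited), the second accepts a forged cross-site request from an administrator's browser. The following is an added example, not code from either plugin, showing the vulnerable pattern beside a hardened handler. The function names, the `hm_roles` field and the `hm_save_roles` nonce action are assumed names for illustration.

```php
<?php
// Added example: a plugin that saves extra roles chosen on the WordPress
// profile page. Field, nonce and function names below are illustrative.

// Vulnerable pattern: any logged-in user's POSTed role list is applied as-is,
// and no nonce is checked, so a re-enabled checkbox, a hand-crafted POST or
// a cross-site form submitted by a logged-in admin all succeed.
function hm_example_save_roles_vulnerable( $user_id ) {
    if ( empty( $_POST['hm_roles'] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    foreach ( (array) $_POST['hm_roles'] as $role ) {
        $user->add_role( sanitize_key( $role ) );   // 'administrator' is accepted
    }
}

// Hardened pattern: verify the nonce (blocks CSRF), require a capability that
// only role-managing users hold (blocks self-promotion), and grant only the
// roles the caller is allowed to assign.
function hm_example_save_roles_hardened( $user_id ) {
    if ( empty( $_POST['hm_roles'] ) ) {
        return;
    }
    // The form must have been rendered with
    // wp_nonce_field( 'hm_save_roles', 'hm_roles_nonce' ).
    if ( ! isset( $_POST['hm_roles_nonce'] )
        || ! wp_verify_nonce( $_POST['hm_roles_nonce'], 'hm_save_roles' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // Editing your own profile does not give a subscriber 'promote_users';
    // 'edit_user' is the per-target meta capability WordPress itself uses.
    if ( ! current_user_can( 'promote_users' )
        || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $editable = get_editable_roles();   // roles the current user may assign
    $user     = get_userdata( $user_id );
    foreach ( (array) $_POST['hm_roles'] as $role ) {
        $role = sanitize_key( $role );
        if ( isset( $editable[ $role ] ) ) {
            $user->add_role( $role );
        }
    }
}

// Only the hardened handler is registered; both profile-save hooks are covered.
add_action( 'personal_options_update', 'hm_example_save_roles_hardened' );
add_action( 'edit_user_profile_update', 'hm_example_save_roles_hardened' );
```

The checks are deliberately server-side and independent of the UI: disabling a checkbox with HTML attributes, as v1.2 of the first plugin did, changes nothing about what the server will accept.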
CVE-2021-33216
An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account...
OPENSUSE-SU-2021:0949-1 Security update for opera
This update for opera fixes the following issues: Update to version 77.0.4054.146 - CHR-8458 Update chromium on desktop-stable-91-4054 to 91.0.4472.114 - DNA-92171 Create active linkdiscovery service - DNA-92388 Fix and unskip WorkspacesEmoji.testChooseEmojiAsWorkspaceIcon when possible - DNA-931...
OPENSUSE-SU-2021:0948-1 Security update for opera
This update for opera fixes the following issues: Update to version 77.0.4054.146 - CHR-8458 Update chromium on desktop-stable-91-4054 to 91.0.4472.114 - DNA-92171 Create active linkdiscovery service - DNA-92388 Fix and unskip WorkspacesEmoji.testChooseEmojiAsWorkspaceIcon when possible - DNA-931...
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020
The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. The module did not properly validate user access for data creation in certain circumstances...
Google now requires app developers to verify their address and use 2FA
Google on Monday announced new measures for the Play Store, including requiring developer accounts to turn on 2-Step Verification 2SV, provide an address, and verify their contact details later this year. The new identification and two-factor authentication requirements are a step towards...
Cryptominers Slither into Python Projects in Supply-Chain Campaign
Cryptomining packages were found to have infiltrated the Python Package Index PyPI, which is a repository of software code created in the Python programming language. Similar to other repositories like GitHub, npm and RubyGems, PyPI is part of the software supply chain. It offers a place where...
Swift-Attack - Unit Tests For Blue Teams To Aid With Building Detections For Some Common macOS Post Exploitation Methods
Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods. I have included some post exploitation examples using both command line history and on disk binaries which should be easier for detection as well as post exploitation examples using API call...
JVN#93799513: WordPress plugin "Fudousan plugin" series vulnerable to cross-site scripting
Some of WordPress plugin "Fudousan plugin" series provided by nendeb contain a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who accessed the site using the product. Solution Update the plugin Update the plugin according to th...
Weak Password Vulnerability in Chien Wang CRM Customer Management System
Thousand Wonders Software is a professional software developer. A weak password vulnerability exists in its Chivan CRM customer management system, which attackers can exploit to obtain sensitive information...
Speculative Code Store Bypass (SCSB) and Floating-Point Value Injection (FPVI) Advisory - Lenovo Support US
No description provided...
XXE
SilverStripe through 4.6.0-rc1 has an XXE Vulnerability in CSSContentParser. A developer utility meant for parsing HTML within unit tests can be vulnerable to XML External Entity XXE attacks. When this developer utility is misused for purposes involving external or user submitted data in custom...
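The SilverStripe entry describes a recurring pattern: an XML helper written for trusted unit-test fixtures being reused on external or user-submitted markup. The following added example (not SilverStripe's CSSContentParser, and not its fix) shows a PHP DOM parse that substitutes entities beside a hardened version. The attacker input is constructed for the example; the file path in the entity is whatever the attacker names.

```php
<?php
// Added example, not SilverStripe code. Demonstrates the XXE pattern in the
// advisory with PHP's DOMDocument.

// Constructed attacker input: an external entity that resolves to a local file.
$untrusted = '<?xml version="1.0"?>'
    . '<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    . '<div class="content">&xxe;</div>';

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, so on a parser
// that loads external entities the file contents end up in the document tree,
// and in anything the caller reflects back (assertion messages, rendered HTML).
function parse_vulnerable(string $xml): ?string {
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok  = $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    libxml_clear_errors();
    return $ok ? $dom->documentElement->textContent : null;
}

// Hardened: reject any DOCTYPE up front (a fragment parser never needs one),
// never request entity substitution, forbid network access, and install an
// entity loader that returns null so nothing is fetched even if a DTD slips
// through a later code path.
function parse_hardened(string $xml): ?string {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;   // refuse, rather than try to strip the declaration
    }
    libxml_set_external_entity_loader(function () { return null; });
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok  = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    return $ok ? $dom->documentElement->textContent : null;
}

var_dump(parse_vulnerable($untrusted));  // file contents, if the entity was loaded
var_dump(parse_hardened($untrusted));    // NULL
```

Whether `parse_vulnerable` actually returns the file depends on the libxml and PHP versions in use; the point is that the fix should not rely on that default. Rejecting the DOCTYPE and disabling the entity loader close the hole regardless of how the parser is configured elsewhere in the process.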
Django path traversal vulnerability (CNVD-2022-31940)
Django is the Django Software Foundation's open source web application framework, written in Python. The framework includes an object-relational mapper, view system, template system, etc. Django has a path traversal vulnerability that stems from the fact that a user can use the:...
KLA12200 Multiple vulnerabilities in Microsoft Developer Tools
Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges. Below is a complete list of vulnerabilities: 1. A denial of service vulnerability in ASP.NET can be exploited remotely to cause denial o...
Intel® Processors Software Developer Guidance Advisory
Summary: Potential security vulnerabilities in some Intel® Processors may allow information disclosure. Intel is releasing updated software developer prescriptive guidance to address these potential vulnerabilities. Vulnerability Details: CVEID: CVE-2021-0086 Description: Observable response...
Latvian Woman Charged for Her Role in Creating Trickbot Banking Malware
The U.S. Department of Justice DoJ on Friday charged a Latvian woman for her alleged role as a programmer in a cybercrime gang that helped develop TrickBot malware. The woman in question, Alla Witte, aka Max, 55, who resided in Paramaribo, Suriname, was arrested in Miami, Florida on February 6...