Vulnrichment
added 2023/06/29 7:33 p.m. · 9 views

CVE-2023-35938 User access not updated with privilege change in Tuleap

Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to Private without restricted, restricted users that are project administrators keep this access right. Restricted users tha...

CVSS 4.1 · AI score 6.8 · EPSS 0.00483
Exploits 0 · References 4
CVE
added 2023/06/28 1:55 p.m. · 44 views

CVE-2023-36467

CVE-2023-36467 concerns AWS data.all, an open-source data marketplace framework. The connected sources confirm that versions 1.2.0 through 1.5.1 are vulnerable to remote code execution when an authenticated user injects Python commands into the Template field during data pipeline configuration. T...

CVSS 8.8 · AI score 8.5 · EPSS 0.0118
Exploits 0 · References 4 · Affected software 1
BDU FSTEC
added 2023/06/28 12:00 a.m. · 7 views

The vulnerability of the application development environment for ISaGRAF programmable logic controllers arises from the use of an unreliable search path during the loading of dynamic libraries. This allows a hacker to execute arbitrary code.

The vulnerability in the application development environment for ISaGRAF Runtime Rockwell Automation relates to the use of an unreliable search path during the loading of dynamic libraries. Exploiting this vulnerability allows a local attacker to execute arbitrary code...

CVSS 6.7 · AI score 7 · EPSS 0.00422
Exploits 0 · References 7 · Affected software 17
OpenVAS
added 2023/06/26 12:00 a.m. · 15 views

SUSE: Security Advisory (SUSE-SU-2023:2624-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 5.9 · AI score 7.3 · EPSS 0.16195
Exploits 0 · References 4
Prion
added 2023/06/23 9:15 p.m. · 22 views

Code injection

AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages aws-cdk-lib 2.0.0 until 2.80.0 and @aws-cdk/aws-eks 1.57.0 until 1.202.0, eks.Cluster and eks.FargateCluster...

CVSS 6.5 · AI score 8.9 · EPSS 0.00897
Exploits 1 · References 2 · Affected software 1
OSV
added 2023/06/23 8:32 p.m. · 32 views

CVE-2023-35165 AWS CDK EKS overly permissive trust policies

AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages aws-cdk-lib 2.0.0 until 2.80.0 and @aws-cdk/aws-eks 1.57.0 until 1.202.0, eks.Cluster and eks.FargateCluster...

CVSS 6.6 · AI score 8.8 · EPSS 0.00897
Exploits 1 · References 4
Spring Security Advisories
added 2023/06/23 12:00 a.m. · 17 views

Improved Testcontainers Support in Spring Boot 3.1

There's been support for Testcontainers in Spring Boot for some time now, and Spring Boot 3.1 improves it further. But first, let's take a look at what Testcontainers is and how it's usually used. Testcontainers is an open source framework for providing throwaway, lightweight instances of...

AI score 7.1
Exploits 0
CNNVD
added 2023/06/23 12:00 a.m. · 5 views

AWS Cloud Development Kit security vulnerability

AWS Cloud Development Kit is an open source software development framework for defining cloud infrastructure in code and configuring it via AWS CloudFormation. A security vulnerability exists in AWS Cloud Development Kit that stems from two roles created by eks.Cluster and eks.FargateCluster that...

CVSS 8.8 · AI score 8 · EPSS 0.00897
Exploits 1 · References 3
BDU FSTEC
added 2023/06/23 12:00 a.m. · 7 views

The vulnerability of Microsoft Visual Studio, a software development tool, and the Microsoft.NET platform allows attackers to enhance their privileges.

The vulnerability of Microsoft Visual Studio, a software development tool, and the Microsoft.NET platform is related to deficiencies in access control. Exploiting this vulnerability can allow attackers to enhance their privileges...

CVSS 7.3 · AI score 7.2 · EPSS 0.00999
Exploits 0 · References 4 · Affected software 2
OSV
added 2023/06/22 10:34 p.m. · 29 views

CVE-2023-34110 Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on t...

CVSS 2.7 · AI score 4 · EPSS 0.00676
Exploits 0 · References 6
Veracode
added 2023/06/21 10:25 a.m. · 21 views

Information Exposure

gatsby is vulnerable to Information Exposure. The vulnerability exists due to a lack of local file validation in file-code-frame or original-stack-frame, which allows an attacker to access sensitive information in the system if gatsby is run in development mode...

CVSS 5.3 · AI score 6.2 · EPSS 0.0091
Exploits 1 · References 5 · Affected software 1
Packet Storm
added 2023/06/21 12:00 a.m. · 339 views

WordPress BookIt 2.3.7 Authentication Bypass

On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes’s BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for...

AI score 7.1 · EPSS 0.01914
Exploits 3
OpenVAS
added 2023/06/20 12:00 a.m. · 11 views

SUSE: Security Advisory (SUSE-SU-2023:2552-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.5 · AI score 9.2 · EPSS 0.00952
Exploits 0 · References 4
vulnersOsv
added 2023/06/19 10:47 p.m. · 7 views

@98kb/ecr-image-tagger-construct (>=1.0.0 <=1.0.2), @akamaistro/cdktf (>=1.0.1 <=1.8.0) +1081 more potentially affected by CVE-2023-35165 via aws-cdk-lib (>=2.0.0 <=2.7.0)

aws-cdk-lib NPM version =2.0.0, =1.0.0, =1.0.1, =0.0.1, =0.0.1, =0.0.1, =2.0.0, =0.1.0, =0.2.0, =2.1.0, =2.2.0, =2.3.6, =2.1.0, =2.1.0, =2.0.0-beta, =2.2.0 and more Source cves: CVE-2023-35165 Source advisory: OSV:GHSA-RX28-R23P-2QC3...

CVSS 8.8 · AI score 7.6 · EPSS 0.00897
Exploits 1
Positive Technologies
added 2023/06/19 12:00 a.m. · 4 views

PT-2023-25176 · Amazon · @Aws-Cdk/Aws-Eks +2

Name of the Vulnerable Software and Affected Versions: aws-cdk-lib versions 2.0.0 through 2.80.0 @aws-cdk/aws-eks versions 1.57.0 through 1.202.0 Description: The issue concerns the AWS Cloud Development Kit AWS CDK, an open-source software development framework. In the affected packages,...

CVSS 8.8 · AI score 8.8 · EPSS 0.00897
Exploits 1 · References 9
BDU FSTEC
added 2023/06/19 12:00 a.m. · 5 views

The vulnerability of the Autodesk FBX Software Developer Kit allows a perpetrator to execute arbitrary code.

The vulnerability of the Autodesk FBX Software Developer Kit is related to writing beyond buffer boundaries in memory. Exploiting this vulnerability can allow an attacker to execute arbitrary code...

CVSS 7.8 · AI score 7.8 · EPSS 0.00491
Exploits 0 · References 5 · Affected software 4
Cvelist
added 2023/06/16 10:13 p.m. · 25 views

CVE-2023-34459 OpenZeppelin Contracts's MerkleProof multiproofs may allow proving arbitrary leaves for specific trees

OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the verifyMultiProof, verifyMultiProofCalldata, processMultiProof, or processMultiProofCalldata functions are in use, it is possible to construct merkle trees that...

CVSS 5.3 · AI score 5.9 · EPSS 0.00371
Exploits 0 · References 3
CVE
added 2023/06/16 10:13 p.m. · 90 views

CVE-2023-34459

OpenZeppelin Contracts (versions 4.7.0–4.9.1) are affected by a multiproof forgery issue when using verifyMultiProof/verifyMultiProofCalldata/processMultiProof/processMultiProofCalldata. If the merkle tree includes a node with value 0 at depth 1 under the root, an adversarial or certain benign tre...

CVSS 5.9 · AI score 5.3 · EPSS 0.00371
Exploits 0 · References 3 · Affected software 2
The Hacker News
added 2023/06/16 11:12 a.m. · 42 views

Activities in the Cybercrime Underground Require a New Approach to Cybersecurity

As Threat Actors Continuously Adapt their TTPs in Today's Threat Landscape, So Must You Earlier this year, threat researchers at Cybersixgill released the annual report, The State of the Cybercrime Underground. The research stems from an analysis of Cybersixgill's collected intelligence items...

AI score 7
Exploits 0
RedHat Linux
added 2023/06/15 9:19 a.m. · 6 views

angular: XSS vulnerability

A flaw was found in the angular/core package. Affected versions of this package are vulnerable to Cross-site scripting XSS in development, with Server-side rendering SSR enabled...

CVSS 5.4 · AI score 5.7 · EPSS 0.01053
Exploits 0 · References 4