185 matches found
tRPC vs GraphQL
Deciphering the Cloud Conundrum: An Introduction to tRPC & GraphQL The dynamic domain of cloud technology presents a couple of instrumental methodologies in the arena of APIs: tRPC and GraphQL. Each serves as a potent asset for developers in crafting applications that are resilient, scalable, and...
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
GO-2023-2383 Command 'go get' may unexpectedly fallback to insecure git in cmd/go
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
CVE-2023-45285
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
PT-2023-8188 · Go +9 · Go +9
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.21.5 Go versions prior to 1.20.12 Description: The issue is related to the use of the "go get" command to fetch modules with the ".git" suffix. If the module is unavailable via secure protocols, it may fallback to the...
CVE-2023-5654
The React Developer Tools extension registers a message listener with window.addEventListener'message', in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch. The URL is not...
2023 OWASP Top-10 Series: API7:2023 Server Side Request Forgery
Welcome to the 8th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API7:2023 Server Side Request Forgery SSRF. In this series we are taking an in-depth look at each category – the details, the...
CVE-2023-33365
A path traversal vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated attackers to fetch arbitrary files from the server's web server...
[SECURITY] Fedora 37 Update: perl-CPAN-2.36-1.fc37
The CPAN module automates or at least simplifies the make and install of perl modules and extensions. It includes some primitive searching capabilities and knows how to use LWP, HTTP::Tiny, Net::FTP and certain external download clients to fetch distributions from the net...
CVE-2021-36393
In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses...
JSA10470 - Pre-authentication CGI script fails to fully validate all parameters
Edit: 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. CGI scripts accessible during pre-authentication may fail to verify the validity of values supplied as parameters. This could lead to the arbitrary fetching of ".exe" files from the...
GSD-2023-1001731 netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
netfilter: nftpayload: incorrect arithmetics when fetching VLAN header bits This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v6.1.7 by commit...
Arsenal - Recon Tool installer
Arsenal is a Simple shell script Bash used to install the most important tools and requirements for your environment and save time in installing all these tools. Tools in Arsenal Name | description ---|--- Amass | The OWASP Amass Project performs network mapping of attack surfaces and external...
CVE-2022-40816
Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be...
Full Read Server-Side Request Forgery (SSRF)
Description In the recipe edit page, is possible to upload an image directly or via an URL provided by the user. The function that handles the fetching and saving of the image via the URL doesn't have any URL verification, which allows to fetch internal services. \ \ Furthermore, after the resour...
[SECURITY] Fedora 35 Update: meg-0.2.4-6.fc35
Fetch many paths for many hosts without killing the hosts...
CVE-2022-2353 Cross-Site Request Forgery (CSRF) in microweber/microweber
Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user...
Malicious Package
Overview example-data-fetching is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts...
Local file inclusion
Description https://app.diagrams.net/embed2.js?&fetch= is used to fetch data and i tried to perform ssrf by extracting google cloud metadata but was unable to do but i am still able to fetch server files like /etc/passwd. Proof of Concept 1. Visit https://app.diagrams.net/embed2.js?&fetch= 2. Ent...