1002 matches found

Packet Storm
added 2023/12/08 12:00 a.m., 835 views

ISPConfig 3.2.11 PHP Code Injection

------------------------------------------------------------------------ ISPConfig = 3.2.11 languageedit.php PHP Code Injection Vulnerability ------------------------------------------------------------------------ - Software Link: https://www.ispconfig.org - Affected Versions: Version 3.2.11 and...

CVSS 7.2, AI score 7.2, EPSS 0.90534
Exploits 14
Veracode
added 2023/11/23 8:34 a.m., 11 views

Cross Site Scripting (XSS)

nautobot is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper usage of Django's mark_safe API during the rendering of user-generated content, including personalized links, job buttons, and computed fields. This introduces a vulnerability that allows users with the abilit...

CVSS 7.1, AI score 6.5, EPSS 0.00295
Exploits 0, References 7, Affected software 1
Tenable Nessus
added 2023/11/14 12:00 a.m., 22 views

RHEL 8 : fwupd (RHSA-2023:7189)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:7189 advisory. The fwupd packages provide a service that allows session software to update device firmware. Security Fixes: fwupd: world readable password in...

CVSS 6.5, AI score 6.2, EPSS 0.001
Exploits 0, References 6
Malwarebytes
added 2023/11/13 7:28 a.m., 15 views

A week in security (November 06 – November 12)

Last week on Malwarebytes Labs: Defeating Little Brother requires a new outlook on privacy: Lock and Code S04E23 Medical research data Advarra stolen after SIM swap Okta breach happened after employee logged into personal Google account Introducing ThreatDown: A new chapter for Malwarebytes...

AI score 7.6
Exploits 0
Hacker One
added 2023/11/08 2:03 a.m., 22 views

X (Formerly Twitter): Cross-Domain Leakage of X Username / UserID due to Dynamically Generated JS File

The vulnerability allowed the retrieval of a user's X username and user ID from a dynamically generated JavaScript file hosted on Twitter. An attacker could force a victim to import the file from a malicious website, bypassing the Same-Origin Policy and exposing the user's sensitive information...

AI score 6.8
Exploits 0
Cvelist
added 2023/11/03 4:16 a.m., 23 views

CVE-2023-41345 ASUS RT-AX55 - command injection - 1

ASUS RT-AX55’s authentication-related function has a vulnerability of insufficient filtering of special characters within its token-generated module. An authenticated remote attacker can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the...

CVSS 8.8, AI score 9.2, EPSS 0.00769
Exploits 0, References 1
The Hacker News
added 2023/10/10 10:28 a.m., 40 views

New Report: Child Sexual Abuse Content and Online Risks to Children on the Rise

Certain online risks to children are on the rise, according to a recent report from Thorn, a technology nonprofit whose mission is to build technology to defend children from sexual abuse. Research shared in the Emerging Online Trends in Child Sexual Abuse 2023 report, indicates that minors are...

AI score 6.9
Exploits 0
Packet Storm
added 2023/10/02 12:00 a.m., 288 views

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credential Disclosure

Electrolink FM/DAB/TV Transmitter controlloLogin.js Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W...

AI score 7.1
Exploits 0
OSV
added 2023/09/25 4:15 p.m., 2 views

CVE-2023-4148

The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1, AI score 7.3
Exploits 0, References 1
OpenVAS
added 2023/08/23 12:00 a.m., 8 views

WordPress Lead Generated Plugin < 1.25 Object Injection Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:leadgenerated:leadgenerated"; ifdescription...

CVSS 9.8, AI score 9.6, EPSS 0.01024
Exploits 1, References 1
Prion
added 2023/07/18 5:15 p.m., 14 views

Cross site scripting

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting XSS. Since the Export Chat feature...

CVSS 4.9, AI score 5, EPSS 0.00245
Exploits 0, References 2, Affected software 1
FreeBSD
added 2023/07/18 12:00 a.m., 12 views

element-web -- Cross site scripting in Export Chat feature

Matrix Developers reports: The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS...

CVSS 6.1, AI score 6.9, EPSS 0.00245
Exploits 0, References 1
CNNVD
added 2023/07/04 12:00 a.m., 3 views

Fastify Cross-Site Request Forgery Vulnerability

Fastify is an OpenJS Foundation open source web framework for Node.js. A security vulnerability exists in Fastify oauth2 that stems from the use of statically generated state parameters in all user requests...

CVSS 8.8, AI score 7.7, EPSS 0.01313
Exploits 1, References 5
Talos Blog
added 2023/06/29 6:00 p.m., 43 views

New video provides a behind-the-scenes look at Talos ransomware hunters

Welcome to this week's edition of the Threat Source newsletter. AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children's books for you. There...

CVSS 6.8, AI score 6.3, EPSS 0.52383
Exploits 3
Snyk
added 2023/06/14 12:00 a.m., 5 views

Remote Code Execution (RCE)

Overview Affected versions of this package are vulnerable to Remote Code Execution RCE. A vulnerability exists in .NET source generator for P/Invokes that can lead to generated code freeing uninitialized memory and crashing. Remediation Upgrade Microsoft.NETCore.App.Runtime.osx-arm64 to version...

CVSS 7.3, AI score 7.6, EPSS 0.01131
Exploits 0, References 2
Openbugbounty
added 2023/06/03 6:10 p.m., 10 views

coulomb.umontpellier.fr Cross Site Scripting vulnerability OBB-3381050

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits 0
CVE
added 2023/06/02 12:00 a.m., 235 views

CVE-2023-25751

CVE-2023-25751 affects Firefox and Thunderbird: root cause is incorrect code generation during JIT code invalidation when following an iterator, which could lead to a potentially exploitable crash. Affected: Firefox <=111 and Firefox ESR <=102.8/9, Thunderbird

CVSS 6.5, AI score 6.9, EPSS 0.00115
Exploits 0, References 4, Affected software 3
Malwarebytes
added 2023/05/29 1:00 a.m., 9 views

A week in security (May 22-28)

Last week on Malwarebytes Labs: Update now: 9 vulnerabilities impact Cisco Small Business Series ChatGPT: Cybersecurity friend or foe? Webinar recap: EDR vs MDR for business success Identity crisis: How an anti-porn crusade could jam the Internet, featuring Alec Muffett: Lock and Code S04E11...

AI score 7.1
Exploits 0
OpenVAS
added 2023/05/22 12:00 a.m., 8 views

WordPress Unspecified Vulnerability (May 2023) - Linux

WordPress is prone to an unspecified vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:wordpress:wordpress";...

AI score 7.3
Exploits 0, References 1
Snyk
added 2023/05/19 12:00 a.m., 4 views

Acceptance of Extraneous Untrusted Data With Trusted Data

Overview johnpbloch/wordpress-core is a web software you can use to create a website or blog. Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the processing of shortcodes in user-generated content. An attacker can manipulate...

CVSS 6.9, AI score 7
Exploits 0, References 2