Chadha PHPKB Cross-Site Scripting Vulnerability (CNVD-2020-17363)

Chadha Software Technologies PHPKB Standard Multi-Language is a web-based, multi-language knowledge base management system from Chadha Software Technologies, India. A reflected cross-site scripting vulnerability exists in admin/manage-groups.php in Chadha PHPKB Standard Multi-Language version 9...

PT-2020-11905 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 8.3 through 12.8.1 Description: The issue allows certain non-members to access the Contribution Analytics page of a private group, resulting in information disclosure. Recommendations: For GitLab versions 8.3 through 12.8.1,...

PT-2020-11913 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 12.5 through 12.8.1 Description: The issue concerns Insecure Permissions in GitLab. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level. Recommendations: For...

CVE-2020-10426

The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/manage-groups.php by adding a question mark ? followed by the payload...

Input validation

An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues...

CVE-2019-12433

An issue was discovered in GitLab Community and Enterprise Edition 11.7 through 11.11. It has Improper Input Validation. Restricted visibility settings allow creating internal projects in private groups, leading to multiple permission issues...

CVE-2019-12433

Removed by vendor...

Microsoft Exchange Server Flaw Exploited in APT Attacks

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges. The vulnerability in question CVE-2020-0688 exists in the control panel of...

Microsoft Exchange Server Flaw Exploited in APT Attacks

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges. The vulnerability in question CVE-2020-0688 exists in the control panel of...

BadBlood - Fills A Microsoft Active Directory Domain With A Structure And Thousands Of Objects

BadBlood by Secframe fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding...

Patrick Wardle: Apple Devices Hit With Recycled macOS Malware

SAN FRANCISCO – Advanced persistent threat APT groups are hitting Apple devices with malware that has been reverse engineered and redeployed for malicious acts. This technique is complicating attribution efforts, Patrick Wardle, security researcher with Jamf, said this week during RSA Conference...

[SECURITY] Fedora 30 Update: systemd-241-14.git18dd3fb.fc30

systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization capabilities, uses socket and D-Bus activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux control groups,...

Fedora: Security Advisory for systemd (FEDORA-2020-f8e267d6d0)

The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

GHSA-CMCX-XHR8-3W9P Denial of Service in uap-core when processing crafted User-Agent strings

Impact Some regexes are vulnerable to regular expression denial of service REDoS due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-core to gt;=...

M-Trends 2020: Insights From the Front Lines

Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years—and more. One of the most exciting takeaways...

Linux: Unique primary groups for user accounts

The password file stores information about users such like username, UID, GID, etc. Users with same group can access and unintentionally or maliciously modify another user Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyrig...

Linux: Read /etc/group (KB)

The /etc/group file is a text file that defines the groups on the system. There is one entry per line, with the following format: - groupname:password:GID:userlist Note: This script only stores information for other Policy Controls. Copyright C 2020 Greenbone Networks GmbH Some text descriptions...

CVE-2013-4228

The OG access fields visibility fields implementation in Organic Groups OG module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via...

Spoofing

The OG access fields visibility fields implementation in Organic Groups OG module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via...

CVE-2013-4228

The OG access fields visibility fields implementation in Organic Groups OG module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via...