EUVD-2023-1619

Malicious code in bioql PyPI...

CVE-2021-29484

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and m...

BIT-DISCOURSE-2022-39241 Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVE-2023-41055

LibreY is a fork of LibreX, a framework-less and javascript-free privacy respecting meta search engine. LibreY is subject to a Server-Side Request Forgery SSRF vulnerability in the engines/google/text.php and engines/duckduckgo/text.php files in versions before commit...

Design/Logic Flaw

Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute...

CVE-2023-31133 Ghost vulnerable to disclosure of private API fields

Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute...

CVE-2023-31133 Ghost vulnerable to disclosure of private API fields

Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute...

Ghost vulnerable to information disclosure of private API fields

Impact Due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. GhostPro has already been patched. We can find no evidence that the issue was exploited on GhostPro prior to the patch being added. Self-hosters are...

CVE-2022-39241

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

Code injection

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVE-2022-39241 Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVE-2022-39241 Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest stable, beta, and test-passed versions are now patched. As a...

CVE-2021-43827

The CVE-2021-43827 issue concerns the discourse-footnote library used with Discourse. Affected behavior occurs when an inline footnote is wrapped in tags, producing a nested element in rendered HTML. Nokogiri strips the nested tag, leading to a JavaScript error on topic pages when code searches...

CVE-2021-43827 Inline footnotes wrapped in <a> tags can cause errors in discourse-footnotes

discourse-footnote is a library providing footnotes for posts in Discourse. Impact When posting an inline footnote wrapped in tags e.g. ^footnote, the resulting rendered HTML would include a nested , which is stripped by Nokogiri because it is not valid. This then caused a javascript error on top...

CVE-2021-32632

Pajbot is a Twitch chat bot. CVE-2021-32632 covers CSRF in Pajbot versions prior to 1.52, enabling modification of commands, modules, and banphrases via hidden iframes. Affected component: the web application lacks sufficient request validation, leading to cross-site forgery. Impact is defined as...

CVE-2021-29484

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and m...

Code injection

Ghost is a Node.js CMS. An unused endpoint added during the development of 4.0.0 has left sites vulnerable to untrusted users gaining access to Ghost Admin. Attackers can gain access by getting logged in users to click a link containing malicious code. Users do not need to enter credentials and m...

One-Click Microsoft Exchange On-Premises Mitigation Tool - March 2021

We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there...