pydash Command Injection vulnerability
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke and pydash.collections.invoke_map accept dotted paths (Deep Path Strings) to target a nested Python object, relative to the original source object. These paths can be used to target...
PT-2023-36039 · Oracle · Java
Name of the Vulnerable Software and Affected Versions: Java (affected versions not specified). Description: A security exception crash has been reported. The crash involves the com.github.javaparser.GeneratedJavaParser.Expression and specific methods within java.base/sun.nio.cs.CESU_8$Encoder,...
PrestaShop Security Breach
PrestaShop is an open source e-commerce solution from PrestaShop, Inc. in the United States. The solution provides multiple payment methods, short message alerts, and product image scaling. A security vulnerability exists in PrestaShop that stems from allowing low privileged users to disable some...
PT-2023-20523
Name of the Vulnerable Software and Affected Versions: pydash versions prior to 6.0.0. Description: The issue affects pydash methods such as pydash.objects.invoke and pydash.collections.invoke_map, which accept dotted paths to target nested Python objects. These paths can be used to target internal...
Security update for Cadence (moderate)
openSUSE Security Update: Security update for Cadence Announcement ID: openSUSE-SU-2023:0270-1 Rating: moderate References: 1213330 1213983 1213985 Affected Products: openSUSE Backports SLE-15-SP4 An update that contains security fixes can now be installed. Description: This update for Cadence...
Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals
Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. "Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-lace...
Simplified Event Externalization with Spring Modulith
Transactional service methods are a common pattern in Spring applications. These methods trigger a state transition important to the business. This usually involves a core domain abstraction, such as an aggregate and its corresponding repository. A stereotypical example of such an arrangement mig...
Debian: Security Advisory (DLA-3575-1)
The remote host is missing an update for the Debian package referenced in DLA-3575-1. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
CVE-2023-34575
SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail methods...
2023 OWASP Top-10 Series: API8:2023 Security Misconfiguration
Welcome to the 9th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API8:2023 Security Misconfiguration. In this series we are taking an in-depth look at each category – the details, the impact and...
CVE-2023-42405
SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary code via the sort parameter to taskService.list, bareMetalService.list, and switchService.list...
RackShift SQL Injection Vulnerability
RackShift is an open source bare metal server management platform that covers bare metal server discovery, out-of-band management, RAID configuration, firmware updates, operating system installation and more. A security vulnerability exists in RackShift v1.7.1 that allows an attacker to execute...
CVE-2023-4104
An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN 2.16.1 Linux...
A history of ransomware: How did it get this far?
Today's ransomware is the scourge of many organizations. But where did it start? If we define ransomware as malware that encrypts files to extort the owner of the system, then the first malware that could be classified as ransomware is the 1989 AIDS Trojan. However, while it encrypted filenames a...
Oracle Linux 7 : python-twisted-web (ELSA-2020-1091)
The remote Oracle Linux 7 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2020-1091 advisory. 12.1.0-6 - Fix CVE-2019-12387 HTTP Header Injection Resolves: rhbz1721518 Tenable has extracted the preceding description block directly from the Oracle Linux...
GHSA-G58X-57FV-86JH Jenkins Google Login Plugin non-constant time token comparison
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token...
Jenkins Google Login Plugin non-constant time token comparison
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token...
CVE-2023-41936
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token...