Lucene search

3370 matches found

Positive Technologies
added 2023/10/04 12:0 a.m. · 6 views

PT-2023-6558 · Django +6 · Django +6

Name of the Vulnerable Software and Affected Versions: Django versions 3.2 before 3.2.22; Django versions 4.1 before 4.1.12; Django versions 4.2 before 4.2.6. Description: The issue is related to the django.utils.text.Truncator chars and words methods when used with html=True, which can be subject t...

CVSS 9.8 · AI score 7.3 · EPSS 0.87218
Exploits 29 · References 129
OSV
added 2023/10/03 4:48 p.m. · 3 views

CLSA-2023-1696351712 Fix CVE(s): CVE-2022-48541

SECURITY UPDATE: a memory leak that allows remote attackers to perform a denial of service via the "identify -help" command - debian/patches/CVE-2022-48541.patch: added missing calls to destroy methods - CVE-2022-48541...

CVSS 7.1 · AI score 5.8 · EPSS 0.01188
Exploits 1 · References 1
BDU FSTEC
added 2023/10/03 12:0 a.m. · 2 views

The vulnerability of the SolarWinds Orion Platform’s network monitoring software lies in the use of dangerous methods or functions, allowing a malicious actor to execute arbitrary commands with privileges of NETWORK SERVICE.

The vulnerability of the SolarWinds Orion Platform’s network monitoring software is related to the use of dangerous methods or functions. Exploiting this vulnerability could allow a hacker to execute arbitrary commands with privileges of NETWORK SERVICE...

CVSS 9 · AI score 7.6 · EPSS 0.05433
Exploits 0 · References 4 · Affected Software 1
OSV
added 2023/10/02 11:29 p.m. · 28 views

GHSA-5RV5-6H4R-H22V opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

Summary Autoinstrumentation out of the box adds the label httpmethod that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. Details HTTP method for requests can be easily set by an attacker to be random and long. PoC Send many...

CVSS 7.5 · AI score 7.5 · EPSS 0.00685
Exploits 0 · References 5
Github Security Blog
added 2023/10/02 11:29 p.m. · 38 views

opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

Summary Autoinstrumentation out of the box adds the label httpmethod that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. Details HTTP method for requests can be easily set by an attacker to be random and long. PoC Send many...

CVSS 7.5 · AI score 6.8 · EPSS 0.00685
Exploits 0 · References 5 · Affected Software 1
GithubExploit
added 2023/10/02 2:55 p.m. · 694 views

Exploit for Deserialization of Untrusted Data in Progress Ws_Ftp_Server

WSFTP-CVE-2023-40044 Repository with everything I have track...

CVSS 10 · AI score 9.4 · EPSS 0.90044
Exploits 5
Github Security Blog
added 2023/09/28 6:30 a.m. · 33 views

pydash Command Injection vulnerability

This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke and pydash.collections.invokemap accept dotted paths Deep Path Strings to target a nested Python object, relative to the original source object. These paths can be used to target...

CVSS 8.1 · AI score 7.3 · EPSS 0.02919
Exploits 1 · References 6 · Affected Software 1
CNNVD
added 2023/09/28 12:0 a.m. · 2 views

PrestaShop Security Breach

PrestaShop is an open source e-commerce solution from PrestaShop, Inc. in the United States. The solution provides multiple payment methods, short message alerts, and product image scaling. A security vulnerability exists in PrestaShop that stems from allowing low privileged users to disable some...

CVSS 6.3 · AI score 6.7 · EPSS 0.00345
Exploits 0 · References 3
Positive Technologies
added 2023/09/28 12:0 a.m. · 3 views

PT-2023-36039 · Oracle · Java

Name of the Vulnerable Software and Affected Versions: Java affected versions not specified Description: A security exception crash has been reported. The crash involves the com.github.javaparser.GeneratedJavaParser.Expression and specific methods within java.base/sun.nio.cs.CESU 8$Encoder,...

AI score 7
Exploits 0 · References 2
Positive Technologies
added 2023/09/27 12:0 a.m. · 1 view

PT-2023-20523

Name of the Vulnerable Software and Affected Versions: pydash versions prior to 6.0.0. Description: The issue affects pydash methods such as pydash.objects.invoke and pydash.collections.invoke map, which accept dotted paths to target nested Python objects. These paths can be used to target internal...

CVSS 9.1 · AI score 7.2 · EPSS 0.02919
Exploits 1 · References 14
OPENSUSE Linux
added 2023/09/26 12:0 a.m. · 5 views

Security update for Cadence (moderate)

openSUSE Security Update: Security update for Cadence Announcement ID: openSUSE-SU-2023:0270-1 Rating: moderate References: 1213330 1213983 1213985 Affected Products: openSUSE Backports SLE-15-SP4 An update that contains security fixes can now be installed. Description: This update for Cadence...

AI score 7.4
Exploits 0
The Hacker News
added 2023/09/25 1:5 p.m. · 35 views

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. "Since drones or Unmanned Aerial Vehicles UAVs have been an integral tool used by the Ukrainian military, malware-lace...

AI score 7.2
Exploits 0
Spring Security Advisories
added 2023/09/22 12:0 a.m. · 42 views

Simplified Event Externalization with Spring Modulith

Transactional service methods are a common pattern in Spring applications. These methods trigger a state transition important to the business. This usually involves a core domain abstraction, such as an aggregate and its corresponding repository. A stereotypical example of such an arrangement mig...

AI score 6.8
Exploits 0
OpenVAS
added 2023/09/21 12:0 a.m. · 18 views

Debian: Security Advisory (DLA-3575-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 · AI score 7.5 · EPSS 0.37325
Exploits 10 · References 4
OSV
added 2023/09/20 10:15 p.m. · 2 views

CVE-2023-34575

SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail methods...

CVSS 9.8 · AI score 6 · EPSS 0.00745
Exploits 1 · References 1
Wallarm Lab
added 2023/09/16 1:15 p.m. · 21 views

2023 OWASP Top-10 Series: API8:2023 Security Misconfiguration

Welcome to the 9th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API8:2023 Security Misconfiguration. In this series we are taking an in-depth look at each category – the details, the impact and...

AI score 6.8
Exploits 0
ATTACKERKB
added 2023/09/14 11:15 p.m. · 2 views

CVE-2023-42405

SQL injection vulnerability in FIT2CLOUD RackShift v1.7.1 allows attackers to execute arbitrary code via the sort parameter to taskService.list, bareMetalService.list, and switchService.list...

CVSS 9.8 · AI score 7.7 · EPSS 0.00976
Exploits 1 · References 2
CNNVD
added 2023/09/14 12:0 a.m. · 3 views

RackShift SQL Injection Vulnerability

RackShift is an open source bare metal server management platform that covers bare metal server discovery, out-of-band management, RAID configuration, firmware updates, operating system installation and more. A security vulnerability exists in RackShift v1.7.1 that allows an attacker to execute...

CVSS 9.8 · AI score 7.8 · EPSS 0.00976
Exploits 1 · References 3
UbuntuCve
added 2023/09/11 9:15 a.m. · 34 views

CVE-2023-4104

An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN 2.16.1 Linux...

CVSS 5.5 · AI score 6.1 · EPSS 0.00353
Exploits 1 · References 8
Vulnrichment
added 2023/09/11 8:2 a.m. · 12 views

CVE-2023-4104

An invalid Polkit Authentication check and missing authentication requirements for D-Bus methods allowed any local user to configure arbitrary VPN setups. This bug only affects Mozilla VPN on Linux. Other operating systems are unaffected. This vulnerability affects Mozilla VPN 2.16.1 Linux...

AI score 5.4 · EPSS 0.00353
Exploits 1 · References 6