100 matches found
collective.task Cross-Site Scripting Vulnerability
collective.task is an open source Plone task management tool from Collective. A cross-site scripting vulnerability exists in collective.task versions prior to 3.0.9, which stems from the function renderCell/AssignedGroupColumn in the file src/collective/task/browser/table.py, which is manipulated to...
Researchers Disclose Details of Critical 'CosMiss' RCE Flaw Affecting Azure Cosmos DB
Microsoft on Tuesday said it addressed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB that enabled full read and write access. The tech giant said the problem was introduced on August 12, 2022, and rectified worldwide on October 6, 2022, two days after responsible...
Rizin Buffer Error Vulnerability
Rizin is a free open source reverse engineering framework from the Rizin organization. It is used for analyzing binary files, disassembling code, debugging programs, as a forensic tool, as a scriptable command-line hex editor capable of opening disk files, and more. A buffer error vulnerability...
CVE-2022-2634
An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed...
CVE-2022-2634 Digi ConnectPort X2D
An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed...
PT-2022-4007 · Digi · Digi Connectport X2E
Name of the Vulnerable Software and Affected Versions: Digi ConnectPort X2D affected versions not specified Description: The issue is related to errors in access control, allowing a remote attacker to execute arbitrary code by uploading specially crafted python files. This is due to the lack of...
Digi ConnectPort X2D Security Vulnerability
The Digi ConnectPort X2D is a small gateway from Digi, Inc. It provides low-cost IP networking for RF devices and sensor networks. The Digi ConnectPort X2D suffers from a security vulnerability that stems from the web application's lack of device access protection and device privilege control...
Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706
Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October...
New Mac malware masquerades as iTerm2, Remote Desktop and other apps
Last week, security researcher Patrick Wardle released details of a new piece of malware masquerading as the legitimate app iTerm2. The malware was discovered earlier the same day by security researcher Zhi @CodeColorist on Twitter, and detailed on a Chinese-language blog. For those who don't spea...
CVE-2020-18703
XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'...
Code Injection in ultralytics/yolov5
Description: Arbitrary Code Execution in ultralytics/yolov5. Yolov5 is an Object Detection model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offer a wide range of visi...
Code Injection in microsoft/nni
Description: Arbitrary Code Execution in microsoft/nni. An open source AutoML toolkit to automate the machine learning lifecycle, including feature engineering, neural architecture search, model compression and hyper-parameter tuning. Technical Description: This package was vulnerable to Arbitrary co...
Mozilla Firefox Security Advisories (MFSA2020-01, MFSA2020-02) - Windows
Mozilla Firefox is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:firefox";...
CVE-2008-4863
Untrusted search path vulnerability in BPYinterface in Blender 2.46 allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySysSetArgv function...
Design/Logic Flaw
DISPUTED: Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file. NOTE: the vendor disputes this issue because the observed behavior is consistent with the product's intended functionality...
CVE-2018-18748
Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file. NOTE: the vendor disputes this issue because the observed behavior is consistent with the product's intended functionality...
CVE-2018-18603
360 Total Security 3.5.0.1033 allows a Sandbox Escape via an "import os" statement, followed by os.system("CMD") or os.system("PowerShell"), within a .py file. NOTE: the vendor's position is that this cannot be categorized as a vulnerability, although it is a security-related issue...