Yet Another Reverse Proxy (YARP) Denial of Service Vulnerability

...

PT-2023-3138 · Microsoft · Yet Another Reverse Proxy

Name of the Vulnerable Software and Affected Versions: Yet Another Reverse Proxy YARP affected versions not specified Description: The issue is related to insufficient input validation in Yet Another Reverse Proxy YARP, which can be exploited by a remote attacker to cause a denial of service...

Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants

Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle AitM phishing and business email compromise BEC attack, Microsoft has revealed. "The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and...

Improper Certificate Validation

org.keycloak:keycloak-services is vulnerable to Improper Certificate Validation. The flaw relies on enabling Revalidate Client Certificate and not validating the reverse proxy before Keycloak. An attacker is able to choose the server-validated certificate, resulting in authentication bypass...

CVE-2023-33977

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded...

Cross site scripting

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded...

CVE-2023-33977

Kiwi TCMS is affected by CVE-2023-33977 (stored XSS via unrestricted file upload) in versions prior to 12.4. The root cause is incomplete upload validation that can permit uploading potentially dangerous files, enabling arbitrary JavaScript execution in the browser. An additional issue involves N...

CVE-2023-33977 Stored cross site scripting (XSS) via unrestricted file upload in Kiwi TCMS

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded...

CVE-2023-33977 Stored cross site scripting (XSS) via unrestricted file upload in Kiwi TCMS

Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded...

GHSA-2FQM-M4R2-FH98 kiwitcms vulnerable to stored cross-site scripting via unrestricted file upload

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. Th...

PT-2023-8827 · Nginx +1 · Nginx +1

Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.4 Description: The issue is related to the lack of protection of the web page structure in Kiwi TCMS, allowing a remote attacker to upload arbitrary attachments to test plans and test cases. Earlier versions of...

CVE-2023-33193 Emby Server Proxy Header Spoofing Vulnerability

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system,...

Emby Server 环境问题漏洞

Emby Server is a powerful media server for individual developers. The product can be used primarily for integrated multimedia editing such as video audio and photos. A security vulnerability exists in Emby Server versions prior to 4.7.12, which originates from a determination that may affect...

Duplicate Advisory: Keycloak vulnerable to untrusted certificate validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5cc8-pgp5-7mpm. This link is maintained to preserve external references. Original Advisory A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be...

Spring Boot Welcome Page Denial of Service

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the condition...

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If...

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If...

CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If...

Default configuration

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If...

CVE-2023-20883

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache...