1088 matches found
PT-2023-27902 · Unknown · Apollo Router
Name of the Vulnerable Software and Affected Versions: Apollo Router versions 1.28.0 through 1.29.0. Description: The Apollo Router is subject to a Denial-of-Service (DoS) vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. This can be triggered...
Important: Red Hat Security Advisory: subscription-manager security update
An update for subscription-manager is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
Candlepin Security Breach
Candlepin is a collection of tools that allow companies to manage software subscriptions. A security vulnerability exists in Candlepin that stems from a security flaw in the authorization checking of the server component...
GHSA-GGGM-66RH-PP98 Incorrect Permission Checking for GraphQL Subscriptions
Summary: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Access to information you should not have access to when the permissions rely on $CURRENTUSER for filtering. Details: The permission filters (i.e. usercreated IS $CURRENTUSER) are not properly checked when using GraphQL...
CVE-2023-38503 Directus has Incorrect Permission Checking for GraphQL Subscriptions
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. usercreated IS $CURRENTUSER) are not properly checked when using GraphQL subscription, resulting in unauthorized users getting event o...
Directus Information Disclosure Vulnerability
Directus is a real-time API and application dashboard used to manage SQL database content. An information disclosure vulnerability exists in Directus versions starting with 10.3.0 and prior to 10.5.0, which stems from improper permission checking of GraphQL subscriptions, resulting in an information...
PT-2023-26483 · Directus · Directus
Name of the Vulnerable Software and Affected Versions: Directus versions 10.3.0 through 10.4.x. Description: The issue concerns the improper checking of permission filters when using GraphQL subscriptions, resulting in unauthorized users receiving events they should not have access to. This affect...
WordPress WooCommerce Subscriptions Plugin <= 5.1.2 is vulnerable to Insecure Direct Object References (IDOR)
Software: WooCommerce Subscriptions · Type: Plugin · Vulnerable versions: <= 5.1.2 · Fixed in: 5.1.3 · OWASP Top 10: A5: Broken Access Control · Classification: Insecure Direct Object References (IDOR) · CVE: CVE-2023-35914 · Patch priority: Low · CVSS severity: Low 7.5 · Developer: Claim ownership · PSID: 00ef3fa8d5b4 · Credits...
CVE-2023-1430
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...
CVE-2023-1430
CVE-2023-1430 affects the FluentCRM plugin for WordPress. The vulnerability arises from using an MD5 hash without a salt to authorize unsubscription and subscription management, allowing unauthenticated attackers (with knowledge of a subscriber’s email) to unsubscribe or modify subscriptions. Aff...
CVE-2023-34226
In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible...
Cross site scripting
In JetBrains TeamCity before 2023.05 reflected XSS in the Subscriptions page was possible...
CVE-2023-34226
CVE-2023-34226 affects JetBrains TeamCity prior to version 2023.05, where a reflected cross-site scripting (XSS) flaw was disclosed on the Subscriptions page. The issue arises from improper input handling that allows untrusted input to be reflected in the UI, enabling potential user‑driven script...
PT-2023-24751 · Jetbrains · Teamcity
Name of the Vulnerable Software and Affected Versions: JetBrains TeamCity versions prior to 2023.05. Description: The issue is related to reflected XSS in the Subscriptions page. Recommendations: For versions prior to 2023.05, update to version 2023.05 or later to resolve the issue...
CVE-2023-31453
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised ...
Apache InLong Security Vulnerability
Apache InLong is the Apache Software Foundation's one-stop massive data integration framework. An authorization vulnerability exists in Apache InLong versions 1.2.0 through 1.6.0. The vulnerability stems from improper privilege management. An attacker can exploit the vulnerabili...
ChatGPT Scams Are Infiltrating Apple's App Store and Google Play
An explosion of interest in OpenAI’s sophisticated chatbot means a proliferation of “fleeceware” apps that trick users with sneaky in-app subscriptions...