Lucene search

7411 matches found

OSV, added 2023/07/17 7:51 p.m., 26 views

CVE-2023-37461 Path traversal in metersphere

Metersphere is an open source testing framework. Files uploaded to Metersphere may define a belongType value with a relative path like ../../../../, which may cause Metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to...

CVSS 5.6 · AI score 8.9 · EPSS 0.00537
Exploits 1 · References 3
HackRead, added 2023/07/16 11:35 p.m., 13 views

Steps Involved In Penetration Testing And Their Methodology In Cybersecurity

By Owais Sultan. Let's explore the steps involved in penetration testing and the methodology employed by cybersecurity professionals to conduct effective… This is a post from HackRead.com. Read the original post: Steps Involved In Penetration Testing And Their Methodology In Cybersecurity...

AI score 6.9
Exploits 0
Tenable Nessus, added 2023/07/14 12:00 a.m., 7 views

SUSE SLED12 / SLES12 Security Update : installation-images (SUSE-SU-2023:2819-1)

The remote SUSE Linux SLED12 / SLEDSAP12 / SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2819-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...

AI score 5.6
Exploits 0 · References 2
Rapid7 Blog, added 2023/07/13 6:15 p.m., 12 views

PenTales: Old Vulns, New Tricks

At Rapid7 we love a good pentest story. So often they show the cleverness, skill, resilience, and dedication to our customers' security that can only come from actively trying to break it! In this series, we're going to share some of our favorite tales from the pen test desk and hopefully highlig...

AI score 6.8
Exploits 0
Debian CVE, added 2023/07/13 8:24 a.m., 21 views

CVE-2023-29449

JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to the administrative roles Admin and Superadmin. Administrative privileges should typically be granted ...

CVSS 5.9 · AI score 5.2 · EPSS 0.00992
Exploits 0
Citrix, added 2023/07/12 12:00 a.m., 6 views

Microsoft Security Update Validation Report July 2023

Microsoft's July 2023 security updates have passed Citrix testing; the updates are listed below. The testing is not all-inclusive: all tests are executed against English-only environments, and issues may still be found upon implementation. Follow best practices for testing and installing software...

AI score 7
Exploits 0
Imperva Blog, added 2023/07/11 1:15 p.m., 29 views

The Battle Against Business Logic Attacks: Why Traditional Security Tools Fall Short

As the digital landscape continues to evolve, so do the tactics used by bad actors seeking to exploit application vulnerabilities. Among the most insidious types of attacks are business logic attacks (BLAs). Unlike known attacks, which can be identified by signatures or patterns, such ...

AI score 8.5
Exploits 0
Spring Security Advisories, added 2023/07/11 12:00 a.m., 17 views

This Week in Spring - July 11th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in yummy, sunny Jakarta, Indonesia at the moment, preparing for a week of meetings and the SpringOne Tour Indonesia event later this week. I'll also be speaking in Kuala Lumpur, Malaysia on July 20th, 2023. If you're in...

AI score 7
Exploits 0
Prion, added 2023/07/06 2:15 p.m., 12 views

Design/Logic Flaw

Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can ...

CVSS 6.5 · AI score 8.6 · EPSS 0.00589
Exploits 1 · References 1 · Affected Software 1
CVE, added 2023/07/06 1:50 p.m., 34 views

CVE-2023-35937

CVE-2023-35937 affects Metersphere before version 2.10.2 LTS, where several key APIs lack permission checks, allowing ordinary users to perform actions reserved for space/project administrators (e.g., updating a user as a space administrator). The issue is documented in multiple sources (NVD entr...

CVSS 8.8 · AI score 7.3 · EPSS 0.00589
Exploits 1 · References 1 · Affected Software 1
The Hacker News, added 2023/07/06 10:47 a.m., 40 views

How Pen Testing can Soften the Blow on Rising Costs of Cyber Insurance

As technology advances and organizations become more reliant on data, the risks associated with data breaches and cyber-attacks also increase. The introduction of data privacy laws, such as the GDPR, has made it mandatory for organizations to disclose breaches of personal data to those affected. ...

CVSS 9.8 · AI score 6.5 · EPSS 0.85689
Exploits 9
The Hacker News, added 2023/07/06 10:47 a.m., 3 views

How Pen Testing can Soften the Blow on Rising Costs of Cyber Insurance

As technology advances and organizations become more reliant on data, the risks associated with data breaches and cyber-attacks also increase. The introduction of data privacy laws, such as the GDPR, has made it mandatory for organizations to disclose breaches of personal data to those affected. ...

AI score 6.5
Exploits 0
BDU FSTEC, added 2023/07/04 12:00 a.m., 2 views

The vulnerability in the Microsoft Visual Studio software development tool and the Microsoft .NET platform, related to insufficient validation of input data, allows attackers to execute arbitrary code.

The vulnerability in the Microsoft Visual Studio software and the Microsoft .NET platform is related to insufficient validation of input data. Exploiting this vulnerability can allow an attacker to execute arbitrary code...

CVSS 7.3 · AI score 7.5 · EPSS 0.00999
Exploits 0 · References 4 · Affected Software 2
GithubExploit, added 2023/06/29 3:23 p.m., 514 views

Exploit for OS Command Injection in Easynas

CVE-2023-0830: EasyNAS 1.1.0 Authenticated OS Command Injectio...

CVSS 8.8 · AI score 7.5 · EPSS 0.20862
Exploits 5
Atlassian, added 2023/06/29 2:27 p.m., 56 views

Injection, RCE (Remote Code Execution) in Bamboo

This High severity Injection and RCE (Remote Code Execution) vulnerability, known as CVE-2023-22506, was introduced in version 8.0.0 of Bamboo Data Center. This Injection and RCE (Remote Code Execution) vulnerability, with a CVSS score of 7.5, allows an authenticated attacker to modify the actions take...

CVSS 8.8 · AI score 9.4 · EPSS 0.01805
Exploits 0
vulnersOsv, added 2023/06/28 12:33 p.m., 3 views

manifest-confusion-check (>=0.1.0 <=0.1.8), manifest-confusion-dependency-package (=1.0.0) +1 more potentially affected by unknown CVE via darcyclarke-manifest-pkg (=2.1.15)

darcyclarke-manifest-pkg NPM version =2.1.15 is affected by a known vulnerability. The following packages have a transitive dependency on darcyclarke-manifest-pkg and may be impacted: - manifest-confusion-check >=0.1.0, <=0.1.8 - manifest-confusion-dependency-package =1.0.0 -...

AI score 5.8
Exploits 0
Kitploit, added 2023/06/28 2:12 a.m., 51 views

HardHatC2 - A C# Command And Control Framework

A cross-platform, collaborative Command & Control framework written in C#, designed for red teaming and ease of use. HardHat is a multiplayer C# .NET-based command and control framework designed to aid in red team engagements and penetration testing. HardHat aims to improve the quality of life...

AI score 8.3
Exploits 0 · References 4
GithubExploit, added 2023/06/27 8:29 a.m., 383 views

Exploit for Code Injection in Apache Commons_Text

CVE-2022-42889 (Text4Shell) Testing Script. This repository co...

CVSS 9.8 · AI score 9.1 · EPSS 0.99931
Exploits 41
Malwarebytes, added 2023/06/26 1:00 a.m., 10 views

A week in security (June 19 - 25)

Last week on Malwarebytes Labs: Microsoft Azure AD flaw can lead to account takeover; 5 facts to know about the Royal ransomware gang; Malwarebytes only vendor to win every MRG Effitas award in 2022 & 2023; UPS warns customers of phishing attempts after data accessed; 6 tips for a cybersecure honeymo...

AI score 6.7
Exploits 0
CNNVD, added 2023/06/26 12:00 a.m., 2 views

Number withdrawn

Sliver is Bishop Fox's open source, cross-platform adversary simulation / red team framework. It can be used by organizations of all sizes to perform security testing. This CVE number has been withdrawn...

AI score 5.4
Exploits 0 · References 6