
2754 matches found

Github Security Blog
added 2023/10/25 9:06 p.m. · 30 views

org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

Impact An attacker with edit access on any document (can be the user profile which is editable by default) can move any attachment of any other document to this attacker-controlled document. This allows the attacker to access and possibly publish any attachment of which the name is known, regardles...

CVSS 8.1 · AI score 6.7 · EPSS 0.00573
Exploits: 1 · References: 5 · Affected Software: 1
OSV
added 2023/10/25 8:48 p.m. · 26 views

CVE-2023-46133 crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard

CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a...

CVSS 9.1 · AI score 9 · EPSS 0.00446
Exploits: 1 · References: 4
Prion
added 2023/10/25 6:17 p.m. · 17 views

Server side request forgery (ssrf)

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request...

CVSS 7.5 · AI score 9.3 · EPSS 0.67715
Exploits: 0 · References: 1 · Affected Software: 1
Vulnrichment
added 2023/10/25 5:17 p.m. · 15 views

CVE-2023-37910 org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document can be the use...

CVSS 8.1 · AI score 6.7 · EPSS 0.00573
Exploits: 1 · References: 3
Cvelist
added 2023/10/25 5:17 p.m. · 20 views

CVE-2023-37910 org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document can be the use...

CVSS 8.1 · AI score 8.2 · EPSS 0.00573
Exploits: 1 · References: 3
OSV
added 2023/10/25 2:09 p.m. · 2 views

GHSA-5873-6FWQ-463F stellar-strkey vulnerable to panic in SignedPayload::from_payload

Impact Panic vulnerability when a specially crafted payload is used. This is because of the following calculation: `inner_payload_len + (4 - inner_payload_len % 4) % 4`. If `inner_payload_len` is 0xffffffff, `(4 - inner_payload_len % 4) % 4 = 1`, so `inner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX ...`

CVSS 5.3 · AI score 5.9 · EPSS 0.00762
Exploits: 1 · References: 7
Positive Technologies
added 2023/10/25 12:00 a.m. · 3 views

PT-2023-6546 · Jenkins · Jenkins Multibranch Scan Webhook Trigger Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Multibranch Scan Webhook Trigger Plugin versions 1.0.9 and earlier Description: The issue is related to information disclosure. It potentially allows a remote attacker to gain unauthorized access to protected information. The problem...

CVSS 5.3 · AI score 5.1 · EPSS 0.00557
Exploits: 0 · References: 9
Positive Technologies
added 2023/10/25 12:00 a.m. · 5 views

PT-2023-8180 · Abo.Cms · Abo.Cms

Name of the Vulnerable Software and Affected Versions: ABO.CMS version 5.9.3 Description: The issue is related to a SQL Injection vulnerability in the Documents module of ABO.CMS, which allows remote attackers to execute arbitrary code via the d parameter. This vulnerability is due to the lack of...

CVSS 9.8 · AI score 9.7 · EPSS 0.00829
Exploits: 0 · References: 10
Positive Technologies
added 2023/10/25 12:00 a.m. · 2 views

PT-2023-20749 · Idweb · Idweb

Name of the Vulnerable Software and Affected Versions: IDWeb application versions 3.1.052 and earlier Description: The issue concerns an unauthenticated SQL injection in the GetExcursionDetails method. This allows unauthenticated attackers to extract or modify all data. Recommendations: For...

CVSS 9.8 · AI score 9.4 · EPSS 0.00552
Exploits: 0 · References: 3
Github Security Blog
added 2023/10/24 2:45 a.m. · 26 views

Fides JavaScript Injection Vulnerability in Privacy Center URL

Impact The Fides web application allows users to edit consent and privacy notices such as cookie banners. These privacy notices can then be served by other integrated websites, for example in cookie consent banners. One of the editable fields is a privacy policy URL and this input was found to no...

CVSS 5.4 · AI score 6.8 · EPSS 0.00607
Exploits: 0 · References: 5 · Affected Software: 1
Positive Technologies
added 2023/10/24 12:00 a.m. · 1 view

PT-2023-28987 · Geoserver · Geoserver

Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.22.5; GeoServer versions prior to 2.23.2; GeoServer version 2.20.5; GeoServer version 2.21.0 Description: The OGC Web Processing Service (WPS) specification in GeoServer allows processing of information from any serve...

CVSS 9.8 · AI score 9.3 · EPSS 0.67715
Exploits: 0 · References: 11
Positive Technologies
added 2023/10/13 12:00 a.m. · 2 views

PT-2023-29558 · Netis · Netis N3Mv2

Name of the Vulnerable Software and Affected Versions: Netis N3Mv2 version 1.0.1.865 Description: A command injection issue was discovered via the ntpServIP parameter in the Time Settings. This allows for potential exploitation. Recommendations: For Netis N3Mv2 version 1.0.1.865, consider...

CVSS 9.8 · AI score 9.6 · EPSS 0.01896
Exploits: 1 · References: 4
Openbugbounty
added 2023/10/11 6:20 a.m. · 7 views

tpoi.info Cross Site Scripting vulnerability OBB-3741520

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0
OSV
added 2023/10/10 4:29 p.m. · 10 views

SUSE-SU-2023:4041-1 Security update for php-composer2

This update for php-composer2 fixes the following issues: - CVE-2023-43655: Fixed a remote code execution issue that could be triggered if users published a web-accessible composer.phar file (bsc#1215859)...

CVSS 8.8 · AI score 9 · EPSS 0.01378
Exploits: 0 · References: 3
Openbugbounty
added 2023/10/09 9:12 a.m. · 7 views

gapfa.org Cross Site Scripting vulnerability OBB-3736551

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0
Positive Technologies
added 2023/10/09 12:00 a.m. · 3 views

PT-2023-25364 · No Magic · Teamwork Cloud

Name of the Vulnerable Software and Affected Versions: Teamwork Cloud versions No Magic Release 2021x through No Magic Release 2022x Description: A Cross-Site Request Forgery (CSRF) vulnerability could allow an attacker to send a specifically crafted query to the server under certain conditions...

CVSS 7.5 · AI score 7.6 · EPSS 0.00203
Exploits: 0 · References: 5
Ivanti
added 2023/10/04 4:13 p.m. · 8 views

SA-2023-08-08-CVE-2023-35083

SECURITY ADVISORY 08-08-2023 Product Affected: Ivanti Endpoint Manager A vulnerability was recently discovered for EPM 2022 SU3 and all previous versions. We have a Hotfix available to remediate this vulnerability that can be found by going to CVE-2023-35083 Full details. Please log into the...

CVSS 6.5 · AI score 9.5 · EPSS 0.01091
Exploits: 0
Positive Technologies
added 2023/10/03 12:00 a.m. · 5 views

PT-2023-24025 · Nxlog · Nxlog Manager

Name of the Vulnerable Software and Affected Versions: NXLog Manager version 5.6.5633 Description: A Cross-Site Request Forgery (CSRF) issue allows an attacker to manipulate and delete user accounts within the platform by sending a specifically crafted query to the server. This is due to the lack o...

CVSS 6.5 · AI score 6.4 · EPSS 0.00232
Exploits: 0 · References: 5
Openbugbounty
added 2023/09/23 3:40 p.m. · 13 views

thebasementcanberra.com.au Cross Site Scripting vulnerability OBB-3704338

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0
Openbugbounty
added 2023/09/21 4:56 a.m. · 12 views

gucce.com.au Cross Site Scripting vulnerability OBB-3701284

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 6.1
Exploits: 0