Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-8xq9-g7ch-35hg: Parse Server's custom object ID allows to acquire role privileges

### Impact If the Parse Server option `allowCustomObjectId: true` is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. ### Patches Improved validation for custom user object IDs. Session tokens for existing users with an object ID that exploits the vulnerability are now rejected. ### Workarounds - Disable custom object IDs by setting `allowCustomObjectId: false` or not setting the option which defaults to `false`. - Use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix `role:`. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg - https://github.com/parse-community/parse-server/pull/9317 (fix for Parse Server 7) - https://github.com/parse-community/parse-server/pull/9318 (fix for Parse Server 6)

ghsa
#vulnerability#web#git#auth
Ubuntu Security Notice USN-7054-1

Ubuntu Security Notice 7054-1 - It was discovered that unzip did not properly handle unicode strings under certain circumstances. If a user were tricked into opening a specially crafted zip file, an attacker could possibly use this issue to cause unzip to crash, resulting in a denial of service, or possibly execute arbitrary code.

Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery

Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

Vehicle Service Management System 1.0 WYSIWYG Code Injection

Vehicle Service Management System version 1.0 suffers from a WYSIWYG code injection vulnerability.

GHSA-8h22-6qwx-q4w9: OpenStack Ironic fails to verify checksums of supplied image_source URLs

In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of checksum validation of supplied image_source URLs when configured to convert images to a raw format for streaming.

Vehicle Service Management System 1.0 Code Injection

Vehicle Service Management System version 1.0 suffers from a PHP code injection vulnerability.

Transport Management System 1.0 Arbitrary File Upload

Transport Management System version 1.0 suffers from an arbitrary file upload vulnerability.

Transport Management System 1.0 Code Injection

Transport Management System version 1.0 suffers from a PHP code injection vulnerability.

ManageEngine ADManager 7183 Password Hash Disclosure

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.