Security
Headlines
HeadlinesLatestCVEs

Tag

#docker

CVE-2023-48949: Fuzzer: Virtuoso 7.2.11 crashed at box_add · Issue #1173 · openlink/virtuoso-opensource

An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

CVE
Open in Source
#sql#dos#docker
CVE-2023-48952: Fuzzer: Virtuoso 7.2.11 crashed at box_deserialize_reusing · Issue #1175 · openlink/virtuoso-opensource

An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

CVE-2023-48948: Fuzzer: Virtuoso 7.2.11 crashed at box_div · Issue #1176 · openlink/virtuoso-opensource

An issue in the box_div function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

By Deeba Ahmed The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10. This is a post from HackRead.com Read the original post: OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

etcd-browser 87ae63d75260 Directory Traversal

etcd-browser version 87ae63d75260 suffers from a directory traversal vulnerability.

CVE-2023-49313: GitHub - horsicq/XMachOViewer: XMachOViewer is a Mach-O viewer for Windows, Linux and MacOS

A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data.

ownCloud vulnerability can be used to extract admin passwords

A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords.

CVE-2023-48023: Ray, Versions 2.6.3, 2.8.0

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment

GHSA-v4v2-8h88-65qj: Attribute Injection leading to XSS(Cross-Site-Scripting)

### Summary Google Analytics element Attribute Injection leading to XSS ### Details Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. ![image](https://user-images.githubusercontent.com/110759348/282278047-667b774b-421f-449a-8f95-3f3906ae4216.png) ### PoC 1. Run the latest version of the louislam/uptime-kuma container and initialize the account password. 2. Create a new status page. 3. Edit the status page and change the Google Analytics ID to following payload(it only works for firefox. Any attribute can be injected, but this seems the most intuitive): ``` 123123" onafterscriptexecute=alert(window.name+1),eval(window.name) a="x ``` 4. Click Save and return to the interface. XSS occurs. screenshots: ![image](https://user-images.githubusercontent.com/110759348/282287393-4874974f-9416-4941-9c2e-a92ee2412197.png) ![9d0603e634fb7da2e83a0a...