Security
Headlines
HeadlinesLatestCVEs

Tag

#docker

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

DARKReading
Open in Source
#vulnerability#web#microsoft#cisco#php#oauth#auth#docker
OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

By Deeba Ahmed The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10. This is a post from HackRead.com Read the original post: OwnCloud “graphapi” App Vulnerability Exposes Sensitive Data

etcd-browser 87ae63d75260 Directory Traversal

etcd-browser version 87ae63d75260 suffers from a directory traversal vulnerability.

CVE-2023-49313: GitHub - horsicq/XMachOViewer: XMachOViewer is a Mach-O viewer for Windows, Linux and MacOS

A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data.

ownCloud vulnerability can be used to extract admin passwords

A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords.

CVE-2023-48023: Ray, Versions 2.6.3, 2.8.0

Anyscale Ray 2.6.3 and 2.8.0 allows /log_proxy SSRF. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment

GHSA-v4v2-8h88-65qj: Attribute Injection leading to XSS(Cross-Site-Scripting)

### Summary Google Analytics element Attribute Injection leading to XSS ### Details Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. ![image](https://user-images.githubusercontent.com/110759348/282278047-667b774b-421f-449a-8f95-3f3906ae4216.png) ### PoC 1. Run the latest version of the louislam/uptime-kuma container and initialize the account password. 2. Create a new status page. 3. Edit the status page and change the Google Analytics ID to following payload(it only works for firefox. Any attribute can be injected, but this seems the most intuitive): ``` 123123" onafterscriptexecute=alert(window.name+1),eval(window.name) a="x ``` 4. Click Save and return to the interface. XSS occurs. screenshots: ![image](https://user-images.githubusercontent.com/110759348/282287393-4874974f-9416-4941-9c2e-a92ee2412197.png) ![9d0603e634fb7da2e83a0a...

CVE-2023-46575: Meshery The Kubernetes and Cloud Native Manager - an extensible developer platform

A SQL injection vulnerability in Meshery before 0.6.179 allows a remote attacker to obtain sensitive information and execute arbitrary code via the order parameter.

Kubernetes Secrets of Fortune 500 Companies Exposed in Public Repositories

Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. “These encoded Kubernetes configuration secrets were uploaded to public repositories,” Aqua security researchers Yakir Kadkoda and Assaf Morag said in a new research published earlier this week. Some of those impacted include two top blockchain

Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

By Deeba Ahmed Patches for all affected versions of Apache ActiveMQ have been released, and clients are strongly advised to upgrade their systems. This is a post from HackRead.com Read the original post: Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw