Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-cp8m-h777-g4p3: Improper Access Control in moodle

Separate Groups mode restrictions were not honored in the H5P attempts report, which would display users from other groups. By default this only provided additional access to non-editing teachers.

ghsa
Open in Source
#vulnerability#git
GHSA-jfrg-9hpq-9hvp: Improper Access Control in moodle

Separate Groups mode restrictions were not honored when performing a forum export, which would export forum data for all groups. By default this only provided additional access to non-editing teachers.

GHSA-7pjp-fm93-p6pj: Cross-Site Request Forgery in moodle

The link to update all installed language packs did not include the necessary token to prevent a CSRF risk.

GHSA-487g-3m3v-hjhq: Uncontrolled Resource Consumption in moodle

Insufficient file size checks resulted in a denial of service risk in the file picker's unzip functionality.

GHSA-xfg6-62px-cxc2: SQL injection in pgjdbc

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

Microsoft Windows Defender / Trojan.Win32/Powessere.G VBScript Detection Bypass

This is additional research regarding a mitigation bypass in Windows Defender. Back in 2022, the researcher disclosed how it could be easily bypassed by passing an extra path traversal when referencing mshtml but that issue has since been mitigated. However, the researcher discovered using multiple commas can also be used to achieve the bypass. This issue was addressed. The fix was short lived as the researcher found yet another third trivial bypass. Previously, the researcher disclosed 3 bypasses using rundll32 javascript, but this example leverages the VBSCRIPT and ActiveX engines.

InstantCMS 2.16.1 Cross Site Scripting

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

1 in 5 Youth Engage in Cybercrime, NCA Finds

By Waqas One in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act, NCA has revealed. This is a post from HackRead.com Read the original post: 1 in 5 Youth Engage in Cybercrime, NCA Finds

WonderCMS 4.3.2 Cross Site Scripting / Remote Code Execution

WonderCMS version 4.3.2 remote exploit that leverages cross site scripting to achieve remote code execution.

Exploring the Phenomenal Rise of Ethereum as a Digital Asset

By Uzair Amir In this exploration, we delve into the multifaceted layers of Ethereum’s meteoric rise, dissecting the technological breakthroughs, the… This is a post from HackRead.com Read the original post: Exploring the Phenomenal Rise of Ethereum as a Digital Asset