#git

By Deeba Ahmed The vulnerabilities stem from the way Jenkins handles user-supplied data. This is a post from HackRead.com Read the original post: Excessive Expansion Vulnerabilities Leave Jenkins Servers Open to Attacks

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation Vendor: Hitron Systems Equipment: DVR Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to affect the availability of the product through exploitation of an improper input validation vulnerability and default credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Hitron Systems DVR, a digital video recorder, are affected: DVR HVR-4781: Versions 1.03 through 4.02 DVR HVR-8781: Versions 1.03 through 4.02 DVR HVR-16781: Versions 1.03 through 4.02 DVR LGUVR-4H: Versions 1.02 through 4.02 DVR LGUVR-8H: Versions 1.02 through 4.02 DVR LGUVR-16H: Versions 1.02 through 4.02 3.2 Vulnerability Overview 3.2.1 IMPROPER INPUT VALIDATION CWE-20 An improper input validation vulnerability exists in Hitron Systems DVR HVR-4781 versions 1.03 thro...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk Service Platform Vulnerability: Improper Verification of Cryptographic Signature 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to retrieve user information and modify settings without any authentication. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Smart Security Manager, a software management platform, are affected: FactoryTalk Service Platform: Versions prior to v6.4 3.2 Vulnerability Overview 3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347 A vulnerability exists in the affected product that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user informatio...

By Uzair Amir The recent green light given to a Bitcoin Exchange-Traded Fund (ETF) by regulatory authorities in the U.S. is… This is a post from HackRead.com Read the original post: What the Bitcoin ETF Approval Mean for the Crypto Market

Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.

An issue discovered in Craft CMS version 4.6.1.1 allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.

Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet's infrastructure was dismantled in April 2022. A new variant of the malware is said to have been in development since September 2023, Zscaler ThreatLabz said in an analysis published this month. "The new version of Zloader made significant changes to the loader

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the `child_process` exec function without input sanitization. If (attacker-controlled) user input is given to the `mac_address_for` function of the package, it is possible for an attacker to execute arbitrary commands on the operating system that this package is being run on.

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and_ Local_ In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI directly using the default user identity.

Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.