Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Hacking the Human Mind: Exploiting Vulnerabilities in the 'First Line of Cyber Defense'

Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of

The Hacker News
Open in Source
#vulnerability#mac#apple#git#auth#The Hacker News
Governments May Spy on You by Requesting Push Notifications from Apple and Google

Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden. "Push notifications are alerts sent by phone apps to users' smartphones," Wyden said. "These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of

GHSA-2j39-qcjm-428w: Apache Struts vulnerable to path traversal

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

CVE-2023-48860: security_research/TOTOLINK-N300RT-RCE.md at main · xieqiang11/security_research

TOTOLINK N300RT version 3.2.4-B20180730.0906 has a post-authentication RCE due to incorrect access control, allows attackers can bypass front-end security restrictions and execute arbitrary code.

CVE-2023-48861: POC4/README.md at main · xieqiang11/POC4

DLL hijacking vulnerability in TTplayer version 7.0.2, allows local attackers to escalate privileges and execute arbitrary code via urlmon.dll.

CVE-2023-49225: 20231128 | Security Bulletins | Ruckus Wireless Support

A cross-site-scripting vulnerability exists in Ruckus Access Point products (ZoneDirector, SmartZone, and AP Solo). If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in the product. As for the affected products/models/versions, see the information provided by the vendor listed under [References] section or the list under [Product Status] section.

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

CVE-2023-48823: GaatiTrack Courier Management System 1.0 SQL Injection ≈ Packet Storm

A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login.

CVE-2023-48208: PHPJabbers Availability Booking Calendar 5.0 Cross Site Scripting ≈ Packet Storm

A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, plugin_sms_api_key, plugin_sms_country_code, uuid, title, or country name parameter to index.php.

CVE-2023-48825: PHPJabbers Availability Booking Calendar 5.0 HTML Injection ≈ Packet Storm

Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.