Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-44397: The gateway filter of CloudExplorer Lite uses a controller with path. startwith matching/API/, which can cause permission bypass

CloudExplorer Lite is an open source, lightweight cloud management platform. Prior to version 1.4.1, the gateway filter of CloudExplorer Lite uses a controller with path starting with `matching/API/`, which can cause a permission bypass. Version 1.4.1 contains a patch for this issue.

CVE
#vulnerability#git#auth
CVE-2023-46478: GitHub - mr-xmen786/CVE-2023-46478

An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter.

CVE-2023-45956: IoT-Fuzz/Govee LED Strip Vulnerability Report.pdf at main · IoT-Fuzz/IoT-Fuzz

An issue discovered in Govee LED Strip v3.00.42 allows attackers to cause a denial of service via crafted Move and MoveWithOnoff commands.

CVE-2023-42323: douhaocms/README.md at main · mnbvcxz131421/douhaocms

Cross Site Request Forgery (CSRF) vulnerability in DouHaocms v.3.3 allows a remote attacker to execute arbitrary code via the adminAction.class.php file.

GHSA-frgf-8jr5-j2jv: memory leak flaw was found in ruby-magick

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

CVE-2020-36767: alert leads to code execution on Linux · Issue #25498 · servo/servo

tinyfiledialogs (aka tiny file dialogs) before 3.8.0 allows shell metacharacters in titles, messages, and other input data.

CVE-2023-43649: Merge pull request from GHSA-fw9x-cqjq-7jx5 · baserproject/basercms@874c554

baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue.

CVE-2023-42804: refactor (bbb-web): set presentation mapping as it is in nginx by gustavotrott · Pull Request #15960 · bigbluebutton/bigbluebutton

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.

CVE-2023-42803: fix (bbb-web): improvements on presentations upload by GuiLeme · Pull Request #15990 · bigbluebutton/bigbluebutton

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.

CVE-2023-47104: tiny file dialogs (cross-platform C C++) / Git

tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, which only considered single and double quote characters.