Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-5053: GitHub - projectworldsofficial/hospital-management-system-in-php: This is Hospital Management System Hospital management system is one of the best software that manages various activities in hospital

Hospital management system version 378c157 allows to bypass authentication. This is possible because the application is vulnerable to SQLI.

CVE
Open in Source
#sql#git#php#auth
CVE-2023-43323: GitHub - ahrixia/CVE-2023-43323: mooSocial v3.1.8 is vulnerable to external service interaction on post function.

mooSocial 3.1.8 is vulnerable to external service interaction on post function. When executed, the server sends a HTTP and DNS request to external server. The Parameters effected are multiple - messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].

CVE-2023-43226: GitHub - zzq66/cve: poc

An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVE-2023-43663: Uninstall modules from backoffice, even with low rights

PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shops functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.

GitHub Repositories Hit by Password-Stealing Commits Disguised as Dependabot Contributions

A new malicious campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. "The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modify any existing javascript files in the attacked project with a web-form password-stealer malware code

GHSA-6jmf-2pfc-q9m7: PrestaShop allows users to uninstall modules from backoffice, even with low rights

### Impact Any module can be disabled or uninstalled from back office, even with low user right. ### Patches 8.1.2 ### Workarounds none ### References

GHSA-gvrg-62jp-rf7j: PrestaShop allows employee without any access rights to list all installed modules

### Impact In BO, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights ### Patches Fixed on 8.1.2 ### Workarounds ### References

Ubuntu Security Notice USN-6369-2

Ubuntu Security Notice 6369-2 - USN-6369-1 fixed a vulnerability in libwebp. This update provides the corresponding update for Ubuntu 18.04 LTS. It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code.

GHSA-2g8p-j2r6-vqpj: October Cross-site Scripting vulnerability

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.

GHSA-7vff-rv2f-cj79: Subrion CMS Cross-site Scripting vulnerability

A Cross-site scripting (XSS) vulnerability in Reference ID from the panel Transactions, of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into 'Reference ID' parameter.