Security Headlines

Tag: #git

CVE-2023-46853: Comparing 1.6.21...1.6.22 · memcached/memcached

In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used instead of \r\n.

CVE · #vulnerability #memcached #git
The Destruction of Gaza’s Internet Is Complete

As Israel expands its ground operation in Gaza, the last remaining internet and mobile connections have gone dark.

Securing Cloud Identities to Protect Assets and Minimize Risk

Preventative security should be driven by data and risk assessment, not compliance.

GHSA-r847-6w6h-r8g4: Flyte Admin SQL Injection in List Filters

Impact: list endpoints on Flyte Admin have a SQL injection vulnerability: a malicious user can send REST requests whose list filters carry custom SQL statements. Workarounds: the attacker needs to have access to the flyteadmin installation (typically either behind a VPN or authentication). References: https://owasp.org/www-community/attacks/SQL_Injection#
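The advisory above describes the pattern (caller-supplied list filters turned into SQL) but not Flyte's code. The following is an added example in Python, not Flyte Admin's code and not its filter syntax, of the same pattern: a list endpoint that concatenates filter fields and values into its WHERE clause, beside one that allow-lists field names and binds values as parameters. The `executions` and `secrets` tables, their rows and the injected filter value are all constructed for the example.

```python
# Added example (not Flyte's code): list filters as SQL text versus bound
# parameters with an allow-list of filterable fields.
import sqlite3
from typing import Dict, List, Tuple

# Constructed data: an "executions" table scoped by owner, plus a table the
# list endpoint must never expose.
SAMPLE_EXECUTIONS = [
    ("e1", "alice", "SUCCEEDED"),
    ("e2", "bob", "FAILED"),
    ("e3", "alice", "RUNNING"),
]
ALLOWED_FILTER_FIELDS = {"id", "phase"}   # fields a caller may filter on

# A filter value that closes the string literal and appends a UNION.
INJECTED_PHASE = "x' UNION SELECT name, value, '' FROM secrets --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE executions (id TEXT, owner TEXT, phase TEXT)")
    conn.executemany("INSERT INTO executions VALUES (?, ?, ?)", SAMPLE_EXECUTIONS)
    conn.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('db_password', 'hunter2')")
    return conn


def list_executions_vulnerable(conn: sqlite3.Connection, owner: str,
                               filters: Dict[str, str]) -> List[Tuple]:
    """Builds the WHERE clause by concatenation: both the field names and the
    values from the request become SQL text."""
    clauses = [f"owner = '{owner}'"]
    for field, value in filters.items():
        clauses.append(f"{field} = '{value}'")
    sql = "SELECT id, owner, phase FROM executions WHERE " + " AND ".join(clauses)
    return conn.execute(sql).fetchall()


def list_executions_safe(conn: sqlite3.Connection, owner: str,
                         filters: Dict[str, str]) -> List[Tuple]:
    """Field names are checked against an allow-list (identifiers cannot be
    bound as parameters); values are passed as bound parameters only."""
    clauses = ["owner = ?"]
    params = [owner]
    for field, value in filters.items():
        if field not in ALLOWED_FILTER_FIELDS:
            raise ValueError(f"unsupported filter field: {field!r}")
        clauses.append(f"{field} = ?")
        params.append(value)
    sql = "SELECT id, owner, phase FROM executions WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


def filter_field_rejected(conn: sqlite3.Connection, field: str) -> bool:
    """True if the safe endpoint refuses to filter on the given field."""
    try:
        list_executions_safe(conn, "alice", {field: "x"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(list_executions_vulnerable(db, "alice", {"phase": INJECTED_PHASE}))
    print(list_executions_safe(db, "alice", {"phase": INJECTED_PHASE}))
```

Against the constructed data, the vulnerable endpoint returns the row from `secrets` for a request that should only ever see alice's executions, while the safe endpoint returns nothing because no phase literally equals the injected string. The field-name allow-list matters as much as parameter binding: a column name taken from the request is an identifier, which no driver can bind, so it has to be validated rather than escaped.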

GHSA-crg9-44h2-xw35: Apache ActiveMQ is vulnerable to Remote Code Execution

Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.
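The mechanism named above is a decoder that instantiates whatever class the peer names in the message. The following is an added model in Python of that mechanism and of the allow-list that removes it; it is not ActiveMQ's code and does not implement OpenWire. The frame layout (`type`, `args`, `kwargs`), the two message classes and the registry are constructed for the example.

```python
# Added example (not ActiveMQ's code): a decoder that resolves any dotted
# class name from the wire versus one that only constructs registered types.
import importlib
from dataclasses import dataclass
from typing import Any, Callable, Dict


@dataclass
class ConnectionInfo:            # constructed legitimate message type
    client_id: str


@dataclass
class TextMessage:               # constructed legitimate message type
    body: str


def decode_vulnerable(frame: Dict[str, Any]) -> Any:
    """Resolves frame['type'] as any importable dotted name and calls it
    with caller-supplied arguments. The peer, not the broker, chooses the
    class: 'pathlib.Path' here, but anything importable would do."""
    module_name, _, class_name = frame["type"].rpartition(".")
    cls = getattr(importlib.import_module(module_name), class_name)
    return cls(*frame.get("args", []), **frame.get("kwargs", {}))


# Allow-list: the wire carries a short type id that maps to a class the
# broker chose up front; a class name is never taken from the message.
REGISTRY: Dict[str, Callable[..., Any]] = {
    "ConnectionInfo": ConnectionInfo,
    "TextMessage": TextMessage,
}


class UnknownWireType(ValueError):
    pass


def decode_safe(frame: Dict[str, Any]) -> Any:
    """Only registered types can be constructed; any other id is rejected
    before anything is instantiated."""
    cls = REGISTRY.get(frame["type"])
    if cls is None:
        raise UnknownWireType(frame["type"])
    return cls(**frame.get("kwargs", {}))


def safe_rejects(frame: Dict[str, Any]) -> bool:
    """True if the allow-listed decoder refuses the frame."""
    try:
        decode_safe(frame)
    except UnknownWireType:
        return True
    return False


if __name__ == "__main__":
    hostile = {"type": "pathlib.Path", "args": ["/etc/passwd"]}   # constructed frame
    print(repr(decode_vulnerable(hostile)))   # a Path object the peer asked for
    print(safe_rejects(hostile))              # True
```

The constructed hostile frame names a harmless standard-library class so the example runs without side effects; the point is that the vulnerable decoder will construct any class the message names, and only a fixed registry keyed by type id, not a class name lookup, keeps that choice on the receiving side.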

N. Korean Lazarus Group Targets Software Vendor Using Known Flaws

The North Korea-aligned Lazarus Group has been attributed as being behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile piece of software. The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for

CVE-2023-46394: Stored xss vulnerability in gougucms version 4.08.18 · Issue #I88TC0 · 勾股开源/ThinkPHP6 勾股CMS - Gitee.com

A stored cross-site scripting (XSS) vulnerability in /home/user/edit_submit of gougucms v4.08.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the headimgurl parameter.

CVE-2023-46393: Any User Password Reset Vulnerability in gougucms 4.08.18 · Issue #I88TKH · 勾股开源/ThinkPHP6 勾股CMS - Gitee.com

gougucms v4.08.18 was discovered to contain a password reset poisoning vulnerability which allows attackers to arbitrarily reset users' passwords via a crafted packet.

Splunk edit_user Capability Privilege Escalation

Splunk suffers from an issue where a low-privileged user who holds a role with the edit_user capability can escalate their privileges to those of the admin user by sending a specially crafted web request. The cause is that the edit_user capability does not honor the grantableRoles setting in the authorize.conf configuration file, the setting meant to prevent exactly this. This exploit abuses the flaw to change the admin password, log in as admin, and upload a malicious app, achieving remote code execution.
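The following is an added model in Python of the check described above, not Splunk's code. It assumes, as the entry describes it, that grantableRoles lists the roles an edit_user holder is permitted to hand out, and models the enforcement as: the actor may only assign roles from that set, and only to users whose current roles all fall inside it, so an account holding admin is out of reach. The role and user tables (admin, user_manager, helpdesk, bob and their passwords) are constructed, and the `grantable_roles: None` convention for an unrestricted role is an assumption of the model.

```python
# Added example (not Splunk's code): edit_user that ignores grantableRoles
# beside edit_user that enforces it.
import copy
from typing import Dict, Iterable, Optional, Set

# Constructed role definitions, loosely in the spirit of authorize.conf
# stanzas. grantable_roles None means the role is unrestricted (assumption).
ROLES: Dict[str, Dict] = {
    "admin":        {"capabilities": {"edit_user", "admin_all_objects"}, "grantable_roles": None},
    "user_manager": {"capabilities": {"edit_user"},                      "grantable_roles": {"user", "power"}},
    "power":        {"capabilities": {"schedule_search"},                "grantable_roles": set()},
    "user":         {"capabilities": {"search"},                         "grantable_roles": set()},
}


def fresh_users() -> Dict[str, Dict]:
    """Constructed user table; a new copy per scenario."""
    return copy.deepcopy({
        "admin":    {"roles": {"admin"},        "password": "original-admin-pw"},
        "helpdesk": {"roles": {"user_manager"}, "password": "helpdesk-pw"},
        "bob":      {"roles": {"user"},         "password": "bob-pw"},
    })


class AuthzError(PermissionError):
    pass


def capabilities(users: Dict[str, Dict], actor: str) -> Set[str]:
    return set().union(*(ROLES[r]["capabilities"] for r in users[actor]["roles"]))


def grantable_roles(users: Dict[str, Dict], actor: str) -> Optional[Set[str]]:
    """Union over the actor's roles; None if any of them is unrestricted."""
    allowed: Set[str] = set()
    for r in users[actor]["roles"]:
        g = ROLES[r]["grantable_roles"]
        if g is None:
            return None
        allowed |= g
    return allowed


def edit_user_vulnerable(users, actor, target, new_roles: Iterable[str], new_password: str) -> None:
    """Checks only that the actor holds edit_user: any target, any roles."""
    if "edit_user" not in capabilities(users, actor):
        raise AuthzError("edit_user capability required")
    users[target]["roles"] = set(new_roles)
    users[target]["password"] = new_password


def edit_user_fixed(users, actor, target, new_roles: Iterable[str], new_password: str) -> None:
    """Same capability check, then the grantableRoles check the entry says is
    missing: the target's current roles and the requested roles must both lie
    within what the actor may grant."""
    if "edit_user" not in capabilities(users, actor):
        raise AuthzError("edit_user capability required")
    allowed = grantable_roles(users, actor)
    if allowed is not None:
        if not users[target]["roles"] <= allowed:
            raise AuthzError(f"{actor} may not edit {target}: target holds non-grantable roles")
        if not set(new_roles) <= allowed:
            raise AuthzError("requested roles exceed grantableRoles")
    users[target]["roles"] = set(new_roles)
    users[target]["password"] = new_password


def attempt(edit_fn, actor: str, target: str, new_roles: Iterable[str], new_password: str) -> Dict[str, Dict]:
    """Run one scenario on a fresh user table and return the resulting
    table; it is unchanged when the edit was refused."""
    users = fresh_users()
    try:
        edit_fn(users, actor, target, new_roles, new_password)
    except AuthzError:
        pass
    return users


if __name__ == "__main__":
    # helpdesk holds edit_user but may only grant user/power.
    print(attempt(edit_user_vulnerable, "helpdesk", "admin", {"admin"}, "pwned")["admin"])
    print(attempt(edit_user_fixed, "helpdesk", "admin", {"admin"}, "pwned")["admin"])
```

In the model, `helpdesk` can reset the admin password through `edit_user_vulnerable`, which is the first step of the exploit chain the entry describes; `edit_user_fixed` refuses because admin's current role is outside helpdesk's grantable set, while the same actor can still legitimately move `bob` between `user` and `power`. Checking the target's existing roles, not just the requested ones, is what stops the capability from reaching accounts above the actor.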

XAMPP 3.3.0 Buffer Overflow

XAMPP version 3.3.0 buffer overflow exploit (.ini file, Unicode, SEH overwrite).