Security
Headlines
HeadlinesLatestCVEs

Tag

#google

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and

The Hacker News
Open in Source
#xss#vulnerability#web#ios#google#oracle#auth#The Hacker News
New Chrome Feature Scans Password-Protected Files for Malicious Content

Google said it's adding new security warnings when downloading potentially suspicious and malicious files via its Chrome web browser. "We have replaced our previous warning messages with more detailed ones that convey more nuance about the nature of the danger and can help users make more informed decisions," Jasika Bawa, Lily Chen, and Daniel Rubery from the Chrome Security team said. To that

Google Will Not Remove Third-Party Cookies From Chrome

Cookies aren't going away, after all. After years of saying it will do so, Google has decided to not remove third-party cookies from Chrome.

GHSA-v8wx-v5jq-qhhw: The Argo CD web terminal session does not handle the revocation of user permissions properly

Argo CD v2.11.3 and before, discovering that even if the user's ```p, role:myrole, exec, create, */*, allow``` permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access. ## Description Argo CD has a Web-based terminal that allows you to get a shell inside a running pod, just like you would with kubectl exec. However, when the administrator enables this function and grants permission to the user ```p, role:myrole, exec, create, */*, allow```, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. CVE-2023-40025 Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only user ```p, role:myrole, exec, create, */*, allow``` permissions, which may still lead to the leakage of sensitive information...

SLiMS CMS 2.0 SQL Injection

SLiMS CMS version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

StarTask CRM 1.9 SQL Injection

StarTask CRM version 1.9 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

UBM CMS 1.2 Insecure Direct Object Reference

UBM CMS version 1.2 suffers from an insecure direct object reference vulnerability.

TAIF LMS 5.8.0 Shell Upload

TAIF LMS version 5.8.0 suffers from a remote shell upload vulnerability.