Security
Headlines
HeadlinesLatestCVEs

Tag

#ios

CVE-2022-28378: cms/CHANGELOG.md at develop · craftcms/cms

Craft CMS before 3.7.29 allows XSS.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#ios#android#mac#windows#google#amazon#redis#js#git#java
CVE-2021-20238: Invalid Bug ID

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.

CVE-2021-20238: unauthenticated access to Machine Config Server ignition config

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.

CVE-2021-35117: March 2022 Security Bulletin | Qualcomm

An Out of Bounds read may potentially occur while processing an IBSS beacon, in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music

CVE-2022-28223: Post auth RCE based in malicious LUA plugin script upload SCADA controllers located in Russia

Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.

CVE-2022-27432: Cross Site Request Forgery (CSRF)

A Cross-Site Request Forgery (CSRF) in Pluck CMS v4.7.15 allows attackers to change the password of any given user by exploiting this feature leading to account takeover.

CVE-2022-26280: The libarchive lib exist a READ memory access Vulnerability · Issue #1672 · libarchive/libarchive

Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.

CVE-2022-0427: Arbitrary POST request as victim user from HTML injection in Jupyter notebooks (#347284) · Issues · GitLab.org / GitLab

Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover

CVE-2021-45490: 3CX Client Missing TLS Validation ≈ Packet Storm

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation.