Tag

#sql

GHSA-r969-8v3h-23v9: Apache NiFi Code Injection vulnerability

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission for referencing remote resources, restricting configuration of these components to privileged users. The permission prevents unprivileged users from configuring Processors and Controller Services annotated with the new Reference Remote Resources restriction. Upgrading to Apache NiFi 1.23.0 is the recommended mitigation.

Hackers Deploy "SUBMARINE" Backdoor in Barracuda Email Security Gateway Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable

CVE-2023-38685: SECURITY: Hide restricted tags in noscript view · discourse/discourse@0736611

Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, information about restricted-visibility topic tags could be obtained by unauthorized users. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches.

GHSA-fx3v-4w3w-wpwr: Code injection in wix-embedded-mysql

wix-embedded-mysql v4.6.2 and below was discovered to contain a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. This vulnerability is exploited via passing an unchecked argument.

GHSA-wp6c-29r3-jqw9: SQL injection in jeecg-boot

jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData.

CVE-2023-39016: There's a code injection vulnerability of `com.frameworkset.common.poolman.util.SQLManager.createPool` · Issue #I7MH08 · bboss/bboss - Gitee

bboss-persistent v6.0.9 and below was discovered to contain a code injection vulnerability in the component com.frameworkset.common.poolman.util.SQLManager.createPool. This vulnerability is exploited via passing an unchecked argument.

CVE-2023-39021: My-CVE-Public-References/com_wix_wix-embedded-mysql at main · LetianYuan/My-CVE-Public-References

wix-embedded-mysql v4.6.1 and below was discovered to contain a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. This vulnerability is exploited via passing an unchecked argument.

CVE-2023-38992: SQL injection · Issue #5173 · jeecgboot/jeecg-boot

jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData.

CVE-2023-31937: BugReport/php/Rail-Pass-Management-System/bug3-SQL-Injection-editid.md at main · DiliLearngent/BugReport

A SQL injection vulnerability in Rail Pass Management System v.1.0 allows a remote attacker to execute arbitrary code via the editid parameter of the edit-cateogry-detail.php file.

CVE-2023-31933: BugReport/php/Rail-Pass-Management-System/bug4-SQL-Injection-editid2.md at main · DiliLearngent/BugReport

A SQL injection vulnerability in Rail Pass Management System v.1.0 allows a remote attacker to execute arbitrary code via the editid parameter of the edit-pass-detail.php file.