Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

Senayan Library Management System 9.0.0 Cross Site Scripting

Senayan Library Management System version 9.0.0 suffers from a cross site scripting vulnerability.

Packet Storm
Open in Source
#xss#vulnerability#web#mac#windows#apple#google#apache#git#php#auth#chrome#webkit#ssl
CVE-2022-3724: Crash in USB-HID dissector on Windows (#18384) · Issues · Wireshark Foundation / wireshark · GitLab

Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows

Iranian APT Targets US With Drokbk Spyware via GitHub

The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.

How Naming Can Change the Game in Software Supply Chain Security

A reliance on CPE names currently makes accurate searching for high-risk security vulnerabilities difficult.

Planet eStream Code Execution / SQL Injection / XSS / Broken Control

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Why is Robust API Security Crucial in eCommerce?

API attacks are on the rise. One of their major targets is eCommerce firms like yours.  APIs are a vital part of how eCommerce businesses are accelerating their growth in the digital world.  ECommerce platforms use APIs at all customer touchpoints, from displaying products to handling shipping. Owing to their increased use, APIs are attractive targets for hackers, as the following numbers expose

CVE-2022-38765: Canon Medical Software Security Updates

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-41947: Content Security Policy (CSP) - HTTP | MDN

DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated user to open the malicious file in a browser which would trigger the javascript code, resulting in a cross-site scripting (XSS) attack. DHIS2 administrators should upgrade to the following hotfix releases: 2.36.12.1, 2.37.8.1, 2.38.2.1, 2.39.0.1. Users unable to upgrade may add the following simple CSP rule in your web proxy to the vulnerable endpoints: `script-src 'none'`. This workaround will prevent all javascript from running on those endpoints.

CVE-2022-46153: Release v2.9.6 · traefik/traefik

Traefik is an open source HTTP reverse proxy and load balancer. In affected versions there is a potential vulnerability in Traefik managing TLS connections. A router configured with a not well-formatted TLSOption is exposed with an empty TLSOption. For instance, a route secured using an mTLS connection set with a wrong CA file is exposed without verifying the client certificates. Users are advised to upgrade to version 2.9.6. Users unable to upgrade should check their logs to detect the error messages and fix your TLS options.