Security Headlines: Latest CVEs

Tag: #windows

ERPGo SaaS 3.9 CSV Injection

ERPGo is a software-as-a-service (SaaS) platform that is vulnerable to CSV injection. In this type of attack, an attacker manipulates data that is imported or exported in a CSV file so that it executes malicious code or exposes sensitive information. Here the attacker injects specially crafted data into a CSV file that is then imported into the ERPGo system, which can potentially give access to sensitive information such as login credentials or financial data, or allow malicious code to be executed on the system.

Source: Packet Storm
Tags: #vulnerability #web #windows #auth
CVE-2021-43444: GitHub - ONLYOFFICE/server: The backend server software layer which is the part of ONLYOFFICE Document Server and is the base for all other components

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key.

CVE-2022-41505: GitHub - hemant70072/Access-control-issue-in-TP-Link-Tapo-C200-V1.: Exploiting the UART shell to get the access of root shell and dumping the content of flash chip (firmware) in the SD card

An access control issue on TP-Link Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting an init=/bin/sh value.

CVE-2023-24069: CVE-2023-24068 && CVE-2023-24069: Abusing Signal Desktop Client for fun and for Espionage

Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. Cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation. (Local filesystem access is needed by the attacker.)

CVE-2023-23314: File upload ssh authorized_keys causes RCE · Issue #90 · helloxz/zdir

An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file.

CVE-2022-46959: Back up files in any directory through directory traversal · Issue #56 · go-sonic/sonic

An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal.

Microsoft to end direct sale of Windows 10 licenses at the end of January

Categories: News. Tags: windows 10, windows 11, microsoft, license, sale, third party, desktop, upgrade, hardware.

We take a look at reports that Microsoft will shortly be ending the direct sale of Windows 10 licenses. Source: Malwarebytes Labs.

A week in security (January 16-22)

Categories: News. Tags: Google, Rust, Chromium, Mailchimp, SweepWizard, bossware, TikTok, surveillance firm, Voyager Labs, TracketPacer, Facebook, Instagram, Vice Society, Liquor Control Board of Ontario, Zoho ManageEngine, GitHub, LastPass, Git flaw, ransomware, credit card fraud.

The most interesting security-related news from the week of January 16-22. Source: Malwarebytes Labs.