What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2023-08-16 15:15:11 | CVE-2023-40341 (lien direct) | Une vulnérabilité de contrefaçon de demande croisée (CSRF) dans le plugin de Jenkins Blue Ocean 1.27.5 et plus tôt permet aux attaquants de se connecter à une URL spécifiée par l'attaquant, capturant les informations d'identification GitHub associées à un travail spécifié par l'attaquant.
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. |
Vulnerability | APT 32 | |
|
2023-07-12 08:15:09 | CVE-2020-36760 (lien direct) | Le plugin Ocean Extra pour WordPress est vulnérable à la contrefaçon de demande de site transversal dans les versions jusqu'à et comprenant 1.6.5].Cela est dû à la validation non pas manquante ou incorrecte sur la fonction add_core_extensions_bundle_validation ().Cela permet aux attaquants non authentifiés de valider les faisceaux d'extension via une demande forgée accordée qu'ils peuvent inciter un administrateur de site à effectuer une action telle que cliquer sur un lien.
The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5]. This is due to missing or incorrect nonce validation on the add_core_extensions_bundle_validation() function. This makes it possible for unauthenticated attackers to validate extension bundles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
APT 32 | ||
|
2023-04-06 14:15:07 | CVE-2023-23891 (lien direct) | Auth.(Contributeur +) Vulnérabilité des scripts croisés (XSS) dans le plugin supplémentaire OceanWP Ocean | Vulnerability | APT 32 | |
|
2023-03-30 12:15:07 | CVE-2023-24399 (lien direct) | Auth.(Contributeur +) Vulnérabilité des scripts croisés (XSS) dans le plugin supplémentaire OceanWP Ocean | Vulnerability | APT 32 | |
|
2023-03-13 17:15:12 | CVE-2023-0749 (lien direct) | The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones. | APT 32 | ||
|
2022-12-04 23:15:09 | CVE-2022-35730 (lien direct) | Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp sticky header plugin | Vulnerability | APT 32 | |
|
2022-10-31 16:15:11 | CVE-2022-3374 (lien direct) | The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. | Guideline | APT 32 | |
|
2022-06-20 11:15:08 | CVE-2021-25104 (lien direct) | The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue | Guideline | APT 32 | |
|
2022-05-17 15:15:09 | CVE-2022-30954 (lien direct) | Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. | APT 32 | ★★★★★ | |
|
2022-05-17 15:15:09 | CVE-2022-30952 (lien direct) | Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. | APT 32 | ★★ | |
|
2022-05-17 15:15:09 | CVE-2022-30953 (lien direct) | A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. | Vulnerability | APT 32 | ★★★★ |
|
2021-11-24 16:15:14 | CVE-2021-41192 (lien direct) | Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET or REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, should follow the steps to secure the instance, outlined in the GitHub Security Advisory. | APT 32 | ||
|
2021-02-22 17:15:12 | CVE-2021-27228 (lien direct) | An issue was discovered in Shinobi through ocean version 1. lib/auth.js has Incorrect Access Control. Valid API Keys are held in an internal JS Object. Therefore an attacker can use JS Proto Method names (such as constructor or hasOwnProperty) to convince the System that the supplied API Key exists in the underlying JS object, and consequently achieve complete access to User/Admin/Super API functions, as demonstrated by a /super/constructor/accounts/list URI. | APT 32 |
1
We have: 13 articles.
We have: 13 articles.
To see everything:
Our RSS (filtrered)
