What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
CVE.webp 2023-03-21 12:15:10 CVE-2023-1314 (direct link) A vulnerability was discovered in the CloudFlared installer ( Vulnerability Guideline
CVE.webp 2023-03-21 11:15:10 CVE-2023-27984 (direct link) A CWE-20: Improper Input Validation vulnerability exists in Custom Reports that could cause a macro to be executed, potentially leading to remote code execution when a user opens a malicious report file planted by an attacker. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior). Vulnerability Guideline
CVE.webp 2023-03-21 11:15:10 CVE-2016-15029 (direct link) A vulnerability has been found in Ydalb mapicoin up to 1.9.0 and classified as problematic. This vulnerability affects unknown code of the file webroot/stats.php. The manipulation of the argument link/search leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.10.0 is able to address this issue. The name of the patch is 67e87f0f0c1ac238fcd050f4c3db298229bc9679. It is recommended to upgrade the affected component. VDB-223402 is the identifier assigned to this vulnerability. Vulnerability Guideline
AlienVault.webp 2023-03-21 10:00:00 The FTC extends the deadline by six months to comply with certain changes to the financial data security rules (direct link) The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  In a highly connected, internet-powered world, transactions take place online, in person, and even somewhere in between. Given the frequency of digital information exchange on our devices, including smartphones and smart home gadgets, cybersecurity has never been more important for protecting sensitive customer information. In response, the US Federal Trade Commission has rolled out updated measures to ensure that customers’ details are fully protected.  Due to supply chain issues and qualified employee shortages, however, the FTC has granted a six-month extension on the original deadline, so businesses and financial institutions now have more time to complete the required changes. This article will look at the updated federal data security measures and how they will impact businesses.  Updated federal data security measures In November, the United States Federal Trade Commission announced that it would grant a six-month extension for companies that have yet to update their security measures in compliance with updated FTC standards.  The new deadline for businesses and financial institutions to implement the required changes will be June 9, 2023. By that point, all businesses must have updated their policies and procedures in keeping with the Financial Data Security Rule, also known as the Safeguards Rule. Initial changes to the Safeguards Rule Initially, the Federal Trade Commission approved changes to the Safeguards Rule in October 2021. 
These changes included updated criteria for financial institutions, providing more specific requirements about which safeguards they must include in their information security programs.  Some of these updates to the Safeguards Rule were implemented 30 days after the rule was published in the Federal Register, while other specific criteria were on track to be implemented on December 9, 2022.  Why has the deadline been extended? The deadline has been extended to June 2023 due to reports presenting compelling arguments for postponing the required implementation. The Small Business Administration’s Office of Advocacy, for example, filed a letter addressed to the FTC. The letter stated that several factors would bar companies from effectively implementing these updated security requirements in the allotted time.  Between supply chain issues that could cause delays in transporting essential equipment for the requisite security system upgrades, and a widespread shortage of qualified information security experts who could implement the changes on time, the letter from the SBA convincingly spelled out why businesses would need more time to complete the security system upgrades in compliance with FTC rules.  The global COVID-19 pandemic further exacerbated these issues, making it difficult for small-scale businesses and financial institutions to meet the deadlines. The FTC voted unanimously to approve this deadline extension. Reasons for FTC data security rule updates The changes to the Financial Data Security Rule are meant to ensure that financial institutions put sufficient security measures in place to keep their customers’ personal information safe from any hacking attempts. Boosting the data security of financial institutions is vital to strengthening t Guideline ★★
CVE.webp 2023-03-21 09:15:11 CVE-2023-27978 (direct link) A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior). Vulnerability Guideline
CVE.webp 2023-03-21 07:15:08 CVE-2023-27982 (direct link) A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory when an attacker sends specific crafted messages to the Data Server TCP port; this could lead to remote code execution when a victim eventually opens a malicious dashboard file. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior). Vulnerability Guideline
CVE.webp 2023-03-21 06:15:13 CVE-2023-27980 (direct link) A CWE-306: Missing Authentication for Critical Function vulnerability exists in the Data Server TCP interface that could allow the creation of a malicious report file in the IGSS project report directory; this could lead to remote code execution when a victim eventually opens the report. Affected Products: IGSS Data Server (IGSSdataServer.exe) (V16.0.0.23040 and prior), IGSS Dashboard (DashBoard.exe) (V16.0.0.23040 and prior), Custom Reports (RMS16.dll) (V16.0.0.23040 and prior). Vulnerability Guideline
CVE.webp 2023-03-21 00:15:10 CVE-2012-10009 (direct link) A vulnerability was found in 404like Plugin up to 1.0.2. It has been classified as critical. Affected is the function checkPage of the file 404Like.php. The manipulation of the argument searchWord leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 1.0.2 is able to address this issue. The name of the patch is 2c4b589d27554910ab1fd104ddbec9331b540f7f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-223404. Vulnerability Guideline
CVE.webp 2023-03-20 21:15:10 CVE-2022-43663 (direct link) An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-20 21:15:10 CVE-2022-45124 (direct link) An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-20 16:15:12 CVE-2023-0876 (direct link) The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several AJAX actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability. Guideline
CVE.webp 2023-03-20 16:15:12 CVE-2023-0875 (direct link) The WP Meta SEO WordPress plugin before 4.5.3 does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users. Vulnerability Guideline
CVE.webp 2023-03-20 16:15:12 CVE-2023-0937 (direct link) The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. Guideline
globalsecuritymag.webp 2023-03-20 14:23:25 Rapid7 Appoints Jaya Baloo as Chief Security Officer (direct link) Rapid7 Appoints Jaya Baloo as Chief Security Officer. New CSO Brings More than 20 Years of Experience in Leading and Contributing to Secure Network Architecture to Rapid7 - Business News Guideline ★★
Checkpoint.webp 2023-03-20 11:00:44 Detecting Malicious Packages on PyPI: Malicious package on PyPI use phishing techniques to hide its malicious intent (direct link) By Ori Abramovsky. Highlights: Check Point CloudGuard Spectralops detected a malicious phishing account on PyPI, the leading Python package index. Users installing the account packages were exposed to a malicious actor, probably a PII stealer. Once detected, we alerted PyPI on these packages. Soon after the packages were removed by the PyPI team. Intro PyPI… Guideline
CVE.webp 2023-03-20 10:15:11 CVE-2023-1507 (direct link) A vulnerability has been found in SourceCodester E-Commerce System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /ecommerce/admin/category/controller.php of the component Category Name Handler. The manipulation of the argument CATEGORY leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223411. Vulnerability Guideline
CVE.webp 2023-03-20 10:15:11 CVE-2023-1506 (direct link) A vulnerability, which was classified as critical, was found in SourceCodester E-Commerce System 1.0. Affected is an unknown function of the file login.php. The manipulation of the argument U_USERNAME leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223410 is the identifier assigned to this vulnerability. Guideline
AlienVault.webp 2023-03-20 10:00:00 Italian agency warns ransomware targets known VMware vulnerability (direct link) The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.  News broke in early February that the ACN, Italy’s National Cybersecurity Agency, issued a warning regarding a VMware vulnerability discovered two years ago. Many organizations hadn’t yet patched the issue and became the victims of a new ransomware called ZCryptor. The malicious software wreaked havoc on Italian and European businesses by encrypting users’ files and demanding payment for the data to be unencrypted.  The ACN urges VMware users to ensure their systems are backed up and updated with the most recent security patches available. With ransomware on the rise, it’s crucial that businesses take the necessary steps to protect their data and applications.  ESXiArgs ransomware attacks Ransomware is a type of malware or malicious software that enables unauthorized users to restrict access to an organization’s files, systems, and networks. But it doesn’t stop there. In exchange for the keys to the kingdom, attackers will typically require a large sum in the form of cryptocurrency.  There are many ways that ransomware is executed on a target system. In this case, the attacker infiltrated VMware’s ESXi hypervisor code and held entire servers for ransom. According to reports, most victims were required to pay almost $50,000 USD in Bitcoin to restore access to entire business systems.  The nature of these attacks led experts to believe that this is not the work of ransomware gangs, and is more likely being executed by a smaller group of threat actors. But that doesn’t mean the damage was any less alarming.  Exploiting known vulnerabilities Hackers were able to infect over 2000 machines in only twenty-four hours on a Friday afternoon before the start of the weekend. 
But how were they able to work so fast? As soon as software developers and providers publish fixes for specific vulnerabilities, threat actors are already beginning their plan of attack. Fortunately, the ESXiArgs vulnerability was patched two years ago (CVE-2021-21974).  Organizations that have not run this patch are at risk of becoming a victim of the latest ransomware. Unfortunately, Florida’s Supreme Court, the Georgia Institute of Technology, Rice University, and many schools across Hungary and Slovakia have also become victims of this newest ransomware attack.  CISA guidance for affected systems The US Cybersecurity and Infrastructure Security Agency (CISA) issued recovery guidance for the 3,800 servers around the world affected by the ESXiArgs ransomware attacks:  Immediately update all servers to the latest VMware ESXi version.  Disable Service Location Protocol (SLP) to harden the hypervisor. Make sure the ESXi hypervisor is never exposed to the public internet.  CISA also offers a script on its GitHub page to reconstruct virtual machine metadata from unaffected virtual disks.  What organi Ransomware Malware Vulnerability Threat Patching Guideline ★★★
CVE.webp 2023-03-20 09:15:12 CVE-2023-1502 (direct link) A vulnerability was found in SourceCodester Alphaware Simple E-Commerce System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file function/edit_customer.php. The manipulation of the argument firstname/mi/lastname with the input a' RLIKE SLEEP(5) AND 'dAbu'='dAbu leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-223406 is the identifier assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-20 09:15:12 CVE-2023-1503 (direct link) A vulnerability classified as critical has been found in SourceCodester Alphaware Simple E-Commerce System 1.0. This affects an unknown part of the file admin/admin_index.php. The manipulation of the argument username/password with the input admin' AND (SELECT 8062 FROM (SELECT(SLEEP(5)))meUD)-- hLiX leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223407. Vulnerability Guideline
CVE.webp 2023-03-20 09:15:12 CVE-2023-1505 (direct link) A vulnerability, which was classified as critical, has been found in SourceCodester E-Commerce System 1.0. This issue affects some unknown processing of the file /ecommerce/admin/settings/setDiscount.php. The manipulation of the argument id with the input 201737 AND (SELECT 8973 FROM (SELECT(SLEEP(5)))OoAD) leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223409 was assigned to this vulnerability. Guideline
CVE.webp 2023-03-20 09:15:12 CVE-2023-1504 (direct link) A vulnerability classified as critical was found in SourceCodester Alphaware Simple E-Commerce System 1.0. This vulnerability affects unknown code. The manipulation of the argument email/password with the input test1%40test.com ' AND (SELECT 6077 FROM (SELECT(SLEEP(5)))dltn) AND 'PhRa'='PhRa leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223408. Vulnerability Guideline
CVE.webp 2023-03-20 05:15:12 CVE-2022-4933 (direct link) A vulnerability, which was classified as critical, has been found in ATM Consulting dolibarr_module_quicksupplierprice up to 1.1.6. Affected by this issue is the function upatePrice of the file script/interface.php. The manipulation leads to sql injection. The attack may be launched remotely. Upgrading to version 1.1.7 is able to address this issue. The name of the patch is ccad1e4282b0e393a32fcc852e82ec0e0af5446f. It is recommended to upgrade the affected component. VDB-223382 is the identifier assigned to this vulnerability. Guideline
CVE.webp 2023-03-20 05:15:11 CVE-2015-10096 (direct link) A vulnerability, which was classified as critical, was found in Zarthus IRC Twitter Announcer Bot up to 1.1.0. This affects the function get_tweets of the file lib/twitterbot/plugins/twitter_announcer.rb. The manipulation of the argument tweet leads to command injection. It is possible to initiate the attack remotely. Upgrading to version 1.1.1 is able to address this issue. The name of the patch is 6b1941b7fc2c70e1f40981b43c84a2c20cc12bd3. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223383. Vulnerability Guideline
CVE.webp 2023-03-19 20:15:19 CVE-2023-1500 (direct link) A vulnerability, which was classified as problematic, has been found in code-projects Simple Art Gallery 1.0. Affected by this issue is some unknown functionality of the file adminHome.php. The manipulation of the argument about_info leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223400. Vulnerability Guideline
CVE.webp 2023-03-19 20:15:19 CVE-2023-1501 (direct link) A vulnerability, which was classified as critical, was found in RockOA 2.3.2. This affects the function runAction of the file acloudCosAction.php.SQL. The manipulation of the argument fileid leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223401 was assigned to this vulnerability. Guideline
CVE.webp 2023-03-19 20:15:19 CVE-2023-1498 (direct link) A vulnerability classified as critical has been found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file messages.php of the component Newsletter Log Handler. The manipulation of the argument title leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223398 is the identifier assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-19 20:15:19 CVE-2023-1499 (direct link) A vulnerability classified as critical was found in code-projects Simple Art Gallery 1.0. Affected by this vulnerability is an unknown functionality of the file adminHome.php. The manipulation of the argument reach_city leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223399. Vulnerability Guideline
CVE.webp 2023-03-19 19:15:20 CVE-2023-1497 (direct link) A vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script 1.0. It has been rated as critical. This issue affects some unknown processing of the file uploaderm.php. The manipulation of the argument submit leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223397 was assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-19 00:15:12 CVE-2023-1495 (direct link) A vulnerability classified as critical was found in Rebuild up to 3.2.3. Affected by this vulnerability is the function queryListOfConfig of the file /admin/robot/approval/list. The manipulation of the argument q leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is c9474f84e5f376dd2ade2078e3039961a9425da7. It is recommended to apply a patch to fix this issue. The identifier VDB-223381 was assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-18 23:15:11 CVE-2023-1493 (direct link) A vulnerability was found in Max Secure Anti Virus Plus 19.0.2.1. It has been rated as problematic. This issue affects some unknown processing in the library MaxProctetor64.sys of the component IoControlCode Handler. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223379. Vulnerability Guideline
CVE.webp 2023-03-18 23:15:11 CVE-2023-1492 (direct link) A vulnerability was found in Max Secure Anti Virus Plus 19.0.2.1. It has been declared as problematic. This vulnerability affects unknown code in the library MaxProc64.sys of the component IoControlCode Handler. The manipulation of the argument SystemBuffer leads to denial of service. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. VDB-223378 is the identifier assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-18 23:15:11 CVE-2023-1494 (direct link) A vulnerability classified as critical has been found in IBOS 4.5.5. Affected is an unknown function of the file ApiController.php. The manipulation of the argument emailids leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223380. Vulnerability Guideline
CVE.webp 2023-03-18 22:15:11 CVE-2023-1489 (direct link) A vulnerability has been found in Lespeed WiseCleaner Wise System Monitor 1.5.3.54 and classified as critical. Affected by this vulnerability is an unknown functionality in the library WiseHDInfo64.dll of the component IoControlCode Handler. The manipulation leads to improper access controls. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223375. Vulnerability Guideline
CVE.webp 2023-03-18 22:15:11 CVE-2023-1490 (direct link) A vulnerability was found in Max Secure Anti Virus Plus 19.0.2.1 and classified as critical. Affected by this issue is some unknown functionality in the library SDActMon.sys of the component IoControlCode Handler. The manipulation leads to improper access controls. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223376. Vulnerability Guideline
CVE.webp 2023-03-18 22:15:11 CVE-2023-1491 (direct link) A vulnerability was found in Max Secure Anti Virus Plus 19.0.2.1. It has been classified as critical. This affects an unknown part in the library MaxCryptMon.sys of the component IoControlCode Handler. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-223377 was assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-18 21:15:11 CVE-2023-1486 (direct link) A vulnerability classified as problematic was found in Lespeed WiseCleaner Wise Force Deleter 1.5.3.54. This vulnerability affects unknown code in the library WiseUnlock64.sys of the component IoControlCode Handler. The manipulation leads to improper access controls. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223372. Vulnerability Guideline
CVE.webp 2023-03-18 21:15:11 CVE-2023-1485 (direct link) A vulnerability classified as problematic has been found in SourceCodester Young Entrepreneur E-Negosyo System 1.0. This affects an unknown part of the file /bsenordering/index.php of the component GET Parameter Handler. The manipulation of the argument category with the input alert(222) leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223371. Vulnerability Guideline
CVE.webp 2023-03-18 21:15:11 CVE-2023-1487 (direct link) A vulnerability, which was classified as problematic, has been found in Lespeed WiseCleaner Wise System Monitor 1.5.3.54. This issue affects some unknown processing in the library WiseHDInfo64.dll of the component IoControlCode Handler. The manipulation leads to denial of service. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The identifier VDB-223373 was assigned to this vulnerability. Guideline
CVE.webp 2023-03-18 21:15:11 CVE-2023-1488 (direct link) A vulnerability, which was classified as problematic, was found in Lespeed WiseCleaner Wise System Monitor 1.5.3.54. Affected is an unknown function in the library WiseHDInfo64.dll of the component IoControlCode Handler. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. VDB-223374 is the identifier assigned to this vulnerability. Guideline
CVE.webp 2023-03-18 10:15:11 CVE-2023-1482 (direct link) A vulnerability, which was classified as problematic, was found in HkCms 2.2.4.230206. This affects an unknown part of the file /admin.php/appcenter/local.html?type=addon of the component External Plugin Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223365 was assigned to this vulnerability. Guideline
CVE.webp 2023-03-18 10:15:11 CVE-2023-1483 (direct link) A vulnerability has been found in XiaoBingBy TeaCMS up to 2.0.2 and classified as critical. This vulnerability affects unknown code of the file /admin/getallarticleinfo. The manipulation of the argument searchInfo leads to sql injection. The attack can be initiated remotely. VDB-223366 is the identifier assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-18 10:15:11 CVE-2023-1484 (direct link) A vulnerability was found in xzjie cms up to 1.0.3 and classified as critical. This issue affects some unknown processing of the file /api/upload. The manipulation of the argument uploadFile leads to unrestricted upload. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-223367. Vulnerability Guideline
CVE.webp 2023-03-18 09:15:11 CVE-2023-1479 (direct link) A vulnerability classified as critical has been found in SourceCodester Simple Music Player 1.0. Affected is an unknown function of the file save_music.php. The manipulation of the argument filename leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223362 is the identifier assigned to this vulnerability. Vulnerability Guideline
CVE.webp 2023-03-18 09:15:11 CVE-2023-1481 (lien direct) A vulnerability, which was classified as problematic, has been found in SourceCodester Monitoring of Students Cyber Accounts System 1.0. Affected by this issue is some unknown functionality of the file modules/balance/index.php?view=balancelist of the component POST Parameter Handler. The manipulation of the argument id with the input ">alert(111) leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223364. Vulnerability Guideline
CVE.webp 2023-03-18 09:15:11 CVE-2023-1480 (lien direct) A vulnerability classified as critical was found in SourceCodester Monitoring of Students Cyber Accounts System 1.0. Affected by this vulnerability is an unknown functionality of the file login.php of the component POST Parameter Handler. The manipulation of the argument un leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223363. Vulnerability Guideline
CVE.webp 2023-03-17 22:15:11 CVE-2023-28115 (lien direct) Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2. Vulnerability Guideline
CVE.webp 2023-03-17 15:15:12 CVE-2023-1475 (lien direct) A vulnerability, which was classified as critical, has been found in SourceCodester Canteen Management System 1.0. This issue affects the function query of the file createuser.php. The manipulation of the argument uemail leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-223337 was assigned to this vulnerability. Guideline
CVE.webp 2023-03-17 15:15:12 CVE-2023-26040 (lien direct) Discourse is an open-source discussion platform. Between versions 3.1.0.beta2 and 3.1.0.beta3 of the `tests-passed` branch, editing or responding to a chat message containing malicious content could lead to a cross-site scripting attack. This issue is patched in version 3.1.0.beta3 of the `tests-passed` branch. There are no known workarounds. Guideline
CVE.webp 2023-03-17 15:15:11 CVE-2023-1474 (lien direct) A vulnerability classified as critical was found in SourceCodester Automatic Question Paper Generator System 1.0. This vulnerability affects unknown code of the file users/question_papers/manage_question_paper.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223336. Vulnerability Guideline
Last update at: 2024-05-13 22:07:55