Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: Summary
The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character.
Details
When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying /api/v1/user/accept-invite API endpoint does not implement the same password policy validations.
Impact
This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user's account can be compromised easily by an attacker guessing or brute forcing the password.
Patches
The vulnerability has been patched in Fides version 2.50.0. Users are advised to upgrade to this version or later to secure their systems against this threat.
Workarounds
There are no workarounds.
Severity
This vulnerability has been assigned a severity of LOW.
Using CVSS v3.1 it could be scored as CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (5.7 Medium/Moderat...
November 27th, 2024 (5 months ago)
|
|
|
Description: Summary
lobe-chat before 1.19.13 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.
Details
visit https://chat-preview.lobehub.com/
click settings -> llm -> openai
fill the OpenAI API Key you like
fill the proxy address that you want to attack (e.g. a domain that resolved to a local ip addr like 127.0.0.1.xip.io) (the address will concat the path "/chat/completions" which can be bypassed with sharp like "http://172.23.0.1:8000/#")
then lobe will echo the ssrf result
The jwt token header X-Lobe-Chat-Auth strored proxy address and OpenAI API Key, you can modify it to scan internal network in your target lobe-web.
PoC
POST /api/chat/openai HTTP/2
Host: chat-preview.lobehub.com
Cookie: LOBE_LOCALE=zh-CN; LOBE_THEME_PRIMARY_COLOR=undefined; LOBE_THEME_NEUTRAL_COLOR=undefined; _ga=GA1.1.86608329.1711346216; _ga_63LP1TV70T=GS1.1.1711346215.1.1.1711346244.0.0.0
Content-Length: 158
Sec-Ch-Ua: "Google Chrome";v="123", "Not:A-Brand";v="8", "Chromium";v="123"
X-Lobe-Chat-Auth: eyJhbGciOiJIUzI1NiJ9.eyJhY2Nlc3NDb2RlIjoiIiwiYXBpS2V5IjoiMSIsImVuZHBvaW50IjoiaHR0cDovLzEyNy4wLjAuMS54aXAuaW86MzIxMCIsImlhdCI6MTcxMTM0NjI1MCwiZXhwIjoxNzExMzQ2MzUwfQ.ZZ3v3q9T8E6llOVGOA3ep5OSVoFEawswEfKtufCcwL4
Content-Type: application/json
X-Lobe-Trace: eyJlbmFibGVkIjpmYWxzZX0=
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, ...
November 27th, 2024 (5 months ago)
|
|
|
Description: Impact
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due to improper sanitization of the URL parameters, allowing the URL bar's contents to be injected and reflected into the HTML page. An attacker could craft a malicious URL to execute arbitrary JavaScript in the browser of a victim who visits the link.
Who is impacted?
Any application utilizing this authentication library is vulnerable. Users of the application are at risk if they can be lured into clicking on a crafted malicious link.
Patches
The vulnerability has been patched in 2.5.5 by ensuring proper sanitization and escaping of user input in the affected URL parameters.
Users are strongly encouraged to upgrade to the following versions:
Workarounds
If upgrading is not immediately possible, users can implement the following workarounds:
Employ a Web Application Firewall (WAF) to block malicious requests containing suspicious URL parameters.
Apply input validation and escaping directly within the application’s middleware or reverse proxy layer, specifically targeting the affected parameters.
References
OWASP Cross-Site Scripting (XSS) Cheat Sheet: https://owasp.org/www-community/attacks/xss/
References
https://github.com/DapperDuckling/keycloak-connector/security/advisories/GHSA-w5rq-g9r6-vrcg
https://nvd.nist.gov/vuln/detail/CVE-2024-53843
https://github.com/advisories/GHSA-w5rq-g9r6-vrcg
November 27th, 2024 (5 months ago)
|
|
|
Description: Summary
sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log
Impact
This bug impacts clients using any variation of KeylessVerifier.verify()
The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby "verifying" a bundle without any proof the signing event was logged.
This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor's log monitors.
The signer's identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass.
sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality.
Steps To Reproduce
Build the java sigstore-cli at v1.0.0
git clone --branch v1.0.0 [email protected]:sigstore/sigstore-java
cd sigstore-java
./gradlew :sigstore-cli:build
tar -xf sigstore-cli/build/distributions/sigstore-cli-1.0.0-SNAPSHOT.tar --strip-components 1
Create two random blobs
dd bs=1 count=50 </dev/urandom > blob1
dd bs=1 count=50 </dev/urandom > blob2
Sign each blob using the cli
./bin/sigstore-cli sign --bund...
November 27th, 2024 (5 months ago)
|
|
|
Description: Impact
Existing lakeFS users who have issued credentials to users who have been deleted.
Creating a new user with the same username, that user will inherit all of the previous user's credentials lakeFS needs to delete user credentials upon user deletion.
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
A possible workaround will be not to reuse usernames that were previously deleted
References
Are there any links users can visit to find out more?
References
https://github.com/treeverse/lakeFS/security/advisories/GHSA-hh33-46q4-hwm2
https://nvd.nist.gov/vuln/detail/CVE-2024-43784
https://github.com/treeverse/lakeFS/releases/tag/v1.33.0
https://github.com/advisories/GHSA-hh33-46q4-hwm2
November 27th, 2024 (5 months ago)
|
|
|
Description: Impact
Patches
1.31.1, 1.30.6, 1.29.8
Workarounds
set enable_criu_support = false
References
Are there any links users can visit to find out more?
References
https://github.com/cri-o/cri-o/security/advisories/GHSA-7p9f-6x8j-gxxp
https://nvd.nist.gov/vuln/detail/CVE-2024-8676
https://github.com/cri-o/cri-o/commit/e8e7dcb7838d11b5157976bf3e31a5840bb77de7
https://access.redhat.com/security/cve/CVE-2024-8676
https://bugzilla.redhat.com/show_bug.cgi?id=2313842
https://github.com/advisories/GHSA-7p9f-6x8j-gxxp
November 27th, 2024 (5 months ago)
|
|
|
Description: Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through src tag, potentially exposing sensitive information.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-51058
https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b
https://github.com/saravana-hackz/vulnerability-research/tree/main/CVE-2024-51058
https://github.com/tecnickcom/TCPDF
https://github.com/advisories/GHSA-rmv2-8jjc-23xw
November 27th, 2024 (5 months ago)
|
|
|
Description: CISA released six Industrial Control Systems (ICS) advisories on November 26, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-24-331-01 Schneider Electric PowerLogic PM55xx and PowerLogic PM8ECC
ICSA-24-331-02 Schneider Electric PowerLogic P5
ICSA-24-331-03 Schneider Electric EcoStruxure Control Expert, EcoStruxure Process Expert, and Modicon M340, M580 and M580 Safety PLCs
ICSA-24-331-04 Hitachi Energy MicroSCADA Pro/X SYS600
ICSA-24-331-05 Hitachi Energy RTU500 Scripting Interface
ICSMA-24-200-01 Philips Vue PACS (Update A)
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
November 27th, 2024 (5 months ago)
|
|
|
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 7.4
ATTENTION: Exploitable remotely
Vendor: Hitachi Energy
Equipment: RTU500 Scripting Interface
Vulnerability: Improper Certificate Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to spoof the identity of the service.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Hitachi Energy are affected:
RTU500 Scripting Interface: Version 1.0.1.30
RTU500 Scripting Interface: Version 1.0.2
RTU500 Scripting Interface: Version 1.1.1
RTU500 Scripting Interface: Version 1.2.1
RTU500 Scripting Interface: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295
Hitachi Energy is aware of a reported vulnerability in the RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a certification authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate, then attackers could be able to spoof the identity of the service.
CVE-2023-1514 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Wor...
November 27th, 2024 (5 months ago)
|
|
|
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 6.1
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: PowerLogic P5
Vulnerability: Use of a Broken or Risky Cryptographic Algorithm
2. RISK EVALUATION
If an attacker has physical access to the device, it is possible to reboot the device, cause a denial of service condition, or gain full control of the relay by abusing a specially crafted reset token.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following products are affected:
Schneider Electric PowerLogic P5: Versions 01.500.104 and prior
3.2 Vulnerability Overview
3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327
A vulnerability exists, which could cause denial of service, a device reboot, or an attacker to gain full control of the relay. When a specially-crafted reset token is entered into the front panel of the device, an exploit exists due to the device's utilization of a risky cryptographic algorithm.
CVE-2024-5559 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric CPCERT reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users can apply to r...
November 27th, 2024 (5 months ago)
|