CyberAlerts

CVE-2023-50259

Description: Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The `testslack` request handler in `medusa/server/web/home/handler.py` does not validate the user-controlled `slack_webhook` variable and passes it to the `notifiers.slack_notifier.test_notify` method, then `_notify_slack` and finally `_send_slack` method, which sends a POST request to the user-controlled URL on line 103 in `/medusa/notifiers/slack.py`, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting POST requests on behalf of the Medusa server. Version 1.0.19 contains a fix for the issue.

CVSS: MEDIUM (5.3)

EPSS Score: 0.16%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-50246

jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c

Description: jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue.

CVSS: MEDIUM (6.2)

EPSS Score: 0.04%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-5010

Student Information System v1.0 - Multiple Authenticated SQL Injections (SQLi)

Description: Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'coursecode' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49799

Server-Side Request Forgery in nuxt-api-party

Description: `nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs.

CVSS: HIGH (7.5)

EPSS Score: 0.14%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49280

Data leak of password hash through xwiki change request

Description: XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view. This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default.

CVSS: HIGH (7.7)

EPSS Score: 0.12%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49119

Description: Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.

CVSS: LOW (0.0)

EPSS Score: 0.05%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49097

ZITADEL vulnerable account takeover via malicious host header injection

Description: ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9.

CVSS: HIGH (8.1)

EPSS Score: 0.22%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49095

nexkey allows arbitrary users to impersonate any remote user due to missing signature validation

Description: nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2.

CVSS: HIGH (8.6)

EPSS Score: 0.05%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49092

RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels

Description: RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.

CVSS: MEDIUM (5.9)

EPSS Score: 0.14%

Source: CVE

November 28th, 2024 (5 months ago)

CVE-2023-49091

Jwttoken in Cosmos server never expires after password changed and logging out

Description: Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0.

CVSS: HIGH (8.8)

EPSS Score: 0.25%

Source: CVE

November 28th, 2024 (5 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2023-50259	Blind SSRF in /home/testslack endpoint Description: Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The `testslack` request handler in `medusa/server/web/home/handler.py` does not validate the user-controlled `slack_webhook` variable and passes it to the `notifiers.slack_notifier.test_notify` method, then `_notify_slack` and finally `_send_slack` method, which sends a POST request to the user-controlled URL on line 103 in `/medusa/notifiers/slack.py`, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting POST requests on behalf of the Medusa server. Version 1.0.19 contains a fix for the issue. CVSS: MEDIUM (5.3) EPSS Score: 0.16% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-50246	jq has heap-buffer-overflow vulnerability in the function decToString in decNumber.c Description: jq is a command-line JSON processor. Version 1.7 is vulnerable to heap-based buffer overflow. Version 1.7.1 contains a patch for this issue. CVSS: MEDIUM (6.2) EPSS Score: 0.04% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-5010	Student Information System v1.0 - Multiple Authenticated SQL Injections (SQLi) Description: Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'coursecode' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database. CVSS: CRITICAL (9.8) EPSS Score: 0.04% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49799	Server-Side Request Forgery in nuxt-api-party Description: `nuxt-api-party` is an open source module to proxy API requests. nuxt-api-party attempts to check if the user has passed an absolute URL to prevent the aforementioned attack. This has been recently changed to use the regular expression `^https?://`, however this regular expression can be bypassed by an absolute URL with leading whitespace. For example `\nhttps://whatever.com` which has a leading newline. According to the fetch specification, before a fetch is made the URL is normalized. "To normalize a byte sequence potentialValue, remove any leading and trailing HTTP whitespace bytes from potentialValue.". This means the final request will be normalized to `https://whatever.com` bypassing the check and nuxt-api-party will send a request outside of the whitelist. This could allow us to leak credentials or perform Server-Side Request Forgery (SSRF). This vulnerability has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should revert to the previous method of detecting absolute URLs. CVSS: HIGH (7.5) EPSS Score: 0.14% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49280	Data leak of password hash through xwiki change request Description: XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view. This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default. CVSS: HIGH (7.7) EPSS Score: 0.12% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49119	Description: Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. CVSS: LOW (0.0) EPSS Score: 0.05% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49097	ZITADEL vulnerable account takeover via malicious host header injection Description: ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the users password and take over his account. Accounts with MFA or Passwordless enabled can not be taken over by this attack. This issue has been patched in versions 2.41.6, 2.40.10 and 2.39.9. CVSS: HIGH (8.1) EPSS Score: 0.22% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49095	nexkey allows arbitrary users to impersonate any remote user due to missing signature validation Description: nexkey is a microblogging platform. Insufficient validation of ActivityPub requests received in inbox could allow any user to impersonate another user in certain circumstances. This issue has been patched in version 12.122.2. CVSS: HIGH (8.6) EPSS Score: 0.05% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49092	RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels Description: RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer. CVSS: MEDIUM (5.9) EPSS Score: 0.14% Source: CVE November 28th, 2024 (5 months ago)
CVE-2023-49091	Jwttoken in Cosmos server never expires after password changed and logging out Description: Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.0. CVSS: HIGH (8.8) EPSS Score: 0.25% Source: CVE November 28th, 2024 (5 months ago)