#apache

This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11...

Computer Laboratory Management System version 1.0 suffers from an insecure direct object reference vulnerability.

Blood Bank version 1.0 suffers from a persistent cross site scripting vulnerability.

Online Hotel Booking in PHP version 1.0 suffers from a remote blind SQL injection vulnerability.

BioTime versions 8.5.5 and 9.0.1 suffer from directory traversal and file write vulnerabilities. This exploit also achieves remote code execution on version 8.5.5.

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writeable. This issue does not affect users who use or extend Airflow using Official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ) - those images require to have group write permission set anyway. You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if dock...

By Uzair Amir With the increasing popularity of Apache Kafka as a distributed streaming platform, ensuring its high availability has become… This is a post from HackRead.com Read the original post: Best Practices for Kafka Management to Ensure High Availability

Task Management System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

### Summary _A file upload path traversal vulnerability has been identified in the application, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques._ ### Installation Configuration - Grav CMS 1.10.44 - Apache web server - php-8.2 ### Details _**Vulnerable code location:**_ grav/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php/checkFileMetadata() method_ public function checkFileMetadata(array $metadata, string $filename = null, array $settings = null): string { // Add the defaults to the settings. $settings = $this->getUploadSettings($settings); // Destination is always needed (but it can be set in defaults). $self = $settings['self'] ?? f...