Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-v642-mh27-8j6m: MantisBT may disclose project names to unauthorized users

### Impact Due to insufficient access-level checks on the Wiki redirection page, any user can reveal private Projects' names, by accessing wiki.php with sequentially incremented IDs. ### Patches Patch under development. The vulnerability will be fixed in MantisBT version 2.25.8. ### Workarounds Disable wiki integration ( `$g_wiki_enable = OFF;`) ### References - https://mantisbt.org/bugs/view.php?id=32981

ghsa
Open in Source
#vulnerability#git#php#auth
CVE-2023-45901: dreamer_cms/There is a csrf in the newly added column of column management.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin\/category\/add.

CVE-2023-45904: dreamer_cms/There is a csrf vulnerability in the variable management modification function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /variable/update.

CVE-2023-45903: dreamer_cms/There is a csrf vulnerability in the label management deletion function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/label/delete.

CVE-2023-45905: dreamer_cms/There is a csrf vulnerability in variable management with added functionality.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/variable/add.

CVE-2023-45907: dreamer_cms/There is a csrf vulnerability in the variable management deletion function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/variable/delete.

CVE-2023-45902: dreamer_cms/There is a csrf in the attachment management deletion function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete.

CVE-2023-45906: dreamer_cms/There is a csrf in the user added function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/user/add.

Top 6 Mistakes in Incident Response Tabletop Exercises

Avoid these errors to get the greatest value from your incident response training sessions.

GHSA-3m5q-q39v-xf8f: nocodb SQL Injection vulnerability

## Summary Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database. ## Product nocodb/nocodb ## Tested Version [0.109.2](https://github.com/nocodb/nocodb/releases/tag/0.109.2) ## Details ### SQL injection in `SqliteClient.ts` (`GHSL-2023-141`) By supplying a specially crafted payload to the given below parameter and endpoint, an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injections, an attacker may need to use time-based payloads which would include a function to delay execution for a given number of seconds. The response time indicates, whether the result of the query execution was true or false. Depending on the result, the HTTP response will be returned after a given number of seconds, indicating TRUE, or immediately, indicating FALSE. In that way, an attacker can reveal the data present in the database. The [`triggerList`](https://github.com/nocodb/nocodb...