Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

Red Hat Security Advisory 2024-4245-03

Red Hat Security Advisory 2024-4245-03 - An update for python3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a remote SQL injection vulnerability.

Packet Storm
#sql#vulnerability#linux#red_hat#js
Red Hat Security Advisory 2024-4244-03

Red Hat Security Advisory 2024-4244-03 - An update for python3.11-PyMySQL is now available for Red Hat Enterprise Linux 8. Issues addressed include a remote SQL injection vulnerability.

GHSA-j59v-vgcr-hxvf: GeoServer's Server Status shows sensitive environmental variables and Java properties

GeoServer's Server Status page and REST API (at `/geoserver/rest/about/status`) lists *all* environment variables and Java properties to *any* GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens, for example: * Data stores defined with [parameterized catalog settings][catalog] (`-DALLOW_ENV_PARAMETRIZATION=true`) which need a password or access key. * GeoServer's official Docker image [uses environment variables to configure PostgreSQL JNDI resources, including credentials][docker-jndi] (`POSTGRES_HOST`, `POSTGRES_USERNAME`, `POSTGRES_PASSWORD`) Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process, such as: * GeoServer `admin` and master (`root`) passwords * Tomcat management application password * HTTPS/TLS cer...

GHSA-c2hr-cqg6-8j6r: ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

### Impact This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. ### Patches The algorithm to detect SQL injection has been improved. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-c2hr-cqg6-8j6r - https://github.com/parse-community/parse-server/pull/9167 (fix for Parse Server 7) - https://github.com/parse-community/parse-server/pull/9168 (fix for Parse Server 6) ### Credits - Smile Thanapattheerakul of Trend Micro (finder) - Manuel Trezza (coordinator)

Simple Laboratory Management System 1.0 SQL Injection

Simple Laboratory Management System version 1.0 suffers from a remote time-based SQL injection vulnerability.

Azon Dominator Affiliate Marketing Script SQL Injection

Azon Dominator Affiliate Marketing Script suffers from a remote SQL injection vulnerability.

Xhibiter NFT Marketplace 1.10.2 SQL Injection

Xhibiter NFT Marketplace version 1.10.2 suffers from a remote SQL injection vulnerability.

Customer Support System 1.0 Cross Site Scripting

Customer Support System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Ahmed Abba in November of 2020.

CISA's Flags Memory-Unsafe Code in Major Open Source Projects

Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.

Ubuntu Security Notice USN-5616-3

Ubuntu Security Notice 5616-3 - USN-5615-1 fixed several vulnerabilities in SQLite. This update provides the corresponding fix for CVE-2020-35525 for Ubuntu 14.04 LTS. It was discovered that SQLite incorrectly handled INTERSEC query processing. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.