Apache Superset vulnerable to Exposure of Sensitive Information
An authenticated user with specific data permissions could access the stored passwords of database connections by requesting a specific REST API. This issue affects Apache Superset version 1.3.0 up to 2.0 ...
July 07, 2023
gRPC connection termination issue
gRPC contains a vulnerability whereby a client can cause termination of the connection between an HTTP/2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disco ...
July 07, 2023
Nextcloud: Mail app stores cleartext password in database until OAUTH2 setup is done
## Summary:
The Mail app usually stores the user password encrypted. For XOAUTH2 the encrypted access token is stored in the same columns. However, during the time of the setup, XOAUTH2 accounts have ...
July 01, 2023
[SECURITY] [DLA 2858-1] libzip security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2858-1 [email protected]
https://www.debian.org/lts/security/ ...
July 01, 2023
CVE-2021-4191
An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumerat ...
July 01, 2023
Improper Access Control in Onionshare
Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's [ ...
July 01, 2023
nv-websocket-client allows attackers to spoof SSL/TLS servers via an arbitrary valid certificate
The Java WebSocket client nv-websocket-client does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which a ...
July 01, 2023
CVE-2022-25313
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
#### Notes
| Author | Note |
|---|---|
| sbeattie | paraview uses ... |
July 01, 2023
CVE-2023-23602
A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from insi ...
June 30, 2023