{"vulnerability": "CVE-2023-4438", "sightings": [{"uuid": "f2af0a64-3c35-4056-806c-ee6cf8520209", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44381", "type": "seen", "source": "https://t.me/ctinow/157042", "content": "https://ift.tt/GhkQsIC\nCVE-2023-44381 | October CMS prior 3.4.15 Template injection (GHSA-q22j-5r3g-9hmh)", "creation_timestamp": "2023-12-20T14:46:34.000000Z"}, {"uuid": "f40c0029-033e-4151-a734-88336f6f32c4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44382", "type": "seen", "source": "https://t.me/ctinow/157041", "content": "https://ift.tt/XhpCdBj\nCVE-2023-44382 | October CMS prior 3.4.15 Safe Mode access control (GHSA-p8q3-h652-65vx)", "creation_timestamp": "2023-12-20T14:46:33.000000Z"}, {"uuid": "0cecdeb1-adf2-4719-a9b7-740087293bf7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44387", "type": "seen", "source": "https://t.me/cibsecurity/71684", "content": "\u203c CVE-2023-44387 \u203c\n\nGradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-05T22:13:13.000000Z"}, {"uuid": "72443efc-ab7d-4cc1-850e-f4c276dcb1e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44388", "type": "seen", "source": "https://t.me/cibsecurity/72380", "content": "\u203c CVE-2023-44388 \u203c\n\nDiscourse is an open source platform for community discussion. A malicious request can cause production log files to quickly fill up and thus result in the server running out of disk space. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. It is possible to temporarily work around this problem by reducing the `client_max_body_size nginx directive`. `client_max_body_size` will limit the size of uploads that can be uploaded directly to the server.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-17T02:32:12.000000Z"}, {"uuid": "6d6927f7-6869-4e7c-856b-ce9d31ff1de9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44389", "type": "seen", "source": "https://t.me/cibsecurity/71647", "content": "\u203c CVE-2023-44389 \u203c\n\nZope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-05T00:13:42.000000Z"}, {"uuid": "61177751-369f-442a-be3a-481e555fdfe7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44384", "type": "seen", "source": "https://t.me/cibsecurity/71760", "content": "\u203c CVE-2023-44384 \u203c\n\nDiscourse-jira is a Discourse plugin allows Jira projects, issue types, fields and field options will be synced automatically. An administrator user can make an SSRF attack by setting the Jira URL to an arbitrary location and enabling the `discourse_jira_verbose_log` site setting. A moderator user could manipulate the request path to the Jira API, allowing them to perform arbitrary GET requests using the Jira API credentials, potentially with elevated permissions, used by the application.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-10-06T22:13:48.000000Z"}, {"uuid": "780ca0cf-d649-4116-b1a5-dd2f1fa32253", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-4438", "type": "seen", "source": "https://t.me/cibsecurity/68871", "content": "\u203c CVE-2023-4438 \u203c\n\nA vulnerability has been found in SourceCodester Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/ajax/search_sales_report.php. The manipulation of the argument customer leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-237559.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-22T11:52:58.000000Z"}]}