{
  "vulnerability": "cve-2023-4366",
  "sightings": [
    {
      "uuid": "0aad85cf-a4de-4a07-bae6-3cdede98f1d5",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43666",
      "type": "published-proof-of-concept",
      "source": "https://t.me/cibsecurity/72304",
      "content": "\u203c CVE-2023-43666 \u203c\n\nInsufficient Verification of Data Authenticity vulnerability in Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0, General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8623\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-10-16T12:36:35.000000Z"
    },
    {
      "uuid": "f4c2e571-2431-4ce1-91ed-5003bbc81133",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43665",
      "type": "seen",
      "source": "https://t.me/arpsyndicate/4254",
      "content": "#ExploitObserverAlert\n\nCVE-2024-27351\n\nDESCRIPTION: Exploit Observer has 48 entries in 6 file formats related to CVE-2024-27351. In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. \nNOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.",
      "creation_timestamp": "2024-03-16T21:03:26.000000Z"
    },
    {
      "uuid": "fe9cd535-effd-426a-8775-e0f2c9d3606d",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43661",
      "type": "seen",
      "source": "https://t.me/cibsecurity/72144",
      "content": "\u203c CVE-2023-43661 \u203c\n\nCachet, the open-source status page system. Prior to the 2.4 branch, a template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Commit 6fb043e109d2a262ce3974e863c54e9e5f5e0587 of the 2.4 branch contains a patch for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-10-12T00:17:39.000000Z"
    },
    {
      "uuid": "8dbe34aa-1aed-4e98-bc66-f9291d2901ff",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43662",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71248",
      "content": "\u203c CVE-2023-43662 \u203c\n\nShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read. This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server. The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. \nUsers should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-29T02:37:11.000000Z"
    },
    {
      "uuid": "fd250cb6-dafe-4ffe-904b-8dc7d2fcacbe",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43664",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71225",
      "content": "\u203c CVE-2023-43664 \u203c\n\nPrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights. This issue has been addressed in commit `15bd281c` which is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-28T22:37:02.000000Z"
    },
    {
      "uuid": "856bc54c-05d9-4beb-a82c-cf8d8f3487da",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43663",
      "type": "seen",
      "source": "https://t.me/cibsecurity/71224",
      "content": "\u203c CVE-2023-43663 \u203c\n\nPrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from back office, even with low user right. This allows low privileged users to disable portions of a shop's functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. \nThere are no known workarounds for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-28T22:37:01.000000Z"
    },
    {
      "uuid": "99a3fd57-1e2f-422f-9e08-25f185f0ae91",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43669",
      "type": "seen",
      "source": "https://t.me/cibsecurity/70873",
      "content": "\u203c CVE-2023-43669 \u203c\n\nThe Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-09-21T12:30:53.000000Z"
    },
    {
      "uuid": "51f8d196-0a57-4baa-9ef5-efaa678fc08a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-43665",
      "type": "seen",
      "source": "https://t.me/ctinow/158089",
      "content": "https://ift.tt/LhHtSRB\nCVE-2023-43665 Django Vulnerability in NetApp Products",
      "creation_timestamp": "2023-12-22T00:26:48.000000Z"
    },
    {
      "uuid": "ac04f429-5d59-4ce3-8e5b-add456a39b44",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2023-4366",
      "type": "seen",
      "source": "https://t.me/cibsecurity/68589",
      "content": "\u203c CVE-2023-4366 \u203c\n\nUse after free in Extensions in Google Chrome prior to 116.0.5845.96 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. \n(Chromium security severity: Medium)\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2023-08-15T22:36:47.000000Z"
    }
  ]
}