all InfoSec news
CVE-2023-30628 (kiwi_tcms)
April 24, 2023, 10:15 p.m. |
National Vulnerability Database web.nvd.nist.gov
the `changelog.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has a write-access to the repository. Commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2 of the kiwitcms/Kiwi repository and commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 of the kiwitcms/enterprise repository contain …
attacks command command injection cve echo enterprise github hello ifs injection injection attacks management open source permission restricted system test untrusted value vulnerable
More from web.nvd.nist.gov / National Vulnerability Database
CVE-2023-21380 (android)
6 months ago |
web.nvd.nist.gov
CVE-2023-21381 (android)
6 months ago |
web.nvd.nist.gov
Jobs in InfoSec / Cybersecurity
Cybersecurity Consultant
@ Devoteam | Cité Mahrajène, Tunisia
GTI Manager of Cybersecurity Operations
@ Grant Thornton | Phoenix, AZ, United States
(Senior) Director of Information Governance, Risk, and Compliance
@ SIXT | Munich, Germany
Information System Security Engineer
@ Space Dynamics Laboratory | North Logan, UT
Intelligence Specialist (Threat/DCO) - Level 3
@ Constellation Technologies | Fort Meade, MD
Cybersecurity GRC Specialist (On-site)
@ EnerSys | Reading, PA, US, 19605