Cross-site Scripting vulnerabilities in Neos
It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access....
5.8AI Score
LDAP Authentication Improvements This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing and Channel Binding. Microsoft has been making changes to harden the communications to...
7.5AI Score
[SECURITY] [DSA 5693-1] thunderbird security update
Debian Security Advisory DSA-5693-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 17, 2024 https://www.debian.org/security/faq Package : thunderbird CVE ID : CVE-2024-4367 CVE-2024-4767...
7.1AI Score
0.0004EPSS
A reflected XSS vulnerability has been found in YzmCMS 7.1. The vulnerability exists in yzmphp/core/class/application.class.php: when logged-in users access a malicious link, their cookies can be captured by an...
5.9AI Score
EPSS
A reflected XSS vulnerability has been found in YzmCMS 7.1. The vulnerability exists in yzmphp/core/class/application.class.php: when logged-in users access a malicious link, their cookies can be captured by an...
5.8AI Score
EPSS
illuminate/auth is vulnerable to Session Hijacking. The vulnerability is due to insecure handling of "remember me" cookies, where previously hijacked cookies would remain valid even after the user's password was reset or they logged...
7.2AI Score
Security Bulletin: IBM Operational Decision Manager for April 2024 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details ** CVEID:...
9.8CVSS
9.5AI Score
0.973EPSS
Huawei EulerOS: Security Advisory for python-urllib3 (EulerOS-SA-2024-1703)
The remote host is missing an update for the Huawei...
8.1CVSS
7.4AI Score
0.01EPSS
EulerOS Virtualization 3.0.6.0 : httpd (EulerOS-SA-2024-1684)
According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57....
7.5CVSS
7.5AI Score
0.732EPSS
Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2024-1684)
The remote host is missing an update for the Huawei...
7.5CVSS
8.7AI Score
0.732EPSS
EulerOS Virtualization 3.0.6.6 : curl (EulerOS-SA-2024-1647)
According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of...
3.7CVSS
7.5AI Score
0.001EPSS
EulerOS Virtualization 3.0.6.0 : python-urllib3 (EulerOS-SA-2024-1703)
According to the versions of the python-urllib3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a...
8.1CVSS
6.8AI Score
0.01EPSS
Huawei EulerOS: Security Advisory for python-pip (EulerOS-SA-2024-1702)
The remote host is missing an update for the Huawei...
8.1CVSS
7.4AI Score
0.01EPSS
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-1677)
The remote host is missing an update for the Huawei...
6.5CVSS
7AI Score
0.001EPSS
6.5CVSS
7AI Score
EPSS
EulerOS Virtualization 3.0.6.0 : curl (EulerOS-SA-2024-1677)
According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of...
6.5CVSS
7.2AI Score
0.001EPSS
6.5AI Score
0.0004EPSS
Huawei EulerOS: Security Advisory for glibc (EulerOS-SA-2024-1682)
The remote host is missing an update for the Huawei...
7.5CVSS
6.7AI Score
0.001EPSS
GitLab 3.0.29 < 4.0.5 (CVE-2023-1401)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: An issue has been discovered in GitLab DAST scanner affecting all versions starting from 3.0.29 before 4.0.5, in which the DAST scanner leak cross site cookies on redirect during authorization....
5CVSS
6.7AI Score
0.0004EPSS
EulerOS Virtualization 3.0.6.0 : python-pip (EulerOS-SA-2024-1702)
According to the versions of the python-pip packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a...
8.1CVSS
7.3AI Score
0.01EPSS
EulerOS Virtualization 3.0.6.0 : glibc (EulerOS-SA-2024-1682)
According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed,...
7.5CVSS
7.4AI Score
0.001EPSS
Debian dsa-5693 : thunderbird - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5693 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-5693-1 [email protected] ...
8.8AI Score
0.0004EPSS
Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local...
6.4CVSS
6.3AI Score
0.0004EPSS
Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local...
6.4CVSS
6.3AI Score
0.0004EPSS
Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local...
6.4CVSS
6.1AI Score
0.0004EPSS
Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local...
6.4CVSS
6.2AI Score
0.0004EPSS
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This...
4.9CVSS
6.8AI Score
0.0004EPSS
Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-47233) Sander....
6.5CVSS
6.6AI Score
EPSS
Siemens SIMATIC RTLS Locating Manager
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....
10CVSS
9.2AI Score
0.009EPSS
PoC para explotar la vulnerabilidad CVE-2024-23897 en versiones...
9.8CVSS
6.3AI Score
0.961EPSS
[SECURITY] [DLA 3815-1] firefox-esr security update
Debian LTS Advisory DLA-3815-1 [email protected] https://www.debian.org/lts/security/ Emilio Pozuelo Monfort May 16, 2024 https://wiki.debian.org/LTS Package : firefox-esr Version : 115.11.0esr-1~deb10u1 CVE...
0.0004EPSS
7.8CVSS
7.1AI Score
EPSS
Apache Superset Known Default SECRET_KEY (CVE-2023-27524)
The Apache Superset install on the remote host is configured to use a known default SECRET_KEY. This can allow a remote, unauthenticated attacker to forge session cookies as arbitrary users, bypassing authentication and leading to remote code...
9.8CVSS
8.5AI Score
0.971EPSS
7.5AI Score
0.0004EPSS
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:1659-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1659-1 advisory. In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynqmp-gqspi:...
7.8CVSS
7.7AI Score
0.0005EPSS
SUSE SLES15 Security Update : kernel (SUSE-SU-2024:1650-1)
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1650-1 advisory. In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4...
7.8CVSS
8.1AI Score
0.0004EPSS
7.1AI Score
0.0004EPSS
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-1647)
The remote host is missing an update for the Huawei...
3.7CVSS
7.1AI Score
0.001EPSS
Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access. Bugs https://bugzilla.redhat.com/show_bug.cgi?id=2278989...
6.4CVSS
6.4AI Score
0.0004EPSS
Debian dla-3815 : firefox-esr - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3815 advisory. A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects...
7.7AI Score
0.0004EPSS
Releases Ubuntu 23.10 Ubuntu 22.04 LTS Packages linux - Linux kernel linux-aws - Linux kernel for Amazon Web Services (AWS) systems linux-aws-6.5 - Linux kernel for Amazon Web Services (AWS) systems linux-azure - Linux kernel for Microsoft Azure Cloud systems linux-azure-6.5 - Linux kernel for...
6.5CVSS
6.5AI Score
EPSS
Laravel Hijacked authentication cookies vulnerability
Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc. This.....
7.1AI Score
Laravel Hijacked authentication cookies vulnerability
Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc. This.....
7.1AI Score
Laravel Hijacked authentication cookies vulnerability
Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc. This.....
7.1AI Score
Laravel Hijacked authentication cookies vulnerability
Laravel 4.1.26 introduces security improvements for "remember me" cookies. Before this update, if a remember cookie was hijacked by another malicious user, the cookie would remain valid for a long period of time, even after the true owner of the account reset their password, logged out, etc. This.....
7.1AI Score
amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance
In artax version before 1.0.6 and 2 before 2.0.6, cookies of foo.bar.example.com were leaked to foo.bar. Additionally, any site could set cookies for any other site. Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the...
7AI Score
amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance
In artax version before 1.0.6 and 2 before 2.0.6, cookies of foo.bar.example.com were leaked to foo.bar. Additionally, any site could set cookies for any other site. Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the...
7AI Score
[SECURITY] [DSA 5691-1] firefox-esr security update
Debian Security Advisory DSA-5691-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 15, 2024 https://www.debian.org/security/faq Package : firefox-esr CVE ID : CVE-2024-4367 CVE-2024-4767...
7.4AI Score
0.0004EPSS
[SECURITY] [DSA 5690-1] libreoffice security update
Debian Security Advisory DSA-5690-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 15, 2024 https://www.debian.org/security/faq Package : libreoffice CVE ID : CVE-2024-3044 Amel...
6.6AI Score
0.0004EPSS
linux-hwe-5.15, linux-raspi vulnerabilities
It was discovered that the Open vSwitch implementation in the Linux kernel could overflow its stack during recursive action operations under certain conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-1151) Sander Wiebing, Alvise de Faveri Tron,...
7.8CVSS
6.9AI Score
EPSS