ChakraCore, Microsoft Edge Security Vulnerabilities

K000138634 : BIG-IP Next Central Manager vulnerability CVE-2024-32049

Security Advisory Description BIG-IP Next Central Manager may allow an unauthenticated, remote attacker to obtain BIG-IP Next LTM/WAF instance credentials. (CVE-2024-32049) Impact This vulnerability may allow an unauthenticated attacker in a man-in-the-middle (MITM) position between a BIG-IP Next.....

Microsoft Edge (Chromium) < 109.0.1518.100 (CVE-2023-2033)

The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 109.0.1518.100. It is, therefore, affected by a type confusion vulnerability in V8 as referenced in the April 24, 2023 advisory. Note that Nessus has not tested for these issues but has instead relied only on....

K000138898 : BIG-IP Advanced WAF/ASM, BIG-IP Next WAF, and NGINX App Protect WAF attack signature check failure

Security Advisory Description BIG-IP Advanced WAF/ASM, BIG-IP Next WAF, or NGINX App Protect WAF may fail to match an attack signature. This issue occurs when all of the following conditions are met: The affected security policy has a large number of attack signatures enabled (for example, all or.....

K000138894 : BIG-IP Configuration utility XSS vulnerability CVE-2024-33604

Security Advisory Description A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. (CVE-2024-33604) Impact An attacker may exploit this...

K000139404 : Quarterly Security Notification (May 2024)

Security Advisory Description On May 8, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...

K000139217 : BIG-IP TMM tenants on VELOS and rSeries vulnerability CVE-2024-32761

Security Advisory Description Under certain conditions, a potential data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. However, this issue cannot be exploited by an attacker because it is not consistently reproducible and is.....

K000139037: TMM vulnerability CVE-2024-25560

Security Advisory Description When BIG-IP AFM is licensed and provisioned, and a DNS profile is applied to a virtual server, undisclosed DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-25560) Impact Traffic is disrupted while the TMM process restarts. This...

Microsoft Edge (Chromium) < 109.0.1518.115 (CVE-2023-3079)

The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 109.0.1518.115. It is, therefore, affected by a type confusion vulnerability in v8 as referenced in the June 13, 2023 advisory. Note that Nessus has not tested for these issues but has instead relied only on.....

K000138728 : BIG-IP IPsec vulnerability CVE-2024-33608

Security Advisory Description When IPsec is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2024-33608) Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows a remote unauthenticated attacker.....

K000138732 : BIG-IP Next Central Manager OData Injection vulnerability CVE-2024-21793

Security Advisory Description An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). (CVE-2024-21793) Impact An unauthenticated attacker can exploit this vulnerability to execute malicious SQL statements through the BIG-IP NEXT Central Manager API...

Microsoft Edge (Chromium) < 109.0.1518.140 Heap Buffer Overflow Vulnerability

The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 109.0.1518.140. It is, therefore, affected by a heap buffer vulnerability in WebP as referenced in the September 15, 2023 advisory. Note that Nessus has not tested for these issues but has instead relied only....

K000139553: VPN TunnelVision vulnerability CVE-2024-3661

Security Advisory Description By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or...

CVE-2024-4558

Use after free in ANGLE in Google Chrome prior to 124.0.6367.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity:...

CVE-2024-34397

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based.....

CVE-2024-27982

The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a....

Microsoft announces the 2024 Microsoft Security Excellence Awards winners

At this year's Microsoft Security Excellence Awards, we took a journey through the evolution of cybersecurity from the 1950s to today. While this event theme celebrated the significant technological advancements that have shaped each decade, the main focus was on the Microsoft Intelligent Security....

Exploits and vulnerabilities in Q1 2024

We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component....

SUSE: Security Advisory (SUSE-SU-2024:1162-1)

The remote host is missing an update for...

K000139532 : Node.js vulnerability CVE-2024-27983

Security Advisory Description An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are...

K000139533 : MySQL vulnerability CVE-2024-21090

Security Advisory Description Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 8.3.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to...

Edge < 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Author Display Name

Description The Edge theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary....

Linux kernel vulnerabilities

Releases Ubuntu 22.04 LTS Ubuntu 20.04 LTS Packages linux - Linux kernel linux-azure - Linux kernel for Microsoft Azure Cloud systems linux-azure-5.15 - Linux kernel for Microsoft Azure cloud systems linux-azure-fde - Linux kernel for Microsoft Azure CVM cloud systems linux-azure-fde-5.15 -...

Linux kernel vulnerabilities

Releases Ubuntu 20.04 LTS Ubuntu 18.04 ESM Packages linux - Linux kernel linux-aws - Linux kernel for Amazon Web Services (AWS) systems linux-aws-5.4 - Linux kernel for Amazon Web Services (AWS) systems linux-azure - Linux kernel for Microsoft Azure Cloud systems linux-azure-5.4 - Linux kernel...

ROS-20240507-09

Vulnerability in the Extensions component of Microsoft Edge and Google Chrome browsers is related to incorrect security checks for standard elements. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive information V8 JavaScript script handler...

CVE-2024-34376

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Freesia Edge allows Stored XSS.This issue affects Edge: from n/a through...

CVE-2024-34376 WordPress Edge theme <= 2.0.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Freesia Edge allows Stored XSS.This issue affects Edge: from n/a through...

Azure File Sync Agent v18.0 Release – May 2024 (KB5023057)

Update for Azure File Sync agent (version 18.0.0.0). For more details, see the associated Microsoft Knowledge Base...

New capabilities to help you secure your AI transformation

AI is transforming our world, unlocking new possibilities to enhance human abilities and to extend opportunities globally. At the same time, we are also facing an unprecedented threat landscape with the speed, scale, and sophistication of attacks increasing rapidly. To meet these challenges, we...

Azure File Sync Agent v18.0 Release – May 2024 (KB5023057)

Update for Azure File Sync agent (version 18.0.0.0). For more details, see the associated Microsoft Knowledge Base...

Azure File Sync Agent v18.0 Release – May 2024 (KB5023057)

Update for Azure File Sync agent (version 18.0.0.0). For more details, see the associated Microsoft Knowledge Base...

Why Your VPN May Not Be As Secure As It Claims

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target's....

Exploit for Vulnerability in Microsoft

BadBlue (Windows) CVE-2024-21306 BadBlue implementation...

Exploit for Vulnerability in Microsoft

BadBlue (Windows) CVE-2024-21306 BadBlue implementation...

You get a passkey, you get a passkey, everyone should get a passkey

Microsoft is rolling out passkey support for all consumer accounts. Passkeys are a very secure replacement for passwords that can't be cracked, guessed or phished, and let you log in easily, without having to type a password every time. After enabling them in Windows 11 last year, Microsoft...

Security above all else—expanding Microsoft’s Secure Future Initiative

Last November, we launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products. Since then, the threat landscape has continued to...

Exploit for Vulnerability in Microsoft

CVE-2024-29988-exploit Exploit for Microsoft SmartScreen...

CVE-2024-34062

tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. --delim, --buf-size, --manpath) are passed through python's eval, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in release version 4.66.3. All...

Vulnerabilities that (mostly) aren’t: LUCKY13

TL;DR LUCKY13 is more an attack than a vulnerability LUCKY13 was patched over a decade ago … so it’s really unlikely that your server is vulnerable now It's an implementation issue Disabling CBC ciphers is still a good idea … but not because of susceptibility to LUCKY13 There is no material risk...

CVE-2023-44446

GStreamer MXF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending.....

CVE-2023-44429

GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may...

CVE-2023-42117

Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp...

CVE-2023-42115

Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens...

CVE-2023-42119

Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the smtp...

CVE-2023-42118

Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing...

CVE-2023-42116

Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of....

CVE-2023-42114

Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of....

CVE-2023-40476

GStreamer H265 Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary...

CVE-2023-40475

GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary...

CVE-2023-40474

GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary...

CVE-2023-38104

GStreamer RealMedia File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary...