Apache Kafka is vulnerable to Incorrect Access Control. The vulnerability is due to an error in ACL management during ZK to KRaft mode migration, specifically when an ACL is removed while two or more other ACLs remain associated with the same resource. This condition results in Kafka treating the.....
7AI Score
0.0004EPSS
Exploit for Integer Overflow or Wraparound in Linux Linux Kernel
CVE-2022-0185-Case-Study This case study is a result of an...
8.4CVSS
8.9AI Score
0.001EPSS
Xwiki is prone to a remote code execution (RCE) ...
9.6CVSS
7.9AI Score
0.0004EPSS
9.4CVSS
8.4AI Score
0.006EPSS
MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack PoC Make a contributor or higher user open a link where <> is a valid event:...
6.6AI Score
0.0004EPSS
Xwiki is prone to a remote code execution (RCE) ...
9.9CVSS
7.9AI Score
0.0004EPSS
MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC 1. Go to "MF Gig Calendar >.....
5.4AI Score
0.0004EPSS
Xwiki is prone to a remote code execution (RCE) ...
9.9CVSS
7.9AI Score
0.0004EPSS
MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.7AI Score
0.0004EPSS
MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF...
6.8AI Score
0.0004EPSS
XWiki < 14.10.19, 15.0-rc-1 < 15.5.4, 15.6-rc-1 < 15.9-rc-1 RCE Vulnerability (GHSA-c2gg-4gq4-jv5j)
Xwiki is prone to a remote code execution (RCE) ...
9.9CVSS
7.9AI Score
0.0004EPSS
Xwiki is prone to a remote code execution (RCE) ...
10CVSS
7.9AI Score
0.001EPSS
Summary IBM Call Center removed parts of a legacy code that carried vulnerabilites. The code did contain CVE-2009-2625, CVE-2013-4002, CVE-2020-14338, CVE-2022-23437, CVE-2012-0881, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin...
6.5CVSS
8AI Score
0.129EPSS
Summary Order Management removed parts of legacy code that carried vulnerabilites. The code did contain CVE-2009-2625, CVE-2013-4002, CVE-2012-0881, however the specific code related to the vulnerability is not in use, therefore the risk is lower. This bulletin identifies the steps to take to...
7.5CVSS
7.7AI Score
0.129EPSS
A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device. If a...
4.8CVSS
7.2AI Score
0.0004EPSS
A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device. If a...
4.8CVSS
5.4AI Score
0.0004EPSS
A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device. If a...
4.8CVSS
5.7AI Score
0.0004EPSS
CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls
On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability...
10CVSS
9.8AI Score
0.957EPSS
Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two....
6.8AI Score
0.0004EPSS
Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two....
6.4AI Score
0.0004EPSS
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a....
4.2CVSS
7.3AI Score
0.0004EPSS
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two....
6.3AI Score
0.0004EPSS
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two....
6.5AI Score
0.0004EPSS
While an Apache Kafka cluster is being migrated from ZooKeeper mode to KRaft mode, in some cases ACLs will not be correctly enforced. Two preconditions are needed to trigger the bug: 1. The administrator decides to remove an ACL 2. The resource associated with the removed ACL continues to have two....
6.6AI Score
0.0004EPSS
org.springframework.security:spring-security-core Dependency in Bamboo Data Center and Server
This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.springframework.security:spring-security-core Dependency vulnerability,...
8.2CVSS
6.7AI Score
0.0004EPSS
This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS...
8.1CVSS
7.9AI Score
0.0004EPSS
This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0-eap01, 8.15.0, 8.16.0, 8.17.0, 8.18.0, and 8.19.0 of Bitbucket Data.....
8.2CVSS
8AI Score
0.0004EPSS
KLA65584 Multiple vulnerabilities in Microsoft Browser
Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service. Below is a complete list of vulnerabilities: Use after free vulnerability in Dawn can be exploited to cause denial of service or execute...
8.4AI Score
0.0004EPSS
EventPrime < 3.3.5 - Unauthenticated Booking Price Manipulation
Description The plugin is vulnerable to booking price manipulations due to insufficient validation and control of booking prices in versions up to, and including, 3.3.4. This makes it possible for unauthenticated attackers to make bookings with lower...
9.8CVSS
7.1AI Score
0.001EPSS
Oracle Linux 7 : squid (ELSA-2024-1787)
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1787 advisory. Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid...
8.6CVSS
6.9AI Score
0.019EPSS
Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Summary IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details ** CVEID: CVE-2023-34967 DESCRIPTION: **Samba is vulnerable to a denial of service, caused.....
9.8CVSS
10AI Score
0.963EPSS
The internet is already scary enough without April Fool’s jokes
I feel like over the past several years, the "holiday" that is April Fool's Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you'd find on a news site any day of the week. And there are so many more serious issues that are.....
7.3AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 1, 2024 to April 7, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 193 vulnerabilities disclosed in 154...
9.9CVSS
9.8AI Score
0.082EPSS
Cosign malicious attachments can cause system-wide denial of service
Summary A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other....
4.2CVSS
7.3AI Score
0.0004EPSS
Cosign malicious attachments can cause system-wide denial of service
Summary A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other....
4.2CVSS
4.7AI Score
0.0004EPSS
AIX is vulnerable to email spoofing due to sendmail (CVE-2023-51765)
IBM SECURITY ADVISORY First Issued: Thu Apr 11 15:33:45 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/sendmail_advisory4.asc Security Bulletin: AIX is vulnerable to email spoofing due to sendmail (CVE-2023-51765)...
5.3CVSS
5.8AI Score
0.002EPSS
A flaw was found in the Cosign package where maliciously crafted software artifacts can trigger uncontrolled resource consumption by allocating too much memory and starving out the system. A successful attack may result in a denial of service of the machine running Cosign, impacting...
4.2CVSS
4.3AI Score
0.0004EPSS
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....
7.6CVSS
7.7AI Score
0.002EPSS
Siemens RUGGEDCOM APE1808 before V11.0.1
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....
8.8CVSS
6.7AI Score
0.003EPSS
This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0 and 9.5.0 of Bamboo Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...
8.1CVSS
7.9AI Score
0.0004EPSS
Software: runc 1.0.0 OS: rosa-server79 package_evr_string: runc-1.0.0.0-70.rc10.res7 CVE-ID: CVE-2019-19921 BDU-ID: None CVE-Crit: HIGH CVE-DESC.: runc has improper access control leading to elevated privileges associated with libcontainer/rootfs_linux.go. To exploit this, an attacker must be able....
8.6CVSS
9AI Score
0.051EPSS
BookingPress < 1.0.82 - Authenticated (Customer+) Insecure Direct Object Reference
Description The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.81 due to missing validation on a user controlled key. This makes it possible for...
4.3CVSS
6.5AI Score
0.0004EPSS
The Jenkins Automation Server vulnerability involves the creation of temporary files with insecure permissions. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to read, modify, or delete files A vulnerability in the args4j library of the Jenkins Git server.....
9.8CVSS
7.6AI Score
0.96EPSS
SAP NetWeaver AS Java Information Disclosure (April 2024)
SAP NetWeaver Application Server for Java is affected by an information disclosure vulnerability. 'Self-Registration' and 'Modify your own profile' in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer....
8.8CVSS
6.7AI Score
0.0004EPSS
SAP NetWeaver AS ABAP DoS (April 2024)
The remote SAP NetWeaver ABAP server may be affected by a denial of service (DoS) vulnerability. The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to.....
6.5CVSS
7.1AI Score
0.0004EPSS
Vulnerability of sessionReadRecord function of ext/session/sqlite3session.c file of database management system SQLite is related to a buffer overflow in dynamic memory. Exploitation of the vulnerability could allow an attacker acting remotely to affect confidentiality, integrity, and...
7.3CVSS
7.7AI Score
0.001EPSS
Esri Portal for ArcGIS < Security 2024 Update 1 Multiple Vulnerabilities (10.8.1)
The version of Esri Portal for ArcGIS installed is missing Security 2024 Update 1. It is, therefore, affected by multiple vulnerabilities including: There is a difficult to exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 10.8.1 through 11.2...
9.9CVSS
7.5AI Score
0.0004EPSS
The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups By Jambul Tologonov and John Fokker · April 11, 2024 The Trellix Advanced Research Center has recently observed an uptick of LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect....
6.5AI Score
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a....
4.2CVSS
4.7AI Score
0.0004EPSS
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a....
4.2CVSS
6.9AI Score
0.0004EPSS