Diary & Availability Calendar Security Vulnerabilities

f5

K000139533 : MySQL vulnerability CVE-2024-21090

Security Advisory Description Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 8.3.0 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to...

7.5 CVSS | 6.9 AI Score | 0.0005 EPSS

2024-05-07 12:00 AM
8
redos

ROS-20240507-09

Vulnerability in the Extensions component of Microsoft Edge and Google Chrome browsers is related to incorrect security checks for standard elements. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive information V8 JavaScript script handler...

8.8 CVSS | 8.2 AI Score | 0.001 EPSS

2024-05-07 12:00 AM
11
kaspersky

KLA66617 Multiple vulnerabilities in Google Chrome

Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service. Below is a complete list of vulnerabilities: Use after free vulnerability in ANGLE can be exploited to cause denial of service or execute...

8.4 AI Score | 0.0004 EPSS

2024-05-07 12:00 AM
3
wpvulndb

Archives Calendar Widget <= 1.0.15 - Authenticated (Admin+) Stored Cross-Site Scripting

Description The Archives Calendar Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

5.9 CVSS | 5.9 AI Score | 0.0004 EPSS

2024-05-07 12:00 AM
6
mssecure

New capabilities to help you secure your AI transformation

AI is transforming our world, unlocking new possibilities to enhance human abilities and to extend opportunities globally. At the same time, we are also facing an unprecedented threat landscape with the speed, scale, and sophistication of attacks increasing rapidly. To meet these challenges, we...

7.4 AI Score

2024-05-06 04:00 PM
2
aix

AIX is vulnerable to privilege escalation (CVE-2024-27273)

IBM SECURITY ADVISORY First Issued: Mon May 6 08:12:16 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/kernel_advisory7.asc Security Bulletin: AIX is vulnerable to privilege escalation (CVE-2024-27273)...

8.1 CVSS | 6.5 AI Score | 0.0004 EPSS

2024-05-06 08:12 AM
57
cve

CVE-2024-3756

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF...

6.7 AI Score | 0.0004 EPSS

2024-05-06 06:15 AM
36
cve

CVE-2024-3755

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.6 AI Score | 0.0004 EPSS

2024-05-06 06:15 AM
27
nvd

CVE-2024-3755

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.4 AI Score | 0.0004 EPSS

2024-05-06 06:15 AM
nvd

CVE-2024-3756

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF...

6.5 AI Score | 0.0004 EPSS

2024-05-06 06:15 AM
cvelist

CVE-2024-3756 MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF...

6.7 AI Score | 0.0004 EPSS

2024-05-06 06:00 AM
1
vulnrichment

CVE-2024-3756 MF Gig Calendar <= 1.2.1 - Arbitrary Event Deletion via CSRF

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF...

6.8 AI Score | 0.0004 EPSS

2024-05-06 06:00 AM
cvelist

CVE-2024-3755 MF Gig Calendar <= 1.2.1 - Editor+ Stored XSS

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

5.5 AI Score | 0.0004 EPSS

2024-05-06 06:00 AM
2
nessus

Oracle Linux 9 : edk2 (ELSA-2024-2264)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2264 advisory. EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local...

8.8 CVSS | 7.6 AI Score | 0.006 EPSS

2024-05-06 12:00 AM
7
nessus

Oracle Linux 9 : python3.11-cryptography (ELSA-2024-2337)

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-2337 advisory. cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or...

7.5 CVSS | 7 AI Score | 0.001 EPSS

2024-05-06 12:00 AM
3
nessus

Oracle Linux 9 : frr (ELSA-2024-2156)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2156 advisory. An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet.c processes NLRIs if the attribute length is zero. (CVE-2023-41358) An...

9.1 CVSS | 7.1 AI Score | 0.005 EPSS

2024-05-06 12:00 AM
3
nessus

GLSA-202405-02 : ImageMagick: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202405-02 (ImageMagick: Multiple Vulnerabilities) A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the...

7.8 CVSS | 7.8 AI Score | 0.014 EPSS

2024-05-04 12:00 AM
5
ibm

Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Summary IBM Application Performance Management is vulnerable to denial of service, remote code execution, information disclosures and other vulnerabilities due to bundled product IBM ® Db2. This bulletin identifies the steps to address the vulnerabilities. Vulnerability Details ** CVEID:...

8.4 CVSS | 9.4 AI Score | 0.014 EPSS

2024-05-03 01:22 PM
11
ibm

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Storage Scale System

Summary There are vulnerabilities in IBM WebSphere Application Server Liberty, used by IBM Storage Scale System GUI, which could allow a remote attacker to cause a denial of service. Vulnerability Details ** CVEID: CVE-2023-22081 DESCRIPTION: **An unspecified vulnerability in Java SE related to...

5.9 CVSS | 6.4 AI Score | 0.001 EPSS

2024-05-03 09:17 AM
7
redos

ROS-20240503-04

A vulnerability in the mbedtls_x509_set_extension function of the Mbed TLS software is related to integer overflow. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service. A vulnerability in the PSA Crypto API of the Mbed TLS and Mbed Crypto....

7.5 CVSS | 6.7 AI Score | 0.001 EPSS

2024-05-03 12:00 AM
5
qualysblog

Agentless FIM for Detecting Network Configuration Changes

Dealing with multiple network administrators making frequent configuration changes with a monitoring solution that provides insights into device change without causing resource constraints. The performance and capabilities of a network device are entirely dependent upon its configuration settings.....

7.2 AI Score

2024-05-02 05:35 PM
6
nvd

CVE-2024-2831

The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

8.8 CVSS | 8.7 AI Score | 0.001 EPSS

2024-05-02 05:15 PM
cve

CVE-2024-2831

The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

8.8 CVSS | 7.1 AI Score | 0.001 EPSS

2024-05-02 05:15 PM
26
nvd

CVE-2024-1945

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for.....

7.1 CVSS | 6.6 AI Score | 0.0004 EPSS

2024-05-02 05:15 PM
2
cve

CVE-2024-1945

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for.....

7.1 CVSS | 6.3 AI Score | 0.0004 EPSS

2024-05-02 05:15 PM
26
cvelist

CVE-2024-2831

The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

8.8 CVSS | 8.9 AI Score | 0.001 EPSS

2024-05-02 04:51 PM
1
cvelist

CVE-2024-1945

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'arflite_remove_preview_data' function in all versions up to, and including, 1.6.4. This makes it possible for.....

7.1 CVSS | 6.8 AI Score | 0.0004 EPSS

2024-05-02 04:51 PM
github

Introducing Artifact Attestations–now in public beta

June 25, 2024 update: Artifact Attestations is now generally available! Get started today. There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100M...

6.3 AI Score

2024-05-02 04:00 PM
12
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 304 vulnerabilities disclosed in 232...

9.1 AI Score | EPSS

2024-05-02 02:49 PM
51
ibm

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus.

Summary Multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 8 that is used by Tivoli Netcool/OMNIbus running on Solaris. Vulnerability Details ** CVEID: CVE-2022-40609 DESCRIPTION: **IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote...

9.8 CVSS | 8.8 AI Score | 0.003 EPSS

2024-05-02 02:18 PM
9
cvelist

CVE-2024-33950 WordPress Archives Calendar Widget plugin <= 1.0.15 - Cross Site Scripting (XSS) vulnerability

Administrator Cross Site Scripting (XSS) in Archives Calendar Widget <= 1.0.15...

5.9 CVSS | 6.5 AI Score | 0.0004 EPSS

2024-05-02 11:32 AM
oraclelinux

kernel security, bug fix, and enhancement update

[5.14.0-427.13.1_4.OL9] - Disable UKI signing [Orabug: 36571828] - Update Oracle Linux certificates (Kevin Lyons) - Disable signing for aarch64 (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] - Update...

9.8 CVSS | 7.5 AI Score | 0.003 EPSS

2024-05-02 12:00 AM
7
kaspersky

KLA66425 Multiple vulnerabilities in Microsoft Browser

Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service. Below is a complete list of vulnerabilities: Use after free vulnerability in Picture In Picture can be exploited to cause denial of...

8 AI Score | 0.0004 EPSS

2024-05-02 12:00 AM
4
nessus

Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory. An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE...

9.8 CVSS | 8.9 AI Score | 0.304 EPSS

2024-05-02 12:00 AM
6
nessus

Universal Forwarders < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0614)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0614 advisory. An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE...

9.8 CVSS | 8.5 AI Score | 0.1 EPSS

2024-05-02 12:00 AM
5
nessus

Universal Forwarder 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0809)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0809 advisory. Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap...

9.8 CVSS | 8.8 AI Score | 0.1 EPSS

2024-05-02 12:00 AM
14
nessus

Splunk Enterprise 8.1 < 8.1.13, 8.2.0 < 8.2.10, 9.0.0 < 9.0.4 (SVD-2023-0215)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0215 advisory. Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending...

8.8 CVSS | 7.2 AI Score | 0.017 EPSS

2024-05-02 12:00 AM
5
nessus

Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory. decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900) The got package...

9.8 CVSS | 9 AI Score | 0.1 EPSS

2024-05-02 12:00 AM
6
ibm

Security Bulletin: Multiple Security Vulnerabilities discovered in IBM Security Directory Suite (CVE-2022-32753, CVE-2022-32751, CVE-2022-33165)

Summary Several vulnerabilities were fixed in the IBM Security Verify Directory Suite. Vulnerability Details ** CVEID: CVE-2022-32753 DESCRIPTION: **IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive...

7.5 CVSS | 6.3 AI Score | 0.001 EPSS

2024-05-01 11:29 PM
6
ibm

Security Bulletin: IBM Controller has addressed multiple vulnerabilities

Summary IBM Controller is affected and considered vulnerable, based on current information, to multiple vulnerabilities. This Security Bulletin addresses the vulnerabilities that have been remediated in IBM Controller. Vulnerability Details ** CVEID: CVE-2023-40695 DESCRIPTION: **IBM Cognos...

9.8 CVSS | 9.8 AI Score | 0.973 EPSS

2024-05-01 09:46 PM
15
ibm

Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affecting Tivoli Netcool/OMNIbus

Summary Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 8 that is used by Tivoli Netcool/OMNIbus have been addressed. Vulnerability Details ** CVEID: CVE-2023-22049 DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow...

7.5 CVSS | 7.4 AI Score | 0.001 EPSS

2024-05-01 06:20 PM
7
ibm

Security Bulletin: Vulnerabilities in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products

Summary Vulnerabilities in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Storage Virtualize and IBM FlashSystem products Vulnerability Details ** CVEID: CVE-2023-22081 DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow a remote...

5.9 CVSS | 7.1 AI Score | 0.001 EPSS

2024-05-01 10:50 AM
3
wpvulndb

MF Gig Calendar <= 1.2.1 - Cross-Site Request Forgery

Description The MF Gig Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action...

5.4 CVSS | 6.7 AI Score | 0.0004 EPSS

2024-05-01 12:00 AM
6
wpvulndb

Pretty Google Calendar < 2.0.0 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user...

6.5 CVSS | 6.3 AI Score | 0.0004 EPSS

2024-05-01 12:00 AM
6
github

Where does your software (really) come from?

Software is a funny, profound thing: each piece of it is an invisible machine, seemingly made of magic words, designed to run on the ultimate, universal machine. It's not alive, but it has a lifecycle. It starts out as source code--just text files, sitting in a repository somewhere--and then later....

6.9 AI Score

2024-04-30 04:35 PM
8
kaspersky

KLA66424 Multiple vulnerabilities in Google Chrome

Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service. Below is a complete list of vulnerabilities: Use after free vulnerability in Picture In Picture can be exploited to cause denial of service...

8.1 AI Score | 0.0004 EPSS

2024-04-30 12:00 AM
1
ibm

Security Bulletin: Multiple Vulnerabilities in IBM SDK Java affect IBM Cloud Pak System

Summary Multiple vulnerabilities found in IBM Java SDK reported in the IBM Java SDK CPU update October 2022 affect OS Image shipped with Cloud Pak System. Vulnerability Details ** CVEID: CVE-2022-21628 DESCRIPTION: **Java SE is vulnerable to a denial of service, caused by a flaw in the...

5.3 CVSS | 5.7 AI Score | 0.002 EPSS

2024-04-29 10:37 AM
18
nvd

CVE-2024-33640

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LBell Pretty Google Calendar allows Stored XSS. This issue affects Pretty Google Calendar: from n/a through...

6.5 CVSS | 6.4 AI Score | 0.0004 EPSS

2024-04-29 05:15 AM
cve

CVE-2024-33640

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LBell Pretty Google Calendar allows Stored XSS. This issue affects Pretty Google Calendar: from n/a through...

6.5 CVSS | 6.6 AI Score | 0.0004 EPSS

2024-04-29 05:15 AM
26
cvelist

CVE-2024-33640 WordPress Pretty Google Calendar plugin <= 1.7.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LBell Pretty Google Calendar allows Stored XSS. This issue affects Pretty Google Calendar: from n/a through...

6.5 CVSS | 6.6 AI Score | 0.0004 EPSS

2024-04-29 05:02 AM

Total number of security vulnerabilities: 57810