@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...
7.4CVSS
7.1AI Score
CVE-2024-35220 @fastify/session reuses destroyed session cookie
@fastify/session is a session plugin for fastify. Requires the @fastify/cookie plugin. When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not...
7.2AI Score
scheb/two-factor-bundle bypass two-factor authentication with remember-me option
In versions prior to 3.26.0 and prior to 4.11.0 of the "scheb/two-factor-bundle" project, a security vulnerability allowed attackers to bypass two-factor authentication (2FA) using the remember_me cookie. When the remember_me checkbox was used during login, a "REMEMBERME" cookie was created. Upon.....
7.3AI Score
scheb/two-factor-bundle bypass two-factor authentication with remember-me option
In versions prior to 3.26.0 and prior to 4.11.0 of the "scheb/two-factor-bundle" project, a security vulnerability allowed attackers to bypass two-factor authentication (2FA) using the remember_me cookie. When the remember_me checkbox was used during login, a "REMEMBERME" cookie was created. Upon.....
7.3AI Score
@fastify/session reuses destroyed session cookie
Impact When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. Patches Updating to v10.9.0 will solve this. Workarounds None References...
7AI Score
@fastify/session reuses destroyed session cookie
Impact When restoring the cookie from the session store, the expires field is overriden if the maxAge field was set. This means a cookie is never correctly detected as expired and thus expired sessions are not destroyed. Patches Updating to v10.9.0 will solve this. Workarounds None References...
7AI Score
Summary IBM Cloud Pak for Network Automation 2.7.3 addresses multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details ** CVEID: CVE-2024-30260 DESCRIPTION: **Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by a...
10AI Score
0.175EPSS
7.4AI Score
7.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_pin_on_pin_register() for multiple parent pins In scenario where pin is registered with multiple parent pins via dpll_pin_on_pin_register(..), all belonging to the same dpll device. A second call to...
7AI Score
In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_pin_on_pin_register() for multiple parent pins In scenario where pin is registered with multiple parent pins via dpll_pin_on_pin_register(..), all belonging to the same dpll device. A second call to...
6.9AI Score
Passbolt Api Retrieval of HTTP-only cookies
Passbolt uses three cookies: a session cookie, a CSRF protection cookie and a cookie to keep track of the multiple-factor authentication process. Both the session cookie and the mfa cookie are properly set HTTP-only to prevent an attacker from retrieving the content of those cookies if they...
6.4AI Score
Passbolt Api Retrieval of HTTP-only cookies
Passbolt uses three cookies: a session cookie, a CSRF protection cookie and a cookie to keep track of the multiple-factor authentication process. Both the session cookie and the mfa cookie are properly set HTTP-only to prevent an attacker from retrieving the content of those cookies if they...
6.4AI Score
Your vacation, reservations, and online dates, now chosen by AI: Lock and Code S05E11
This week on the Lock and Code podcast… The irrigation of the internet is coming. For decades, we’ve accessed the internet much like how we, so long ago, accessed water—by traveling to it. We connected (quite literally), we logged on, and we zipped to addresses and sites to read, learn, shop, and.....
6.8AI Score
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_pin_on_pin_register() for multiple parent pins In scenario where pin is registered with multiple parent pins via dpll_pin_on_pin_register(..), all belonging to the same dpll device. A second call to...
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_pin_on_pin_register() for multiple parent pins In scenario where pin is registered with multiple parent pins via dpll_pin_on_pin_register(..), all belonging to the same dpll device. A second call to...
7.3AI Score
CVE-2024-36002 dpll: fix dpll_pin_on_pin_register() for multiple parent pins
In the Linux kernel, the following vulnerability has been resolved: dpll: fix dpll_pin_on_pin_register() for multiple parent pins In scenario where pin is registered with multiple parent pins via dpll_pin_on_pin_register(..), all belonging to the same dpll device. A second call to...
7.1AI Score
amphp/artax is vulnerable to Cookie Leakage. The vulnerability is due to cookies being leaked to unauthorized domains, which allows an attacker to manipulate cookies in such a way where cookies of foo.bar.example.com were leaked to...
6.9AI Score
(RHSA-2024:2906) Important: firefox security update
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.11.0 ESR. Security Fix(es): firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367) firefox: IndexedDB files retained in private...
7.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and...
6.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and...
6.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and...
6.7AI Score
0.0004EPSS
CVE-2024-35860 bpf: support deferring bpf_link dealloc to after RCU grace period
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and...
6.7AI Score
0.0004EPSS
[SECURITY] Fedora 40 Update: firefox-126.0-5.fc40
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and...
7.3AI Score
Introducing FIM 4.0 with File Access Monitoring (FAM) and Agentless FIM to ensure compliance with the new PCI 4.0 File Integrity Monitoring (FIM) solutions are essential for virtually any organization to help identify suspicious activities across critical system files and registries, diagnose...
7.3AI Score
A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an...
3.7CVSS
7AI Score
0.0004EPSS
CVE-2024-5044 Emlog Pro Cookie improper authentication
A vulnerability was found in Emlog Pro 2.3.4. It has been classified as problematic. This affects an unknown part of the component Cookie Handler. The manipulation of the argument AuthCookie leads to improper authentication. It is possible to initiate the attack remotely. The complexity of an...
4.6AI Score
0.0004EPSS
laravel/framework is vulnerable to Insecure Deserialization. The vulnerability is due to the potential misuse of the application's encryption key, which allows an attacker to craft a serialized cookie, which upon deserialization results in arbitrary code...
7.5AI Score
Security Bulletin: IBM Operational Decision Manager for April 2024 - Multiple CVEs addressed
Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details ** CVEID:...
9.5AI Score
0.973EPSS
[SECURITY] Fedora 39 Update: firefox-126.0-5.fc39
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and...
7.3AI Score
Huawei EulerOS: Security Advisory for python-urllib3 (EulerOS-SA-2024-1703)
The remote host is missing an update for the Huawei...
7.4AI Score
0.01EPSS
EulerOS Virtualization 3.0.6.0 : python-urllib3 (EulerOS-SA-2024-1703)
According to the versions of the python-urllib3 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a...
6.8AI Score
EulerOS Virtualization 3.0.6.6 : curl (EulerOS-SA-2024-1647)
According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of...
7.5AI Score
Huawei EulerOS: Security Advisory for python-pip (EulerOS-SA-2024-1702)
The remote host is missing an update for the Huawei...
7.4AI Score
0.01EPSS
EulerOS Virtualization 3.0.6.0 : curl (EulerOS-SA-2024-1677)
According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of...
7.2AI Score
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-1677)
The remote host is missing an update for the Huawei...
7AI Score
0.001EPSS
EulerOS Virtualization 3.0.6.0 : python-pip (EulerOS-SA-2024-1702)
According to the versions of the python-pip packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a...
7.3AI Score
GitLab 13.3 < 13.3.4 (CVE-2020-13300)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: GitLab CE/EE version 13.3 prior to 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. (CVE-2020-13300) Note that Nessus has...
7.1AI Score
Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information (CVE-2024-28849,...
9.8AI Score
0.019EPSS
The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3_session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to...
7.5CVSS
7AI Score
0.001EPSS
The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the hc3_session-cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access-level or above to...
7.7AI Score
0.001EPSS
How the Qualys Enterprise TruRisk™ Platform Supports CISA Vulnrichment
Introduction In today's interconnected digital landscape, cybersecurity threats pose significant risks to organizations across various sectors. Recognizing the need for a structured approach to identify, prioritize, and address vulnerabilities, the Cybersecurity and Infrastructure Security Agency.....
6.9AI Score
CVE-2024-4352-Poc CVE-2024-4352 Tutor LMS Pro <= 2.7.0 -...
8.7AI Score
0.001EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 6, 2024 to May 12, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 180 vulnerabilities disclosed in 142...
9.5AI Score
0.001EPSS
Vulnerability in SiAdmin 1.1 that allows XSS via the /show.php query parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and thereby steal their cookie session...
6.3CVSS
5.9AI Score
0.0004EPSS
Siemens SIMATIC RTLS Locating Manager
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....
9.2AI Score
0.009EPSS
CVE-2024-4993 SQL injection vulnerability in SiAdmin
Vulnerability in SiAdmin 1.1 that allows XSS via the /show.php query parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and thereby steal their cookie session...
6AI Score
0.0004EPSS
(RHSA-2024:2887) Important: firefox security update
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.11.0 ESR. Security Fix(es): firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367) firefox: IndexedDB files retained in private...
7.3AI Score
0.0004EPSS
(RHSA-2024:2886) Important: firefox security update
Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.11.0 ESR. Security Fix(es): firefox: Arbitrary JavaScript execution in PDF.js (CVE-2024-4367) firefox: IndexedDB files retained in private...
7.3AI Score
0.0004EPSS