[SECURITY] Fedora 40 Update: javaparser-3.25.8-3.fc40
This package contains a Java 1 to 13 Parser with AST generation and visitor support. The AST records the source code structure, javadoc and comments. It is also possible to change the AST nodes or create new ones to modify the source...
6.9AI Score
0.0004EPSS
It's that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout for a whole manner of tax-related scams. These are something that pop up every year through email, texts, phone calls and even physical mail -- phony...
7AI Score
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a...
4.9CVSS
6.5AI Score
0.0004EPSS
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. This allows an adversary to exploit specific scenarios where the compression ratio becomes exceptionally high. As a...
4.9CVSS
6.7AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (February 26, 2024 to March 3, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 121 vulnerabilities disclosed in 88...
9.8CVSS
9.6AI Score
0.001EPSS
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was...
5.3CVSS
5.4AI Score
0.0004EPSS
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was...
5.3CVSS
5.4AI Score
0.0004EPSS
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was...
5.3CVSS
7.3AI Score
0.0004EPSS
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was...
5.3CVSS
5.7AI Score
0.0004EPSS
WinFiHack is a recreational attempt by me to rewrite my previous project Brute-Hacking-Framework's main wifi hacking script that uses netsh and native Windows scripts to create a wifi bruteforcer. This is in no way a fast script nor a superior way of doing the same hack but it needs no external...
7.4AI Score
Exploit for Use After Free in Microsoft
First in-the-wild 0-day of 2023 🔥 CVE-2023-21674 is a...
8.8CVSS
8.8AI Score
0.004EPSS
Golang < 1.21.8, 1.22.x < 1.22.1 Multiple Vulnerabilities
The version of Golang running on the remote host is prior to 1.21.8 or 1.22.x prior to 1.22.1. It is, therefore, is affected by multiple vulnerabilities: A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. (CVE-2023-45289) Verifying a certificate...
6.2AI Score
0.0004EPSS
SUSE SLES12 Security Update : gstreamer-plugins-bad (SUSE-SU-2024:0779-1)
The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:0779-1 advisory. MXF demuxer use-after-free vulnerability [fedora-all] (CVE-2023-44446) Note that Nessus has not tested for this issue but has instead...
8.8CVSS
6.6AI Score
0.0005EPSS
SUSE SLES15 Security Update : gstreamer-plugins-bad (SUSE-SU-2024:0780-1)
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:0780-1 advisory. MXF demuxer use-after-free vulnerability [fedora-all] (CVE-2023-44446) Note that Nessus has not tested for this issue but has instead...
8.8CVSS
6.6AI Score
0.0005EPSS
8.8CVSS
7.7AI Score
0.0005EPSS
FreeBSD : go -- multiple vulnerabilities (b1b039ec-dbfc-11ee-9165-901b0e9408dc)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the b1b039ec-dbfc-11ee-9165-901b0e9408dc advisory. When following an HTTP redirect to a domain which is not a subdomain match or exact match of...
6.5AI Score
0.0004EPSS
8.8CVSS
7.7AI Score
0.0005EPSS
In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc's adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq()...
6.4AI Score
0.0004EPSS
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely...
9.6CVSS
9.3AI Score
0.0004EPSS
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely...
9.6CVSS
9.1AI Score
0.0004EPSS
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely...
9.6CVSS
7AI Score
0.0004EPSS
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely...
9.6CVSS
7.2AI Score
0.0004EPSS
CVE-2023-50716 Invalid DATA_FRAG Submessage causes a bad-free error
eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely...
9.6CVSS
9.4AI Score
0.0004EPSS
1Panel open source panel project has an unauthorized vulnerability.
Impact The steps are as follows: Access https://IP:PORT/ in the browser, which prompts the user to access with a secure entry point. Use Burp to intercept: When opening the browser and entering the URL (allowing the first intercepted packet through Burp), the following is displayed: It is...
6.3CVSS
7AI Score
0.0004EPSS
1Panel open source panel project has an unauthorized vulnerability.
Impact The steps are as follows: Access https://IP:PORT/ in the browser, which prompts the user to access with a secure entry point. Use Burp to intercept: When opening the browser and entering the URL (allowing the first intercepted packet through Burp), the following is displayed: It is...
6.3CVSS
6.7AI Score
0.0004EPSS
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Summary Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. Details The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access...
9.1CVSS
7.3AI Score
0.0004EPSS
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback...
4.3CVSS
6.8AI Score
0.001EPSS
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the SparseFillEmptyRowsGrad implementation has incomplete validation of the shapes of its arguments. Although reverse_index_map_t and grad_values_t are accessed in a similar pattern, only reverse_index_map_t is validated to be of....
5.3CVSS
6.5AI Score
0.002EPSS
Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be...
4.3CVSS
6.3AI Score
0.001EPSS
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to...
6.5CVSS
6.3AI Score
0.001EPSS
An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15 . It was possible to trigger a DOS by using the math feature with a specific formula in issue...
5.7CVSS
6.3AI Score
0.002EPSS
Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments,...
8.7CVSS
5.5AI Score
0.001EPSS
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not...
5.3CVSS
5.2AI Score
0.001EPSS
BIT-wordpress-multisite-2020-25286
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not...
5.3CVSS
5.2AI Score
0.001EPSS
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who....
7.6CVSS
5.3AI Score
0.001EPSS
BIT-wordpress-multisite-2021-39201
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who....
7.6CVSS
5.3AI Score
0.001EPSS
Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, users can create posts with raw body longer than the max_length site setting by including html comments that are not counted toward the...
6.5CVSS
6.5AI Score
0.001EPSS
An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, 1.39.x before 1.39.4, and 1.40.x before 1.40.1. It is possible to bypass the Bad image list (aka badFile) by using the thumb parameter (aka Manualthumb) of the File...
5.3CVSS
5.2AI Score
0.001EPSS
Discourse is an open source discussion platform. The embeddable comments can be exploited to create new topics as any user but without any clear title or content. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. As a workaround, disable embeddable comments...
5.3CVSS
6.7AI Score
0.001EPSS
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC...
4.3CVSS
6.7AI Score
0.0005EPSS
Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR...
6.5CVSS
5.8AI Score
0.001EPSS
Discourse is an open source discussion platform. Prior to version 3.0.4 of the stable branch and version 3.1.0.beta5 of the beta and tests-passed branches, the lack of restrictions on the iFrame tag makes it easy for an attacker to exploit the vulnerability and hide subsequent comments from other.....
5.4CVSS
6.6AI Score
0.001EPSS
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage...
6.8CVSS
6.4AI Score
0.001EPSS
A cross-site scripting (XSS) vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --!> is...
6.1CVSS
5.4AI Score
0.005EPSS
In Helm before versions 2.16.11 and 3.3.2, a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs to inject a bad chart into a repository. To perform this attack, an attacker.....
2.7CVSS
6.5AI Score
0.001EPSS
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result.....
8.2CVSS
6.1AI Score
0.003EPSS
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes...
7.5CVSS
7.2AI Score
0.001EPSS
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the body_schema validation in the request-validation plugin. For example,...
9.8CVSS
7AI Score
0.004EPSS
In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc's adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e....
7.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc's adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e....
6.6AI Score
0.0004EPSS