Goolytics – Simple Google Analytics Security Vulnerabilities
Malicious code in asf-component-templateruntime (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (a8505a127506a075d45802e114b4c6b3d9fe34267a7586fbd1724c5b70b0754d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in asf-component-listrenderer (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (6f800a7b495b28797dd18361930f1686e2cb294f6972babb0263a6e194afcf6a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in mmsdk-apml-htmlrendererr (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (35d7d1e7291969903946488e1ba191e23233d78f75808e9517ff90308f1b3d4f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in apl-validator (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (5c9d01a1289fd5e02d94728d6b0a19ec77687aadfde1e9807050227a0de03dc7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in mmsdk-apml-htmlrenderer (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (ae0814f13d1d5f49711b30a6fe260c2bfb566047df1b02774e899421faf58c92) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in portfolio-organism-adp-wrapper (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (41eb756462a90039b0df22968214c17f7b6bbf6a4aaf0db84da2266a6e33813d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in ct-helpers (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (e783edf3831848aac61070e6d4fcd03fb9023946d4c766f49e7d35b0403baa6f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in code.cloudflare.ajax (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (5869f17e67758b1fd6d47d84b2ab8d46f7912558ed8120de69bfc64ed5c0063d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in code.cloudflare.com (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (fd0d00a0ff9a56ee7446eb2b6ffa5b59db4eb466925a2c3d769df90c00fdcd76) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in coe.com (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (1b84c4d60e18fabe333d5d74a3fa2838edc6a70491dc3e9c7e3cc1d1f33e7241) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in code.jquery.ajax (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (52954659c906ed745d4b0c4b28b77fd0637eac32a5a4229bbeb6fa5ea8f7d004) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign
As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the.....
8AI Score
Malicious code in aws-public (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (b192498364ed7190f44f00a98983087f969407bd217eadfed1c6353335eda7f7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7.2AI Score
Malicious code in nppe_ttt_datalayer (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (c2cf2a52144e733f43888ec1331ac75fdfcffbf961c5e8879245feddb3360331) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in workerd-root (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (864f13e0626ddbb05fb951a4a4217000d4d74c0e9935d0ca041b22f805b1ff98) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
It was discovered that LibTIFF incorrectly handled memory when performing certain cropping operations, leading to a heap buffer overflow. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary...
5.5CVSS
7.7AI Score
0.0004EPSS
6.5CVSS
7.2AI Score
0.0005EPSS
Inappropriate implementation in Google Updator prior to 1.3.36.351 in Google Chrome allowed a local attacker to bypass discretionary access control via a malicious file. (Chromium security severity: High) Notes Author| Note ---|--- alexmurray | The Debian chromium source package is called...
6.3AI Score
0.0004EPSS
7.2AI Score
KLA68913 Multiple vulnerabilities in Google Chrome
Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, bypass security restrictions. Below is a complete list of vulnerabilities: Use after free vulnerability in PDFium can be exploited to cause...
8.9AI Score
0.0004EPSS
7.8CVSS
7AI Score
0.44EPSS
7.8CVSS
8.8AI Score
0.001EPSS
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 126 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks. Chrome 126.0.6478.54 (Linux) 126.0.6478.56/57( Windows, Mac) contains a number of fixes and improvements -- a list of changes is...
8.1AI Score
0.0004EPSS
Google Chrome < 126.0.6478.56 Multiple Vulnerabilities
The version of Google Chrome installed on the remote Windows host is prior to 126.0.6478.56. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop advisory. Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a...
6.9AI Score
0.0004EPSS
Google Chrome < 126.0.6478.56 Multiple Vulnerabilities
The version of Google Chrome installed on the remote macOS host is prior to 126.0.6478.56. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop advisory. Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote...
6.8AI Score
0.0004EPSS
Ubuntu 22.04 LTS : Linux kernel (NVIDIA) vulnerabilities (USN-6820-2)
The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6820-2 advisory. It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability....
8CVSS
10AI Score
0.0004EPSS
Inappropriate implementation in Google Updator prior to 1.3.36.351 in Google Chrome allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High) Notes Author| Note ---|--- alexmurray | The Debian chromium source package is called...
6.6AI Score
0.0004EPSS
Pixel Watch Security Bulletin—June 2024
The Pixel Watch Security Bulletin contains details of security vulnerabilities affecting Pixel Watch devices (Google Devices). For Google devices, security patch levels of 2024-06-05 or later address all applicable issues in the June 2024 Android Security Bulletin and all issues in this bulletin......
8.4AI Score
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option: If an...
5.3CVSS
7.1AI Score
0.0005EPSS
@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses the Playright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol http or https....
5.3CVSS
7AI Score
0.0004EPSS
ghtml is software that uses tagged templates for template engine functionality. It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Version 2.0.0 introduces changes to mitigate this issue. Version 2.0.0 contains updated.....
8.9CVSS
5.5AI Score
0.0004EPSS
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are...
8.8CVSS
7.5AI Score
0.0004EPSS
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are.....
8.8CVSS
7.5AI Score
0.0004EPSS
@grpc/grpc-js can allocate memory for incoming messages well above configured limits
Impact There are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length channel option: If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded. If an...
5.3CVSS
6.9AI Score
0.0005EPSS
ghtml Cross-Site Scripting (XSS) vulnerability
Summary It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Actions Taken Updated the documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive...
8.9CVSS
5.3AI Score
0.0004EPSS
Composer has a command injection via malicious git branch name
Impact The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches 2.2.24 for 2.2 LTS or 2.7.7 for mainline Workarounds Avoid installing dependencies via git by using...
8.8CVSS
7.3AI Score
0.0004EPSS
Composer has multiple command injections via malicious git/hg branch names
Impact The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories. Patches 2.2.24 for 2.2 LTS or 2.7.7 for mainline Workarounds Avoid cloning potentially compromised...
8.8CVSS
7.2AI Score
0.0004EPSS
Langflow remote code execution vulnerability
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...
9.8CVSS
8.1AI Score
0.001EPSS
It was discovered that the PDO driver in ADOdb was incorrectly handling string quotes. A remote attacker could possibly use this issue to perform SQL injection attacks. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7405) It was discovered that ADOdb was incorrectly handling GET parameters...
9.1CVSS
7.3AI Score
0.006EPSS
Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect
The plugin is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an...
6.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
9CVSS
8.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
7.7CVSS
7.6AI Score
0.0005EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.1CVSS
9.5AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
8.9CVSS
8.3AI Score
0.0004EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...
8.6CVSS
8.4AI Score
0.0005EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this...
9.6CVSS
9.7AI Score
0.001EPSS
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this...
10CVSS
9.7AI Score
0.001EPSS
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. (CVE-2022-38096) Zheng Wang discovered that the...
7.8CVSS
8.7AI Score
0.0005EPSS
Malicious code in randombullshitgo-js (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (057c8df14eaa8785b6129f2c579be84c7330b0f8d7e9bb6eff202f60bdddabfd) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7.2AI Score
Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing
Impact In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type...
7AI Score