Goolytics – Simple Google Analytics Security Vulnerabilities

CVE-2024-5138 in github.com/snapcore/snapd

CVE-2024-5138 in...

malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o

malicious container creates symlink "mtab" on the host External in...

Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos/v10

Contract balance not updating correctly after interchain transaction in...

Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in go.opentelemetry.io/collector/config/configgrpc

Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in...

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in github.com/traefik/traefik

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in...

Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd/v2

Unauthenticated Access to sensitive settings in Argo CD in...

SQL Injection in Harbor scan log API in github.com/goharbor/harbor

SQL Injection in Harbor scan log API in...

Open Redirect URL in Harbor in github.com/goharbor/harbor

Open Redirect URL in Harbor in...

Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

Files or Directories Accessible to External Parties in ProjectDiscovery in...

evmos allows transferring unvested tokens after delegations in github.com/evmos/evmos/v10

evmos allows transferring unvested tokens after delegations in...

`docker cp` allows unexpected chmod of host files in Moby Docker Engine in github.com/docker/docker

docker cp allows unexpected chmod of host files in Moby Docker Engine in...

Google's Privacy Sandbox Accused of User Tracking by Austrian Non-Profit

Google's plans to deprecate third-party tracking cookies in its Chrome web browser with Privacy Sandbox has run into fresh trouble after Austrian privacy non-profit noyb (none of your business) said the feature can still be used to track users. "While the so-called 'Privacy Sandbox' is advertised.....

Snipe-IT allows users to promote or demote themselves or other users

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through...

Why Regulated Industries are Turning to Military-Grade Cyber Defenses

As cyber threats loom large and data breaches continue to pose increasingly significant risks. Organizations and industries that handle sensitive information and valuable assets make prime targets for cybercriminals seeking financial gain or strategic advantage. Which is why many highly regulated.....

CVE-2024-5685

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through...

Mattermost Desktop App allows for bypassing TCC restrictions on macOS

Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on...

Apache Airflow does not return the "Cache-Control" header for dynamic content

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache...

Mattermost Desktop App Remote Code Execution

Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI...

CVE-2024-25142

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache...

curl: Denial of Service in curl Request - HTTP headers eat all memory

Summary: Curl's unrestricted header storage lets malicious servers overwhelm memory, leading to out of Memory ( DOS) . When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit on how many....

ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws

An analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered two dozen security flaws that could be used by attackers to defeat authentication, steal biometric data, and even deploy malicious backdoors. "By adding random user data to the database or using a fake...

CVE-2024-5994

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVE-2024-5994

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVE-2024-5994 WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVE-2024-5994 WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups. "North Korean government-backed actors have targeted the Brazilian...

CVE-2023-6492

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible.....

CVE-2023-6492

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible.....

CVE-2023-6492 Simple Sitemap <= 3.5.13 - Cross-Site Request Forgery via admin_notices

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible.....

Exploit for CVE-2024-23692

Rejetto HFS (HTTP File Server) CVE-2024-23692 Vulnerability...

Google Chrome Security Update (stable-channel-update-for-desktop_22-2024-02) - Linux

Google Chrome is prone to an unspecified ...

Google Chrome Security Update (stable-channel-update-for-desktop_22-2024-02) - Windows

Google Chrome is prone to an unspecified ...

Linux kernel vulnerabilities

Releases Ubuntu 24.04 LTS Packages linux-azure - Linux kernel for Microsoft Azure Cloud systems linux-gke - Linux kernel for Google Container Engine (GKE) systems Details Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions,...

WP-UserOnline 2.88.0 - Stored Cross Site Scripting (Authenticated) Vulnerability

...

AEGON LIFE 1.0 Remote Code Execution

...

AEGON LIFE v1.0 Life Insurance Management System - Remote Code Execution Vulnerability

...

AEGON LIFE v1.0 Life Insurance Management System - Unauthenticated Remote Code Execution (RCE)

...

Google Chrome Security Update (stable-channel-update-for-desktop_22-2024-02) - Mac OS X

Google Chrome is prone to an unspecified ...

Google Chrome Security Update (stable-channel-update-for-desktop_13-2024-02) - Windows

Google Chrome is prone to a stack-based buffer overflow...

Boelter Blue System Management 1.3 - SQL Injection Vulnerability

...

Ubuntu 22.04 LTS : Linux kernel (NVIDIA) vulnerabilities (USN-6818-3)

The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6818-3 advisory. Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer...

Google Chrome Security Update (stable-channel-update-for-desktop_13-2024-02) - Linux

Google Chrome is prone to a stack-based buffer overflow...

WP Go Maps (formerly WP Google Maps) < 9.0.39 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an...

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2019-1)

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2019-1 advisory. The SUSE Linux Enterprise 15 SP5 Azure kernel was updated to receive various security bugfixes. The following...

atril - security update

Bulletin has no...

Boelter Blue System Management 1.3 - SQL Injection

...

Linux kernel (NVIDIA) vulnerabilities

Releases Ubuntu 22.04 LTS Packages linux-nvidia-6.5 - Linux kernel for NVIDIA systems Details Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this...

plasma-workspace - security update

Bulletin has no...

Google Chrome Security Update (stable-channel-update-for-desktop_13-2024-02) - Mac OS X

Google Chrome is prone to a stack-based buffer overflow...

chromium - security update

Bulletin has no...