Goolytics – Simple Google Analytics Security Vulnerabilities

Important: bind and dhcp security update

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. The...

Moderate: cockpit security update

Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more. Security Fix(es): cockpit: command injection when deleting a sosreport with a...

Moderate: sssd security update

The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end...

Moderate: kernel update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation (CVE-2023-6240) kernel: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2024-0340) kernel:...

Moderate: squashfs-tools security update

SquashFS is a highly compressed read-only file system for Linux. These packages contain the utilities for manipulating squashfs file systems. Security Fix(es): squashfs-tools: unvalidated filepaths allow writing outside of destination (CVE-2021-40153) squashfs-tools: possible Directory...

Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker

Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in...

Evmos allows unvested token delegations in github.com/evmos/evmos/v10

Evmos allows unvested token delegations in...

go-grpc-compression has a zstd decompression bombing vulnerability in github.com/mostynb/go-grpc-compression

go-grpc-compression has a zstd decompression bombing vulnerability in...

malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o

malicious container creates symlink "mtab" on the host External in...

CVE-2024-5138 in github.com/snapcore/snapd

CVE-2024-5138 in...

Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama

Ollama does not validate the format of the digest (sha256 with 64 hex digits) in...

apko Exposure of HTTP basic auth credentials in log output in chainguard.dev/apko

apko Exposure of HTTP basic auth credentials in log output in...

Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos/v10

Contract balance not updating correctly after interchain transaction in...

Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd/v2

Unauthenticated Access to sensitive settings in Argo CD in...

Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in go.opentelemetry.io/collector/config/configgrpc

Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC in...

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in github.com/traefik/traefik

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in...

`docker cp` allows unexpected chmod of host files in Moby Docker Engine in github.com/docker/docker

docker cp allows unexpected chmod of host files in Moby Docker Engine in...

Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

Files or Directories Accessible to External Parties in ProjectDiscovery in...

Open Redirect URL in Harbor in github.com/goharbor/harbor

Open Redirect URL in Harbor in...

SQL Injection in Harbor scan log API in github.com/goharbor/harbor

SQL Injection in Harbor scan log API in...

evmos allows transferring unvested tokens after delegations in github.com/evmos/evmos/v10

evmos allows transferring unvested tokens after delegations in...

Google's Privacy Sandbox Accused of User Tracking by Austrian Non-Profit

Google's plans to deprecate third-party tracking cookies in its Chrome web browser with Privacy Sandbox has run into fresh trouble after Austrian privacy non-profit noyb (none of your business) said the feature can still be used to track users. "While the so-called 'Privacy Sandbox' is advertised.....

Why Regulated Industries are Turning to Military-Grade Cyber Defenses

As cyber threats loom large and data breaches continue to pose increasingly significant risks. Organizations and industries that handle sensitive information and valuable assets make prime targets for cybercriminals seeking financial gain or strategic advantage. Which is why many highly regulated.....

CVE-2024-5685

Users with "User:edit" and "Self:api" permissions can promote or demote themselves or other users by performing changes to the group's memberships via API call.This issue affects snipe-it: from v4.6.17 through...

CVE-2024-25142

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser. This issue affects Apache...

ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws

An analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered two dozen security flaws that could be used by attackers to defeat authentication, steal biometric data, and even deploy malicious backdoors. "By adding random user data to the database or using a fake...

CVE-2024-5994

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVE-2024-5994

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVE-2024-5994 WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

CVE-2024-5994 WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with...

North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups. "North Korean government-backed actors have targeted the Brazilian...

CVE-2023-6492

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible.....

CVE-2023-6492

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible.....

CVE-2023-6492 Simple Sitemap <= 3.5.13 - Cross-Site Request Forgery via admin_notices

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible.....

Exploit for CVE-2024-23692

Rejetto HFS (HTTP File Server) CVE-2024-23692 Vulnerability...

AEGON LIFE v1.0 Life Insurance Management System - Unauthenticated Remote Code Execution (RCE)

...

AEGON LIFE 1.0 Remote Code Execution

...

Ubuntu 22.04 LTS : Linux kernel (NVIDIA) vulnerabilities (USN-6818-3)

The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6818-3 advisory. Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer...

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2019-1)

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2019-1 advisory. The SUSE Linux Enterprise 15 SP5 Azure kernel was updated to receive various security bugfixes. The following...

atril - security update

Bulletin has no...

Boelter Blue System Management 1.3 - SQL Injection

...

plasma-workspace - security update

Bulletin has no...

chromium - security update

Bulletin has no...

WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)

...

CVE-2024-32923

there is a possible cellular denial of service due to a logic error in the code. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for...

CVE-2024-32924

In DeregAcceptProcINT of cn_NrmmStateDeregInit.cpp, there is a possible denial of service due to a logic error in the code. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for...

CVE-2024-32925

In dhd_prot_txstatus_process of dhd_msgbuf.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

CVE-2024-32926

there is a possible information disclosure due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVE-2024-32930

In plugin_ipc_handler of slc_plugin.c, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure of 4 bytes of stack memory with no additional execution privileges needed. User interaction is not needed for...

CVE-2024-32929

In gpu_slc_get_region of pixel_gpu_slc.c, there is a possible EoP due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...