HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics Security Vulnerabilities

nessus

FreeBSD : chromium -- security fix (6926d038-1db4-11ef-9f97-a8a1599412c6)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 6926d038-1db4-11ef-9f97-a8a1599412c6 advisory. Chrome Releases reports: This update includes 1 security fix: Tenable has extracted the preceding...

CVSS 8.8 | AI Score 6.4 | EPSS 0.003 | 2024-05-30 12:00 AM

nessus

Qlik Sense Enterprise Privilege Escalation (CVE-2024-36077)

The version of Qlik Sense Enterprise installed on the remote Windows host is prior to May 2022 Patch 18, August 2022 Patch 17, November 2022 Patch 14, February 2023 Patch 14, May 2023 Patch 16, August 2023 Patch 14, November 2023 Patch...

CVSS 8.8 | AI Score 9.2 | 2024-05-30 12:00 AM

openvas

Mageia: Security Advisory (MGASA-2024-0198)

The remote host is missing an update for...

CVSS 7.5 | AI Score 7.1 | EPSS 0.0004 | 2024-05-30 12:00 AM
openvas

SUSE: Security Advisory (SUSE-SU-2024:1807-1)

The remote host is missing an update for...

CVSS 9 | AI Score 6.7 | EPSS 0.001 | 2024-05-30 12:00 AM

nessus

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:1813-1)

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1813-1 advisory. The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. This update fixes a regression with...

AI Score 7.2 | 2024-05-30 12:00 AM

nessus

FreeBSD : nginx-devel -- Multiple Vulnerabilities in HTTP/3 (320a19f7-1ddd-11ef-a2ae-8c164567ca3c)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 320a19f7-1ddd-11ef-a2ae-8c164567ca3c advisory. The nginx development team reports: This update fixes the following vulnerabilities: Tenable...

CVSS 6.5 | AI Score 7.2 | EPSS 0.0004 | 2024-05-30 12:00 AM

nessus

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : git (SUSE-SU-2024:1807-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1807-1 advisory. - CVE-2024-32002: Fixed recursive clones on case-insensitive filesystems that support symbolic...

CVSS 9 | AI Score 8.2 | EPSS 0.001 | 2024-05-30 12:00 AM
mageia

Updated perl-Email-MIME packages fix security vulnerabilities

An excessive memory use issue (CWE-770) exists in Email-MIME, before version 1.954, which can cause denial of service when parsing multipart MIME messages. The patch set (from 2020 and 2024) limits excessive depth and the total number of parts...

CVSS 7.5 | AI Score 7.3 | EPSS 0.0004 | 2024-05-29 09:08 PM

nvd

CVE-2024-35284

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input...

AI Score 5.7 | 2024-05-29 04:15 PM

cve

CVE-2024-35284

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input...

AI Score 5.8 | 2024-05-29 04:15 PM
qualysblog

2024 Cybersecurity Trends: What's Observable Already?

2024 has already witnessed a staggering number of cyber incidents, with over 29.5 billion records breached across 4,645 publicly disclosed incidents in January alone, according to the IT Governance Security Spotlight. Moreover, CVEs are growing significantly year over year, with 13% growth from...

AI Score 7.4 | 2024-05-29 03:41 PM

malwarebytes

Data leak site BreachForums is back, boasting Live Nation/Ticketmaster user data. But is it a trap?

Notorious data leak site BreachForums appears to be back online after it was seized by law enforcement a few weeks ago. At least one of BreachForums' domains and its dark web site are live again. However, questions have been raised over whether it is a genuine attempt to revive the forums once...

AI Score 7.3 | 2024-05-29 01:06 PM

osv

BIT-artifactory-2024-2248

A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a specially crafted URL sent to the victim's user...

CVSS 6.4 | AI Score 7.1 | EPSS 0.0004 | 2024-05-29 10:40 AM

hackerone

WakaTime: IDOR to view order information of users and personal information

Hi team, I found one bug on your domain. It's an IDOR bug. Summary: Insecure Direct Object Reference (IDOR) is the method of controlling which users can perform a certain type of action or view a set of data. Insecure Direct Object Reference (IDOR) is a vulnerability that allows an attacker to...

AI Score 7 | 2024-05-29 08:41 AM
cve

CVE-2024-5150

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value being empty, and the not-empty check being missing in the 'lwp_ajax_register' function. This makes it possible for...

CVSS 9.8 | AI Score 7.2 | EPSS 0.001 | 2024-05-29 02:16 AM

nvd

CVE-2024-5150

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value being empty, and the not-empty check being missing in the 'lwp_ajax_register' function. This makes it possible for...

CVSS 9.8 | AI Score 9.4 | EPSS 0.001 | 2024-05-29 02:16 AM

vulnrichment

CVE-2024-5150 Login with phone number <= 1.7.26 - Authentication Bypass due to Missing Empty Value Check

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value being empty, and the not-empty check being missing in the 'lwp_ajax_register' function. This makes it possible for...

CVSS 9.8 | AI Score 7 | EPSS 0.001 | 2024-05-29 02:00 AM

cvelist

CVE-2024-5150 Login with phone number <= 1.7.26 - Authentication Bypass due to Missing Empty Value Check

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value being empty, and the not-empty check being missing in the 'lwp_ajax_register' function. This makes it possible for...

CVSS 9.8 | AI Score 9.4 | EPSS 0.001 | 2024-05-29 02:00 AM
nessus

SUSE SLES15 Security Update : glibc-livepatches (SUSE-SU-2024:1805-1)

The remote SUSE Linux SLES15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:1805-1 advisory. - CVE-2024-2961: Fixed that the iconv() function in the GNU C Library may overflow the output buffer passed to it by up to 4 bytes when converting...

AI Score 7 | EPSS 0.0005 | 2024-05-29 12:00 AM

openvas

Ubuntu: Security Advisory (USN-6790-1)

The remote host is missing an update for...

AI Score 7.1 | EPSS 0.0004 | 2024-05-29 12:00 AM

f5

K000139627: NGINX HTTP/3 QUIC vulnerability CVE-2024-34161

Security Advisory Description: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously...

CVSS 5.3 | AI Score 7.1 | EPSS 0.0004 | 2024-05-29 12:00 AM
f5

K000139810: Oracle Java vulnerability CVE-2024-20919

Security Advisory Description: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK:...

CVSS 5.9 | AI Score 5.9 | EPSS 0.0005 | 2024-05-29 12:00 AM

f5

K000139612: NGINX HTTP/3 QUIC vulnerability CVE-2024-35200

Security Advisory Description: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. (CVE-2024-35200) Note: This issue affects NGINX systems compiled with the ngx_http_v3_module module, where the...

CVSS 5.3 | AI Score 7.2 | EPSS 0.0004 | 2024-05-29 12:00 AM

f5

K000139628: Out-of-band Security Notification (May 29, 2024)

Security Advisory Description: On May 29, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. You can watch...

CVSS 6.5 | AI Score 5.6 | EPSS 0.0004 | 2024-05-29 12:00 AM

f5

K000139609: NGINX HTTP/3 QUIC vulnerability CVE-2024-32760

Security Advisory Description: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other potential impact. (CVE-2024-32760) Note: This issue affects NGINX systems compiled with the...

CVSS 6.5 | AI Score 7.3 | EPSS 0.0004 | 2024-05-29 12:00 AM
nessus

FreeBSD : OpenSSL -- Use after free vulnerability (73a697d7-1d0f-11ef-a490-84a93843eb75)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 73a697d7-1d0f-11ef-a490-84a93843eb75 advisory. The OpenSSL project reports: Use After Free with SSL_free_buffers (low). Calling the OpenSSL API...

AI Score 6.6 | 2024-05-29 12:00 AM

f5

K000139611: NGINX HTTP/3 QUIC vulnerability CVE-2024-31079

Security Advisory Description: When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection...

CVSS 4.8 | AI Score 7.3 | EPSS 0.0004 | 2024-05-29 12:00 AM

attackerkb

CVE-2024-4358

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. Recent assessments: remmons-r7 at June 03, 2024 6:57pm UTC reported: So...

CVSS 10 | AI Score 10 | EPSS 0.946 | 2024-05-29 12:00 AM
github

ansibleguy-webui Cross-site Scripting vulnerability

Impact: Multiple forms in version <0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. Patches: We recommend upgrading to version >= 0.0.21. References: Report, GitHub Issue...

CVSS 8.2 | AI Score 6.6 | EPSS 0.0004 | 2024-05-28 09:23 PM

osv

ansibleguy-webui Cross-site Scripting vulnerability

Impact: Multiple forms in version <0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. Patches: We recommend upgrading to version >= 0.0.21. References: Report, GitHub Issue...

CVSS 8.2 | AI Score 6.9 | EPSS 0.0004 | 2024-05-28 09:23 PM

cve

CVE-2024-35239

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the...

CVSS 2.7 | AI Score 6.7 | EPSS 0.0004 | 2024-05-28 09:16 PM

nvd

CVE-2024-35239

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the...

CVSS 2.7 | AI Score 3.7 | EPSS 0.0004 | 2024-05-28 09:16 PM
osv

Umbraco Forms components vulnerable to Stored Cross-site Scripting

Impact: An authenticated user that has access to edit Forms may inject unsafe code into Forms components. Patches: The issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). References...

CVSS 2.7 | AI Score 7 | EPSS 0.0004 | 2024-05-28 08:40 PM

github

Umbraco Forms components vulnerable to Stored Cross-site Scripting

Impact: An authenticated user that has access to edit Forms may inject unsafe code into Forms components. Patches: The issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). References...

CVSS 2.7 | AI Score 6.7 | EPSS 0.0004 | 2024-05-28 08:40 PM

cvelist

CVE-2024-35239 Stored Cross-site Scripting on Components of Umbraco Forms

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the...

CVSS 2.7 | AI Score 3.6 | EPSS 0.0004 | 2024-05-28 08:15 PM

vulnrichment

CVE-2024-35239 Stored Cross-site Scripting on Components of Umbraco Forms

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the...

CVSS 2.7 | AI Score 6.8 | EPSS 0.0004 | 2024-05-28 08:15 PM
nvd

CVE-2024-36110

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on...

CVSS 8.2 | AI Score 8.4 | EPSS 0.0004 | 2024-05-28 07:15 PM

cve

CVE-2024-36110

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on...

CVSS 8.2 | AI Score 6.8 | EPSS 0.0004 | 2024-05-28 07:15 PM

osv

CVE-2024-36110

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on...

CVSS 8.2 | AI Score 7.2 | EPSS 0.0004 | 2024-05-28 07:15 PM

cvelist

CVE-2024-36110 Cross-site scripting in ansibleguy-webui

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on...

CVSS 8.2 | AI Score 8.4 | EPSS 0.0004 | 2024-05-28 06:33 PM

vulnrichment

CVE-2024-36110 Cross-site scripting in ansibleguy-webui

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on...

CVSS 8.2 | AI Score 6.9 | EPSS 0.0004 | 2024-05-28 06:33 PM
osv

silverstripe/userforms file upload exposure on UserForms module

The userforms module allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is...

AI Score 7 | 2024-05-28 05:21 PM

github

silverstripe/userforms file upload exposure on UserForms module

The userforms module allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is...

AI Score 7 | 2024-05-28 05:21 PM

mssecure

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and...

AI Score 7.7 | 2024-05-28 04:00 PM

mssecure

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and...

AI Score 9.5 | 2024-05-28 04:00 PM
redhat

(RHSA-2024:3427) Important: kpatch-patch security update

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix(es): kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (CVE-2024-1086) For more details about the security...

AI Score 6.9 | EPSS 0.011 | 2024-05-28 01:07 PM

ics

Campbell Scientific CSI Web Server

1. EXECUTIVE SUMMARY: CVSS v4 6.9. ATTENTION: Exploitable remotely/low attack complexity. Vendor: Campbell Scientific. Equipment: CSI Web Server. Vulnerabilities: Path Traversal, Weak Encoding for Password. 2. RISK EVALUATION: Successful exploitation of these vulnerabilities could allow an...

AI Score 8.1 | EPSS 0.0004 | 2024-05-28 12:00 PM

osv

amavisd-new vulnerability

It was discovered that amavisd-new incorrectly handled certain MIME email messages with multiple boundary parameters. A remote attacker could possibly use this issue to bypass checks for banned files or...

AI Score 7 | EPSS 0.0004 | 2024-05-28 11:24 AM

veracode

Improper Access Control

Mattermost is vulnerable to Improper Access Control. The vulnerability is due to a failure to verify if the email signup configuration option is enabled when a user requests to switch from SAML to email, allowing users to switch their authentication method and potentially edit personal details...

CVSS 4.3 | AI Score 7.2 | EPSS 0.0004 | 2024-05-28 10:17 AM
Total number of security vulnerabilities: 163814