Lucene search

K

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics Security Vulnerabilities

amazon
amazon

Medium: cri-tools

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

7.3AI Score

0.0004EPSS

2024-06-06 08:17 PM
2
cve
cve

CVE-2024-5552

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes...

7.5CVSS

7.2AI Score

0.0004EPSS

2024-06-06 07:16 PM
24
nvd
nvd

CVE-2024-5552

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes...

7.5CVSS

0.0004EPSS

2024-06-06 07:16 PM
nvd
nvd

CVE-2024-3404

In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the history files of other users, potentially leading to...

6.5CVSS

0.0004EPSS

2024-06-06 07:16 PM
1
cve
cve

CVE-2024-3404

In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the history files of other users, potentially leading to...

6.5CVSS

6.3AI Score

0.0004EPSS

2024-06-06 07:16 PM
24
osv
osv

Contract balance not updating correctly after interchain transaction

Summary Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Details We discovered a bug walking through how to liquid stake using Safe which...

7.5CVSS

7.9AI Score

0.0004EPSS

2024-06-06 06:51 PM
1
github
github

Contract balance not updating correctly after interchain transaction

Summary Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. Details We discovered a bug walking through how to liquid stake using Safe which...

7.5CVSS

7.9AI Score

0.0004EPSS

2024-06-06 06:51 PM
mageia
mageia

Updated amavisd-new packages fix security vulnerability

Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or...

6.9AI Score

0.0004EPSS

2024-06-06 06:48 PM
2
cvelist
cvelist

CVE-2024-3404 Improper Access Control in gaizhenbiao/chuanhuchatgpt

In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the history files of other users, potentially leading to...

6.5CVSS

0.0004EPSS

2024-06-06 06:45 PM
2
vulnrichment
vulnrichment

CVE-2024-3404 Improper Access Control in gaizhenbiao/chuanhuchatgpt

In gaizhenbiao/chuanhuchatgpt, specifically the version tagged as 20240121, there exists a vulnerability due to improper access control mechanisms. This flaw allows an authenticated attacker to bypass intended access restrictions and read the history files of other users, potentially leading to...

6.5CVSS

6.2AI Score

0.0004EPSS

2024-06-06 06:45 PM
github
github

evmos allows transferring unvested tokens after delegations

Impact This advisory has been created to address the following vulnerabilities found in the Evmos codebase and affecting vesting accounts. Wrong spendable balance computation The spendable balance is not updated properly when delegating vested tokens. The following example help in describing the...

3.5CVSS

4.3AI Score

0.0004EPSS

2024-06-06 06:21 PM
4
osv
osv

evmos allows transferring unvested tokens after delegations

Impact This advisory has been created to address the following vulnerabilities found in the Evmos codebase and affecting vesting accounts. Wrong spendable balance computation The spendable balance is not updated properly when delegating vested tokens. The following example help in describing the...

3.5CVSS

4.3AI Score

0.0004EPSS

2024-06-06 06:21 PM
4
osv
osv

CVE-2024-3033

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific....

9.1CVSS

6.8AI Score

0.0004EPSS

2024-06-06 06:15 PM
1
cve
cve

CVE-2024-3033

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific....

9.1CVSS

9AI Score

0.0004EPSS

2024-06-06 06:15 PM
23
nvd
nvd

CVE-2024-3033

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific....

9.1CVSS

0.0004EPSS

2024-06-06 06:15 PM
vulnrichment
vulnrichment

CVE-2024-5552 ReDoS in kubeflow/kubeflow

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes...

7.5CVSS

7AI Score

0.0004EPSS

2024-06-06 06:09 PM
1
cvelist
cvelist

CVE-2024-5552 ReDoS in kubeflow/kubeflow

kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes...

7.5CVSS

0.0004EPSS

2024-06-06 06:09 PM
1
talosblog
talosblog

The sliding doors of misinformation that come with AI-generated search results

As someone who used to think that his entire livelihood would come from writing, I've long wondered if any sort of computer or AI could replace my essential functions at work. For now, it seems there are enough holes in AI-generated language that my ability to write down a complete, accurate and...

7.2AI Score

2024-06-06 06:00 PM
9
metasploit
metasploit

Telerik Report Server Auth Bypass

This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and prior which allows an unauthenticated attacker to create a new account with administrative privileges. The vulnerability leverages the initial setup page which is still accessible once the....

9.9CVSS

7.2AI Score

0.938EPSS

2024-06-06 05:46 PM
10
cvelist
cvelist

CVE-2024-3033 Improper Authorization in mintplex-labs/anything-llm

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific....

9.1CVSS

0.0004EPSS

2024-06-06 05:32 PM
2
vulnrichment
vulnrichment

CVE-2024-3033 Improper Authorization in mintplex-labs/anything-llm

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific....

9.1CVSS

6.8AI Score

0.0004EPSS

2024-06-06 05:32 PM
1
nvd
nvd

CVE-2024-37156

The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in...

6.1CVSS

0.0004EPSS

2024-06-06 04:15 PM
2
osv
osv

CVE-2024-37156

The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in...

6.1CVSS

6.2AI Score

0.0004EPSS

2024-06-06 04:15 PM
cve
cve

CVE-2024-37156

The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in...

6.1CVSS

6.1AI Score

0.0004EPSS

2024-06-06 04:15 PM
23
cvelist
cvelist

CVE-2024-37156 TokenController formName not sanitized in hidden input

The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in...

6.1CVSS

0.0004EPSS

2024-06-06 04:03 PM
1
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (May 27, 2024 to June 2, 2024)

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

10CVSS

9.6AI Score

EPSS

2024-06-06 03:09 PM
14
osv
osv

s2n-tls has a potentially observable differences in RSA premaster secret handling

When receiving a message from a client that sent an invalid RSA premaster secret, an issue in s2n-tls results in the server performing additional processing when the premaster secret contains an incorrect client hello version. While no practical attack on s2n-tls has been demonstrated, this causes....

7AI Score

2024-06-06 02:26 PM
2
github
github

s2n-tls has a potentially observable differences in RSA premaster secret handling

When receiving a message from a client that sent an invalid RSA premaster secret, an issue in s2n-tls results in the server performing additional processing when the premaster secret contains an incorrect client hello version. While no practical attack on s2n-tls has been demonstrated, this causes....

7AI Score

2024-06-06 02:26 PM
4
thn
thn

Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

Muhstik botnet exploits a critical Apache RocketMQ flaw (CVE-2023-33246) for remote code execution, targeting Linux servers and IoT devices for DDoS attacks and cryptocurrency mining. Infection involves executing a shell script from a remote IP, downloading the Muhstik malware binary ("pty3"), and....

9.8CVSS

8.3AI Score

0.973EPSS

2024-06-06 01:14 PM
8
malwarebytes
malwarebytes

Advance Auto Parts customer data posted for sale

A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers. Allegedly the customer data includes: Names Email...

7.4AI Score

2024-06-06 12:57 PM
7
malwarebytes
malwarebytes

Husband stalked ex-wife with seven AirTags, indictment says

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania. The...

6.2AI Score

2024-06-06 12:20 PM
5
ics
ics

Emerson PACSystem and Fanuc

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.6 ATTENTION: Low attack complexity Vendor: Emerson Equipment: PACSystem, Fanuc Vulnerabilities: Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity Insufficiently Protected Credentials, Download of Code Without...

8.4AI Score

EPSS

2024-06-06 12:00 PM
5
ics
ics

Emerson Ovation

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Emerson Equipment: Ovation Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity CISA is aware of a public report, known as...

8.4AI Score

EPSS

2024-06-06 12:00 PM
5
ics
ics

Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: CC-Link IE TSN Industrial Managed Switch Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this...

6.5CVSS

7.4AI Score

0.001EPSS

2024-06-06 12:00 PM
3
thn
thn

Prevent Account Takeover with Better Password Security

Tom works for a reputable financial institution. He has a long, complex password that would be near-impossible to guess. He's memorized it by heart, so he started using it for his social media accounts and on his personal devices too. Unbeknownst to Tom, one of these sites has had its password...

7AI Score

2024-06-06 09:55 AM
6
veracode
veracode

Information Disclosure

TYPO3/CMS is vulnerable to Information Disclosure. This vulnerability arises from insufficient validation and handling of uploaded files within forms. It may result in arbitrary file disclosure or unauthorized access to sensitive system...

7AI Score

2024-06-06 06:02 AM
2
thn
thn

Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI

Cybersecurity researchers have discovered a malicious Python package uploaded to the Python Package Index (PyPI) repository that's designed to deliver an information stealer called Lumma (aka LummaC2). The package in question is crytic-compilers, a typosquatted version of a legitimate library...

7.1AI Score

2024-06-06 05:49 AM
2
nvd
nvd

CVE-2024-5153

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain...

9.1CVSS

9.2AI Score

0.001EPSS

2024-06-06 04:15 AM
cve
cve

CVE-2024-5153

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain...

9.1CVSS

6.9AI Score

0.001EPSS

2024-06-06 04:15 AM
24
vulnrichment
vulnrichment

CVE-2024-5153 Startklar Elementor Addons <= 1.7.15 - Unauthenticated Path Traversal to Arbitrary Directory Deletion

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain...

9.1CVSS

7AI Score

0.001EPSS

2024-06-06 03:53 AM
1
cvelist
cvelist

CVE-2024-5153 Startklar Elementor Addons <= 1.7.15 - Unauthenticated Path Traversal to Arbitrary Directory Deletion

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain...

9.1CVSS

9.2AI Score

0.001EPSS

2024-06-06 03:53 AM
1
f5
f5

K000139922: Open vSwitch vulnerabilities CVE-2023-3966 and CVE-2023-5366

Security Advisory Description CVE-2023-3966 A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is...

7.5CVSS

7.1AI Score

0.0004EPSS

2024-06-06 12:00 AM
7
wpvulndb
wpvulndb

Pure Chat – Live Chat Plugin & More! < 2.23 - Cross-Site Request Forgery

Description The Pure Chat plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.22. This is due to missing or incorrect nonce validation on the pure_chat_update function. This makes it possible for unauthenticated attackers to update chat details.....

4.3CVSS

6.4AI Score

0.0005EPSS

2024-06-06 12:00 AM
2
packetstorm

7.4AI Score

2024-06-06 12:00 AM
80
packetstorm

7.4AI Score

2024-06-06 12:00 AM
79
packetstorm

7.4AI Score

0.0004EPSS

2024-06-06 12:00 AM
166
packetstorm

7.4AI Score

2024-06-06 12:00 AM
78
wpexploit
wpexploit

WP Chat App < 3.6.5 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is...

6AI Score

0.0004EPSS

2024-06-06 12:00 AM
7
nessus
nessus

FreeBSD : cyrus-imapd -- unbounded memory allocation (14908bda-232b-11ef-b621-00155d645102)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 14908bda-232b-11ef-b621-00155d645102 advisory. Cyrus IMAP 3.8.3 Release Notes states: Fixed CVE-2024-34055: Cyrus-IMAP through 3.8.2 and 3.10.0-beta2...

6.5CVSS

6.6AI Score

0.0005EPSS

2024-06-06 12:00 AM
3
wpvulndb
wpvulndb

WP Chat App < 3.6.5 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. PoC 1. Navigate to...

5.2AI Score

0.0004EPSS

2024-06-06 12:00 AM
Total number of security vulnerabilities164328