Foxit Reader ComboBox widget Format event use-after-free vulnerability
Talos Vulnerability Report TALOS-2024-1959 Foxit Reader ComboBox widget Format event use-after-free vulnerability April 30, 2024 CVE Number CVE-2024-25648 SUMMARY A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a ComboBox widget. A specially crafted JavaScript.....
8.8CVSS
7.7AI Score
0.001EPSS
RHEL 9 : skopeo (RHSA-2024:2549)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2549 advisory. The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and...
4.3CVSS
6.5AI Score
0.0005EPSS
Moderate: skopeo security and bug fix update
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix(es): golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain...
8.8AI Score
0.0004EPSS
Moderate: skopeo security and bug fix update
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files. Security Fix(es): golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain...
4.3CVSS
6.3AI Score
0.0005EPSS
RHEL 9 : buildah update (Moderate) (RHSA-2024:2550)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:2550 advisory. The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working...
6.5AI Score
0.0004EPSS
Moderate: buildah bug fix update
The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a...
8.7AI Score
0.0004EPSS
Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session...
6.3CVSS
5.7AI Score
0.0004EPSS
Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session...
6.3CVSS
5.9AI Score
0.0004EPSS
Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through...
4.3CVSS
6.8AI Score
0.0004EPSS
Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through...
4.3CVSS
4.7AI Score
0.0004EPSS
Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through...
4.3CVSS
5AI Score
0.0004EPSS
CVE-2024-4310 Cross-site Scripting (XSS) vulnerability in HubBank
Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session...
6.3CVSS
6AI Score
0.0004EPSS
If state-sponsored actors are after one thing, it's to spread fear and uncertainty across the internet. There's always money to be made targeting individual businesses and organizations, but for James Nutland's work, it's always about the bigger picture. And his background in studying...
7.2AI Score
Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through...
4.3CVSS
6.8AI Score
0.0004EPSS
Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through...
4.3CVSS
4.7AI Score
0.0004EPSS
Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through...
7.5CVSS
6.8AI Score
0.0004EPSS
Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through...
7.5CVSS
7.6AI Score
0.0004EPSS
Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through...
7.5CVSS
7.8AI Score
0.0004EPSS
CVE-2024-33593 WordPress Smart Forms plugin <= 2.6.91 - Broken Access Control vulnerability
Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through...
4.3CVSS
5AI Score
0.0004EPSS
The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.6AI Score
0.0004EPSS
The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.4AI Score
0.0004EPSS
CVE-2024-1905 Smart Forms < 2.6.96 - Admin+ Stored XSS
The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.5AI Score
0.0004EPSS
Fedora 38 : python-fastapi / python-starlette (2023-9d50269499)
The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-9d50269499 advisory. python-starlette 0.25.0 ### Fixed - Limit the number of fields and files when parsing multipart/form-data on the MultipartParser ## python-fastapi...
7.3AI Score
RomethemeForm For Elementor < 1.1.3 - Missing Authorization
Description The RomethemeForm For Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to modify...
5.3CVSS
6.9AI Score
0.0004EPSS
BuddyForms < 2.8.9 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery
Description The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Arbitrary File Read and Server-Side Request Forgery in all versions up to, and including, 2.8.8. This makes it possible for...
8.6CVSS
7.1AI Score
0.0004EPSS
FreeBSD : GLPI -- multiple vulnerabilities (5da8b1e6-0591-11ef-9e00-080027957747)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5da8b1e6-0591-11ef-9e00-080027957747 advisory. GLPI team reports: GLPI 10.0.15 Changelog (CVE-2024-29889, CVE-2024-31456) Note that Nessus...
7.7CVSS
7.6AI Score
0.0004EPSS
Oracle Linux 8 : cri-o (ELSA-2024-12348)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-12348 advisory. Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will...
7.5CVSS
6.7AI Score
0.0005EPSS
Fedora 39 : python-fastapi / python-starlette (2023-6c030b3c71)
The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-6c030b3c71 advisory. python-starlette 0.25.0 ### Fixed - Limit the number of fields and files when parsing multipart/form-data on the MultipartParser ## python-fastapi...
7.3AI Score
MailerLite – Signup forms (official) < 1.7.7 - Missing Authorization
Description The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it.....
5.3CVSS
6.7AI Score
0.001EPSS
Conversational Forms for ChatBot < 1.2.0 - Unauthenticated Arbitrary File Download
Description The ChatBot Conversational Forms plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to download arbitrary files from the server which may contain sensitive...
7AI Score
EPSS
Oracle Linux 9 : cri-o (ELSA-2024-12347)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-12347 advisory. Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will...
7.5CVSS
6.7AI Score
0.0005EPSS
The Anatomy of HTML Attachment Phishing
The Anatomy of HTML Attachment Phishing: One Code, Many Variants By Mathanraj Thangaraju, Niranjan Hegde, and Sijo Jacob · June 14, 2023 Introduction Phishing is the malevolent practise of pretending to be a reliable entity in electronic communication to steal sensitive data, such as login...
7.4AI Score
FreeBSD : powerdns-recursor -- denial of service (1af16f2b-023c-11ef-8791-6805ca2fa271)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1af16f2b-023c-11ef-8791-6805ca2fa271 advisory. A crafted response from an upstream server the recursor has been configured to forward-recurse to...
7.5CVSS
6.8AI Score
0.0004EPSS
Description The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions 1.5.0 to 1.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
6.4CVSS
5.4AI Score
0.001EPSS
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
Identity and access management (IAM) services provider Okta has warned of a spike in the "frequency and scale" of credential stuffing attacks aimed at online services. These unprecedented attacks, observed over the last month, are said to be facilitated by "the broad availability of residential...
6.8AI Score
RHEL 8 : openstack-keystone (RHSA-2019:4358)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:4358 advisory. The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities....
8.8CVSS
6.5AI Score
0.018EPSS
The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:4692 advisory. Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT...
7.5CVSS
8.3AI Score
0.002EPSS
The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:4590 advisory. Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers...
7.3CVSS
6.7AI Score
0.001EPSS
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the b3affee8-04d1-11ef-8928-901b0ef714d4 advisory. Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due...
4.9CVSS
7.1AI Score
0.0004EPSS
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping....
4.4CVSS
5.7AI Score
0.0004EPSS
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping....
4.4CVSS
4.3AI Score
0.0004EPSS
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping....
4.4CVSS
4.5AI Score
0.0004EPSS
RHEL 7 : openstack-keystone (RHSA-2018:2523)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:2523 advisory. The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities....
5.3CVSS
5.4AI Score
0.001EPSS
RHEL 7 : openstack-keystone (RHSA-2018:2533)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:2533 advisory. The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities....
5.3CVSS
5.5AI Score
0.001EPSS
RHEL 7 : openstack-keystone (RHSA-2018:2543)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2018:2543 advisory. The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities....
5.3CVSS
5.4AI Score
0.001EPSS
10 Critical Endpoint Security Tips You Should Know
In today's digital world, where connectivity is rules all, endpoints serve as the gateway to a business's digital kingdom. And because of this, endpoints are one of hackers' favorite targets. According to the IDC, 70% of successful breaches start at the endpoint. Unprotected endpoints provide...
7.4AI Score
FreeBSD : chromium -- multiple security fixes (7a42852d-0347-11ef-9f97-a8a1599412c6)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7a42852d-0347-11ef-9f97-a8a1599412c6 advisory. Type Confusion in ANGLE. (CVE-2024-4058) Out of bounds read in V8 API. (CVE-2024-4059) ...
8.8CVSS
9.5AI Score
0.001EPSS
Form Maker by 10Web < 1.15.25 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting
Description The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output...
4.4CVSS
5.7AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 15, 2024 to April 21, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 209 vulnerabilities disclosed in 169...
9.9AI Score
EPSS
Ring agrees to pay $5.6 million after cameras were used to spy on customers
Amazon's Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers' private videos, and failed to implement security protections which enabled hackers to take control of customers’ accounts, cameras, and videos. The....
7.1AI Score