Lucene search

K

Newsletter – Send Awesome Emails From WordPress Security Vulnerabilities

cvelist
cvelist

CVE-2024-34580

Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing (XMLDsig) specification without protection against an SSRF payload in a KeyInfo element. NOTE: the supplier disputes this CVE Record on the grounds that they are implementing the specification "correctly".....

EPSS

2024-06-26 12:00 AM
jvn
jvn

JVN#34977158: WordPress plugins "WP Tweet Walls" and "Sola Testimonials" vulnerable to cross-site request forgery

WordPress plugins "WP Tweet Walls" and "Sola Testimonials" provided by Sola Plugins contain a cross-site request forgery vulnerability (CWE-352). ## Impact While a user logs in to the WordPress site where the affected plugin is enabled, accessing a malicious page may make the user perform...

6.8AI Score

EPSS

2024-06-26 12:00 AM
cvelist
cvelist

CVE-2024-5460 Brocade Fabric OS versions prior to v9.0 have default community strings

A vulnerability in the default configuration of the Simple Network Management Protocol (SNMP) feature of Brocade Fabric OS versions before v9.0.0 could allow an authenticated, remote attacker to read data from an affected device via SNMP. The vulnerability is due to hard-coded, default...

8.1CVSS

EPSS

2024-06-25 11:58 PM
1
cvelist
cvelist

CVE-2024-38526 pdoc embeds link to malicious CDN if math mode is enabled

pdoc provides API Documentation for Python Projects. Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc...

7.2CVSS

EPSS

2024-06-25 11:53 PM
4
cvelist
cvelist

CVE-2024-4869 WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

7.2CVSS

EPSS

2024-06-25 11:35 PM
2
github
github

pdoc embeds link to malicious CDN if math mode is enabled

Impact Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. Users who produce documentation with math mode should update immediately. All other users are unaffected. Patches This issue has been fixed.....

7.1AI Score

2024-06-25 10:23 PM
1
osv
osv

pdoc embeds link to malicious CDN if math mode is enabled

Impact Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. Users who produce documentation with math mode should update immediately. All other users are unaffected. Patches This issue has been fixed.....

7.1AI Score

2024-06-25 10:23 PM
2
ibm
ibm

Security Bulletin: Maximo Application Suite - follow-redirects-1.15.4.tgz and follow-redirects-1.15.5.tgz are vulnerable to CVE-2024-28849 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses follow-redirects-1.15.4.tgz and follow-redirects-1.15.5.tgz which are vulnerable to CVE-2024-28849. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-28849 DESCRIPTION:...

6.5CVSS

6.7AI Score

0.0004EPSS

2024-06-25 10:09 PM
1
ibm
ibm

Security Bulletin: Maximo Application Suite - torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl is vulnerable to multiple security CVEs used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses torch-1.13.1-cp37-cp37m-manylinux1_x86_64.whl which is vulnerable to multiple security CVEs. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-31583 DESCRIPTION:...

8.2AI Score

0.0004EPSS

2024-06-25 10:08 PM
1
ibm
ibm

Security Bulletin: Maximo Application Suite - Multiple Netty package is vulnerable to CVE-2024-29025 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses multiple Netty package which is vulnerable to CVE-2024-29025. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-29025 DESCRIPTION: **Netty is vulnerable to a denial of...

5.3CVSS

7.2AI Score

0.0004EPSS

2024-06-25 10:08 PM
1
ibm
ibm

Security Bulletin: Maximo Application suite - express-4.18.2.tgz is vulnerable to CVE-2024-29041 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses express-4.18.2.tgz which is vulnerable to CVE-2024-29041. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-29041 DESCRIPTION: **Express.js Express could allow a remote...

6.1CVSS

7.1AI Score

0.0004EPSS

2024-06-25 10:07 PM
1
ibm
ibm

Security Bulletin: Maximo Application Suite - jose4j is vulnerable to CVE-2023-51775 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses jose4j which is vulnerable to CVE-2023-51775. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details ** CVEID: CVE-2023-51775 DESCRIPTION: **jose4j is vulnerable to a denial of service, caused by.....

7.2AI Score

0.0004EPSS

2024-06-25 10:06 PM
ibm
ibm

Security Bulletin: Maximo Application Suite - gunicorn-20.1.0-py3-none-any.whl is vulnerable to CVE-2024-1135 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses gunicorn-20.1.0-py3-none-any.whl which is vulnerable to CVE-2024-1135. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-1135 DESCRIPTION: **Gunicorn is vulnerable to...

7.5CVSS

6.1AI Score

0.0004EPSS

2024-06-25 10:05 PM
1
ibm
ibm

Security Bulletin: Maximo Application Suite - bcprov-jdk18on-1.76.jar is vulnerable to CVE-2024-30171 used in IBM Maximo Application Suite - Monitor Component

Summary IBM Maximo Application Suite - Monitor Component uses bcprov-jdk18on-1.76.jar which is vulnerable to CVE-2024-30171. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2024-30171 DESCRIPTION: **The Bouncy Castle Crypto Package...

6.4AI Score

0.0004EPSS

2024-06-25 10:05 PM
1
cve
cve

CVE-2024-5018

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory...

5.3CVSS

5.4AI Score

EPSS

2024-06-25 09:16 PM
4
nvd
nvd

CVE-2024-5018

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory...

5.3CVSS

EPSS

2024-06-25 09:16 PM
2
nvd
nvd

CVE-2024-5014

In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the GetASPReport feature. This allows any authenticated user to retrieve ASP reports from an HTML...

7.1CVSS

EPSS

2024-06-25 09:16 PM
1
cve
cve

CVE-2024-5014

In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the GetASPReport feature. This allows any authenticated user to retrieve ASP reports from an HTML...

7.1CVSS

6.8AI Score

EPSS

2024-06-25 09:16 PM
3
nvd
nvd

CVE-2024-38516

ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and...

8.8CVSS

EPSS

2024-06-25 09:15 PM
1
cve
cve

CVE-2024-38516

ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and...

8.8CVSS

8.6AI Score

EPSS

2024-06-25 09:15 PM
6
redhatcve
redhatcve

CVE-2024-39467

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted with checkpoint version = 48b305e4...

7AI Score

EPSS

2024-06-25 08:52 PM
redhatcve
redhatcve

CVE-2024-39462

In the Linux kernel, the following vulnerability has been resolved: clk: bcm: dvp: Assign -&gt;num before accessing -&gt;hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs t...

7AI Score

EPSS

2024-06-25 08:51 PM
1
redhatcve
redhatcve

CVE-2024-39461

In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Assign -&gt;num before accessing -&gt;hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs t...

7AI Score

EPSS

2024-06-25 08:51 PM
1
cvelist
cvelist

CVE-2024-5018 WhatsUp Gold LoadUsingBasePath Directory Traversal Information Disclosure Vulnerability

In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Path Traversal vulnerability exists Wug.UI.Areas.Wug.Controllers.SessionController.LoadNMScript. This allows allows reading of any file from the applications web-root directory...

5.3CVSS

EPSS

2024-06-25 08:27 PM
1
redhatcve
redhatcve

CVE-2024-37354

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix crash on racing fsync and size-extending write into prealloc We have been seeing crashes on duplicate keys in btrfs_set_item_key_safe(): BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)...

7AI Score

EPSS

2024-06-25 08:25 PM
1
redhatcve
redhatcve

CVE-2021-4440

In the Linux kernel, the following vulnerability has been resolved: x86/xen: Drop USERGS_SYSRET64 paravirt call commit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream. USERGS_SYSRET64 is used to return from a syscall via SYSRET, but a Xen PV guest will nevertheless use the IRET hypercall, as...

7AI Score

EPSS

2024-06-25 08:24 PM
nvd
nvd

CVE-2024-5276

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this...

9.8CVSS

EPSS

2024-06-25 08:15 PM
cve
cve

CVE-2024-5276

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this...

9.8CVSS

9.9AI Score

EPSS

2024-06-25 08:15 PM
7
nvd
nvd

CVE-2024-4498

A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the /apply_settings function, allowing an attacker to manipulate the...

7.7CVSS

EPSS

2024-06-25 08:15 PM
cve
cve

CVE-2024-4498

A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the /apply_settings function, allowing an attacker to manipulate the...

7.7CVSS

7.9AI Score

EPSS

2024-06-25 08:15 PM
3
cvelist
cvelist

CVE-2024-5014 WhatsUp Gold GetASPReport Server-Side Request Forgery Information Disclosure

In WhatsUp Gold versions released before 2023.1.3, a Server Side Request Forgery vulnerability exists in the GetASPReport feature. This allows any authenticated user to retrieve ASP reports from an HTML...

7.1CVSS

EPSS

2024-06-25 08:13 PM
1
cvelist
cvelist

CVE-2024-38516 Aimeos HTML client may potentially reveal sensitive information in error log

ai-client-html is an Aimeos e-commerce HTML client component. Debug information revealed sensitive information from environment variables in error log. This issue has been patched in versions 2024.04.7, 2023.10.15, 2022.10.13 and...

8.8CVSS

EPSS

2024-06-25 08:08 PM
3
cvelist
cvelist

CVE-2024-4498 Path Traversal and RFI Vulnerability in parisneo/lollms-webui

A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the /apply_settings function, allowing an attacker to manipulate the...

7.7CVSS

EPSS

2024-06-25 07:55 PM
2
redhatcve
redhatcve

CVE-2024-39362

In the Linux kernel, the following vulnerability has been resolved: i2c: acpi: Unbind mux adapters before delete There is an issue with ACPI overlay table removal specifically related to I2C multiplexers. Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an existing I2C bus. When...

7.1AI Score

EPSS

2024-06-25 07:50 PM
redhatcve
redhatcve

CVE-2024-39298

In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages When I did memory failure tests recently, below panic occurs: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags:...

7.1AI Score

EPSS

2024-06-25 07:49 PM
nvd
nvd

CVE-2024-36819

MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the "Client Name" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee...

EPSS

2024-06-25 07:15 PM
2
cve
cve

CVE-2024-36819

MAP-OS 4.45.0 and earlier is vulnerable to Cross-Site Scripting (XSS). This vulnerability allows malicious users to insert a malicious payload into the "Client Name" input. When a service order from this client is created, the malicious payload is displayed on the administrator and employee...

6.1AI Score

EPSS

2024-06-25 07:15 PM
1
cvelist
cvelist

CVE-2024-5276 SQL Injection Vulnerability in FileCatalyst Workflow 5.1.6 Build 135 (and earlier)

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this...

9.8CVSS

EPSS

2024-06-25 07:13 PM
4
githubexploit
githubexploit

Exploit for CVE-2024-33883

CVE-2024-33883 Insufficient Prototype Pollution...

7.1AI Score

0.0004EPSS

2024-06-25 06:40 PM
13
rapid7blog
rapid7blog

Authentication Bypasses in MOVEit Transfer and MOVEit Gateway

On June 25, 2024, Progress Software published information on two new vulnerabilities in MOVEit Transfer and MOVEit Gateway: CVE-2024-5806, a high-severity authentication bypass affecting the MOVEit Transfer SFTP service in a default configuration, and CVE-2024-5805, a critical SFTP-associated...

9.1CVSS

9.8AI Score

EPSS

2024-06-25 06:16 PM
6
rapid7blog
rapid7blog

Takeaways From The Take Command Summit: Understanding Modern Cyber Attacks

In today's cybersecurity landscape, staying ahead of evolving threats is crucial. The State of Security Panel from our Take Command summit held May 21st delved into how artificial intelligence (AI) is reshaping cyber attacks and defenses. The discussion highlighted the dual role of AI in...

7.4AI Score

2024-06-25 05:52 PM
osv
osv

Aimeos HTML client may potentially reveal sensitive information in error log

Impact Debug information can reveal sensitive information from environment variables in error log Affected platform Laravel environments with multi-vendor setups and admin access for the...

8.8CVSS

6.5AI Score

EPSS

2024-06-25 05:26 PM
1
github
github

Aimeos HTML client may potentially reveal sensitive information in error log

Impact Debug information can reveal sensitive information from environment variables in error log Affected platform Laravel environments with multi-vendor setups and admin access for the...

8.8CVSS

6.5AI Score

EPSS

2024-06-25 05:26 PM
4
ibm
ibm

Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to cross-site scripting due to WebSphere Application Server Liberty

Summary There is a vulnerability in IBM WebSphere Application Server Liberty used by IBM Cloud Transformation Advisor (CVE-2024-27270). Vulnerability Details ** CVEID: CVE-2024-27270 DESCRIPTION: **IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site...

4.7CVSS

6.4AI Score

0.0004EPSS

2024-06-25 04:18 PM
2
nvd
nvd

CVE-2024-5989

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the Rockwell Automation ThinManager®...

EPSS

2024-06-25 04:15 PM
3
cve
cve

CVE-2024-5990

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within Rockwell Automation ThinServer™ and cause a denial-of-service condition on the affected...

7.2AI Score

EPSS

2024-06-25 04:15 PM
2
nvd
nvd

CVE-2024-5990

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within Rockwell Automation ThinServer™ and cause a denial-of-service condition on the affected...

EPSS

2024-06-25 04:15 PM
1
cve
cve

CVE-2024-5989

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the Rockwell Automation ThinManager®...

9.1AI Score

EPSS

2024-06-25 04:15 PM
4
nvd
nvd

CVE-2024-5988

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation ThinManager®...

EPSS

2024-06-25 04:15 PM
1
cve
cve

CVE-2024-5988

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the Rockwell Automation ThinManager®...

7.5AI Score

EPSS

2024-06-25 04:15 PM
1
Total number of security vulnerabilities888968