go.etcd.io/etcd/client/pkg/v3 is vulnerable to Insecure Transport. The vulnerability is due to default weak ciphers...
7AI Score
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
8.8CVSS
8.6AI Score
0.001EPSS
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
8.8CVSS
6.4AI Score
0.001EPSS
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
8.8CVSS
7.1AI Score
0.001EPSS
CVE-2023-5800 Insufficient input validation in VAPIX API create_overlay.cgi
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
5.4CVSS
8.9AI Score
0.001EPSS
SonicWall SonicOS Multiple Vulnerabilities (SNWLID-2023-0012)
According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by multiple vulnerabilities with impact to SonicOS Management Web Interface and SSLVPN Portal, but not SonicWall SSLVPN SMA100 and SMA1000 series products. These vulnerabilities...
8.8CVSS
7.4AI Score
0.001EPSS
OpenSSL: Multiple Vulnerabilities
Background OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Description Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced....
7.5CVSS
7.7AI Score
0.004EPSS
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd by default contains weak ciphers. Workarounds Provide a desired ciphers using the --cipher-suites flag as described with examples in the security documentation References Find out more on this vulnerability in the...
7.1AI Score
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd by default contains weak ciphers. Workarounds Provide a desired ciphers using the --cipher-suites flag as described with examples in the security documentation References Find out more on this vulnerability in the...
7.1AI Score
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd by default contains weak ciphers. Workarounds Provide a desired ciphers using the --cipher-suites flag as described with examples in the security documentation References Find out more on this vulnerability in the...
7.1AI Score
AVEVA Edge products (formerly known as InduSoft Web Studio)
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: AVEVA Equipment: AVEVA Edge products (formerly known as InduSoft Web Studio) Vulnerability: Uncontrolled Search Path Element 2. RISK EVALUATION Successful exploitation of this vulnerability could result in an...
7.3CVSS
8AI Score
0.0004EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable Remotely/Low attack complexity Vendor: Gessler GmbH Equipment: WEB-MASTER Vulnerabilities: Use of Weak Credentials, Use of Weak Hash 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a user to take...
9.8CVSS
7.9AI Score
0.001EPSS
Post-quantum Cryptography for the Go Ecosystem
filippo.io/mlkem768 is a pure-Go implementation of ML-KEM-768 optimized for correctness and readability. ML-KEM (formerly known as Kyber, renamed because we can't have nice things) is a post-quantum key exchange mechanism in the process of being standardized by NIST and adopted by most of the...
6.8AI Score
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
8.3AI Score
0.001EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
6.9AI Score
0.001EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
8.5AI Score
0.001EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
7AI Score
0.001EPSS
CVE-2024-1019 WAF bypass of the ModSecurity v3 release line
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
8.7AI Score
0.001EPSS
Emerson Rosemount GC370XA, GC700XA, GC1500XA
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely Vendor: Emerson Equipment: Rosemount GC370XA, GC700XA, GC1500XA Vulnerabilities: Command Injection, Improper Authentication, Improper Authorization 2. RISK EVALUATION Successful exploitation of these vulnerabilities could...
9.8CVSS
8.9AI Score
0.001EPSS
Hitron Systems Security Camera DVR
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available/known public exploitation Vendor: Hitron Systems Equipment: DVR Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of these...
7.5CVSS
7.2AI Score
0.0005EPSS
Mitsubishi Electric CNC Series (Update E)
EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: CNC Series devices Vulnerability: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a malicious remote attacker to...
9.8CVSS
9.8AI Score
0.004EPSS
Rockwell Automation LP30/40/50 and BM40 Operator Interface
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: LP30, LP40, LP50, and BM40 Operator Panels Vulnerability: Improper Validation of Consistency within Input, Out-of-bounds Write, Stack-based Buffer Overflow,...
8.8CVSS
8.4AI Score
0.002EPSS
Rockwell Automation ControlLogix and GuardLogix
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: ControlLogix, GuardLogix Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of...
8.6CVSS
8.5AI Score
0.0005EPSS
Rockwell Automation FactoryTalk Service Platform
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk Service Platform Vulnerability: Improper Verification of Cryptographic Signature 2. RISK EVALUATION Successful exploitation of this vulnerability...
9.8CVSS
5.5AI Score
0.001EPSS
Mitsubishi Electric MELSEC WS Series Ethernet Interface Module
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely Vendor: Mitsubishi Electric Equipment: MELSEC WS Series Vulnerability: Authentication Bypass by Capture-replay 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthorized attacker to login...
7.5CVSS
7.4AI Score
0.001EPSS
Mitsubishi Electric FA Engineering Software Products
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: EZSocket, FR Configurator2, GT Designer3 Version1(GOT1000), GT Designer3 Version1(GOT2000), GX Works2, GX Works3, MELSOFT Navigator, MT Works2, MX Component, MX...
9.8CVSS
8.6AI Score
0.002EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
6.8AI Score
0.001EPSS
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft
CVE-2023-35636 Microsoft Outlook Information Disclosure...
6.5CVSS
7.1AI Score
0.005EPSS
IBM SECURITY ADVISORY First Issued: Thu Jan 25 14:11:09 CST 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/openssl_advisory40.asc Security Bulletin: AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129,...
7.5CVSS
7.8AI Score
0.001EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: SystemK Equipment: NVR 504/508/516 Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to...
9.8CVSS
8.5AI Score
0.001EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: MachineSense LLC. Equipment: MachineSense FeverWarn Vulnerabilities: Missing Authentication for Critical Function, Use of Hard-coded Credentials, Improper Access Control, OS Command...
10CVSS
9AI Score
0.001EPSS
Any authenticated user may obtain private message details from other users on the same instance
Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an.....
7.5CVSS
6.8AI Score
0.0005EPSS
Any authenticated user may obtain private message details from other users on the same instance
Summary Users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message itself, which means any user can just iterate over message ids to (loudly) obtain all private messages of an.....
7.5CVSS
6.9AI Score
0.0005EPSS
Malicious code in wlwz-2312-5600 (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (d9ea2c84f0fc71bf250ba20ff3cb19f83672f94904dee3fb919b7f6445f6f137) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in wlwz-2312-5500 (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (c85949273c1645637458b52979f1f1f07fe1d80347e5df1e9c5021e5c58b51e8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in wlwz-2312-5300 (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (50fca67107983106693c8958b74438ad0353ca8e3ba131b4ab590d176f666bda) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in wlwz-2312-2800 (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (30d10037b506d53ce78827697987a27ffcabbe7ed7bdfcb53be766bac27b7f38) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in wlwz-2312-5800 (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (f96f6776c01b0bad20c67f46b5523dece5292ce9d738606bfb82a67b1a203e3e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in wlwz-2311-5600 (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (b11d2225504316c6ba5d94d64e0cd25351c0db51aa106188ecf04a58004ffe0b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
7.5CVSS
6.4AI Score
0.0005EPSS
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
7.5CVSS
6.7AI Score
0.0005EPSS
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
6.5CVSS
7.5AI Score
0.0005EPSS
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
6.5CVSS
7AI Score
0.0005EPSS
Lemmy is a link aggregator and forum for the fediverse. Starting in version 0.17.0 and prior to version 0.19.1, users can report private messages, even when they're neither sender nor recipient of the message. The API response to creating a private message report contains the private message...
7.5CVSS
7.7AI Score
0.0005EPSS
Publitas: CORS Misconfiguration on █████
Summary: An cross-origin resource sharing (CORS) policy controls whether and how content running on other domains can perform two-way interaction with the domain that publishes the policy. The policy is fine-grained and can apply access controls per-request based on the URL and other features of...
6.8AI Score
No permission checks for editing/deleting records with CSV import form
Impact Users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using the CSV import form, provided they have create permissions. The likelyhood of a user having create permissions but not having edit or delete permissions is low, but it.....
4.3CVSS
4.5AI Score
0.0004EPSS
No permission checks for editing/deleting records with CSV import form
Impact Users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using the CSV import form, provided they have create permissions. The likelyhood of a user having create permissions but not having edit or delete permissions is low, but it.....
4.3CVSS
4.5AI Score
0.0004EPSS
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Impact If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user. Base CVSS: 4.3 Reported by: Nick K - LittleMonkey, littlemonkey.co.nz References ...
4.3CVSS
4.5AI Score
0.0004EPSS
Record titles for restricted records can be viewed if exposed by GridFieldAddExistingAutocompleter
Impact If a user should not be able to see a record, but that record can be added to a GridField using the GridFieldAddExistingAutocompleter component, the record's title can be accessed by that user. Base CVSS: 4.3 Reported by: Nick K - LittleMonkey, littlemonkey.co.nz References ...
4.3CVSS
4.5AI Score
0.0004EPSS
View permissions are bypassed for paginated lists of ORM data
Impact canView permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se. This has....
5.3CVSS
5.2AI Score
0.0005EPSS