Lucene search

K

P10, P10 Plus Security Vulnerabilities

talosblog
talosblog

The internet is already scary enough without April Fool’s jokes

I feel like over the past several years, the "holiday" that is April Fool's Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you'd find on a news site any day of the week. And there are so many more serious issues that are.....

7.3AI Score

2024-04-11 06:00 PM
5
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 1, 2024 to April 7, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 193 vulnerabilities disclosed in 154...

9.9CVSS

9.8AI Score

0.082EPSS

2024-04-11 05:23 PM
32
debiancve
debiancve

CVE-2021-47192

In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery,...

6.6AI Score

0.0004EPSS

2024-04-10 07:15 PM
6
nvd
nvd

CVE-2021-47192

In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery,...

7.4AI Score

0.0004EPSS

2024-04-10 07:15 PM
cve
cve

CVE-2021-47192

In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery,...

6.5AI Score

0.0004EPSS

2024-04-10 07:15 PM
34
vulnrichment
vulnrichment

CVE-2021-47192 scsi: core: sysfs: Fix hang when device state is set via sysfs

In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery,...

6.9AI Score

0.0004EPSS

2024-04-10 06:56 PM
1
cvelist
cvelist

CVE-2021-47192 scsi: core: sysfs: Fix hang when device state is set via sysfs

In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery,...

6.7AI Score

0.0004EPSS

2024-04-10 06:56 PM
cve
cve

CVE-2024-31287

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Max Foundry Media Library Folders.This issue affects Media Library Folders: from n/a through...

6.5CVSS

7AI Score

0.0004EPSS

2024-04-10 04:15 PM
26
nvd
nvd

CVE-2024-31287

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Max Foundry Media Library Folders.This issue affects Media Library Folders: from n/a through...

6.5CVSS

6.4AI Score

0.0004EPSS

2024-04-10 04:15 PM
cvelist
cvelist

CVE-2024-31287 WordPress Media Library Folders plugin <= 8.1.8 - Directory Traversal vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Max Foundry Media Library Folders.This issue affects Media Library Folders: from n/a through...

6.5CVSS

6.6AI Score

0.0004EPSS

2024-04-10 04:07 PM
wpvulndb
wpvulndb

WP Photo Album Plus < 8.6.03.005 - Authenticated (Subscriber+) Arbitrary File Upload

Description The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wppa_user_upload() function in all versions up to, and including, 8.6.03.004. This makes it possible for authenticated attackers, with subscriber-level access....

7.7AI Score

0.0004EPSS

2024-04-10 12:00 AM
7
redos
redos

ROS-20240410-02

Vulnerability in the HTTP/3 QUIC module of NGINX Plus, NGINX OSS web servers that allows an attacker to cause a denial of service. denial of service Vulnerability of ngx_http_v3_module module of NGINX and NGINX Plus servers is related to memory usage after its release. memory after it has been...

7.5CVSS

7AI Score

0.0004EPSS

2024-04-10 12:00 AM
9
ubuntucve
ubuntucve

CVE-2021-47192

In the Linux kernel, the following vulnerability has been resolved: scsi: core: sysfs: Fix hang when device state is set via sysfs This fixes a regression added with: commit f0f82e2476f6 ("scsi: core: Fix capacity set to zero after offlinining device") The problem is that after iSCSI recovery,...

6.5AI Score

0.0004EPSS

2024-04-10 12:00 AM
7
f5
f5

K000139225: nghttp2 vulnerability CVE-2024-28182

Security Advisory Description nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes...

5.3CVSS

6.1AI Score

0.0004EPSS

2024-04-10 12:00 AM
13
cve
cve

CVE-2024-2335

The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget link URLs in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers....

6.4CVSS

7.6AI Score

0.0004EPSS

2024-04-09 07:15 PM
27
nvd
nvd

CVE-2024-2335

The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget link URLs in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers....

6.4CVSS

5.7AI Score

0.0004EPSS

2024-04-09 07:15 PM
2
cvelist
cvelist

CVE-2024-2335

The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget link URLs in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers....

6.4CVSS

5.8AI Score

0.0004EPSS

2024-04-09 06:59 PM
vulnrichment
vulnrichment

CVE-2024-2335

The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget link URLs in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers....

6.4CVSS

5.8AI Score

0.0004EPSS

2024-04-09 06:59 PM
f5
f5

K000139227 : amphp/http vulnerability CVE-2024-2653

Security Advisory Description amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash. (CVE-2024-2653) Impact There is no impact; F5 products are not affected by this...

7AI Score

0.0004EPSS

2024-04-09 12:00 AM
22
nessus
nessus

Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-6726-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6726-1 advisory. Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part...

7.8CVSS

7.9AI Score

EPSS

2024-04-09 12:00 AM
22
f5
f5

K000139228 : Envoy vulnerability CVE-2024-27919

Security Advisory Description Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This.....

7.5CVSS

7.6AI Score

0.0004EPSS

2024-04-09 12:00 AM
14
f5
f5

K000139236 : Apache Traffic Server HTTP/2 CONTINUATION DoS attack vulnerability CVE-2024-31309

Security Advisory Description HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. (CVE-2024-31309) Impact There is no impact; F5 products are not affected by this...

7AI Score

0.0004EPSS

2024-04-09 12:00 AM
9
nessus
nessus

Ubuntu 22.04 LTS / 23.10 : Linux kernel vulnerabilities (USN-6724-1)

The remote Ubuntu 22.04 LTS / 23.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6724-1 advisory. Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any...

8CVSS

7.1AI Score

0.0005EPSS

2024-04-09 12:00 AM
28
f5
f5

K000139218 : CVE-2024-22243 Spring Framework vulnerability

Security Advisory Description Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or...

8.1CVSS

6.5AI Score

0.0004EPSS

2024-04-09 12:00 AM
20
f5
f5

K000139229 : Tempesta vulnerability CVE-2024-2758

Security Advisory Description Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately. (CVE-2024-2758) Impact There is no impact; F5 products are not affected by this...

7.8AI Score

0.0004EPSS

2024-04-09 12:00 AM
8
ibm
ibm

Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to various attacks due to IBM Runtime Environment Java Technology Edition Version 17

Summary IBM Java 17 is used by IBM Sterling Connect:Direct FTP+ on AIX, Linux, and Windows platforms in product configuration and data transmission. IBM Sterling Connect:Direct FTP+ on AIX, Linux, and Windows platforms is impacted by vulnerabilities in IBM Java 17. IBM Sterling Connect:Direct FTP+....

7.5CVSS

6.9AI Score

0.001EPSS

2024-04-08 05:29 PM
9
ibm
ibm

Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to various attacks due to IBM Runtime Environment Java Technology Edition Version 8

Summary IBM Java 8 is used by IBM Sterling Connect:Direct FTP+ on Solaris platform in product configuration and data transmission. IBM Sterling Connect:Direct FTP+ on Solaris platform is impacted by vulnerabilities in IBM Java 8. IBM Sterling Connect:Direct FTP+ on Solaris platform has upgraded...

7.5CVSS

6.9AI Score

0.001EPSS

2024-04-08 05:27 PM
13
ibm
ibm

Security Bulletin: Vulnerabilities in cryptography and Jinja [CVE-2023-50782, CVE-2024-22195]

Summary IBM Storage Protect Plus Microsoft File Systems Backup and Restore can be affected by vulnerabilities in cryptography and Jinja which include obtain sensitive information and cross-site scripting, as described by the CVEs in the "Vulnerability Details" section. These vulnerabilities have...

7.5CVSS

7.2AI Score

0.001EPSS

2024-04-08 12:54 PM
7
nvd
nvd

CVE-2024-3434

A vulnerability classified as critical was found in CP Plus Wi-Fi Camera up to 20240401. Affected by this vulnerability is an unknown functionality of the component User Management. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been...

5.4CVSS

5.6AI Score

0.0004EPSS

2024-04-08 12:15 AM
1
cve
cve

CVE-2024-3434

A vulnerability classified as critical was found in CP Plus Wi-Fi Camera up to 20240401. Affected by this vulnerability is an unknown functionality of the component User Management. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been...

5.4CVSS

6.7AI Score

0.0004EPSS

2024-04-08 12:15 AM
41
f5
f5

K000139214 : Apache httpd vulnerability CVE-2024-27316

Security Advisory Description HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. (CVE-2024-27316) Impact There is no impact; F5 products...

7AI Score

0.005EPSS

2024-04-08 12:00 AM
39
cvelist
cvelist

CVE-2024-3434 CP Plus Wi-Fi Camera User Management improper authorization

A vulnerability classified as critical was found in CP Plus Wi-Fi Camera up to 20240401. Affected by this vulnerability is an unknown functionality of the component User Management. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been...

5.4CVSS

5.9AI Score

0.0004EPSS

2024-04-07 11:31 PM
cve
cve

CVE-2024-31286

Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before...

9.9CVSS

9.3AI Score

0.0004EPSS

2024-04-07 06:15 PM
30
nvd
nvd

CVE-2024-31286

Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before...

9.9CVSS

9.6AI Score

0.0004EPSS

2024-04-07 06:15 PM
cvelist
cvelist

CVE-2024-31286 WordPress WP Photo Album Plus plugin < 8.6.03.005 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before...

9.9CVSS

9.6AI Score

0.0004EPSS

2024-04-07 05:30 PM
1
filippoio
filippoio

My Maintenance Policy

I wrote a short document describing how I maintain open source projects, to link it from my global CODE_OF_CONDUCT, CONTRIBUTING, and SECURITY files. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations. It got...

7.6AI Score

2024-04-06 08:40 PM
10
wired
wired

Identity Thief Lived as a Different Man for 33 Years

Plus: Microsoft scolded for a “cascade” of security failures, AI-generated lawyers send fake legal threats, a data broker quietly lobbies against US privacy legislation, and...

7.4AI Score

2024-04-06 09:00 AM
8
ibm
ibm

Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU plus CVE-2023-33850

Summary IBM Copy Services Manager is vulnerable to an information disclosure threats ( CVE-2023-33850) and other vulnerabilities ( CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20919, CVE-2024-20926, CVE-2024-20945, CVE-2023-33850) due to the use of IBM Java. IBM Java is used by CSM to.....

7.5CVSS

6.7AI Score

0.001EPSS

2024-04-05 11:21 PM
9
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 25, 2024 to March 31, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 405 vulnerabilities disclosed in 320...

10CVSS

9.7AI Score

EPSS

2024-04-04 05:35 PM
49
wpvulndb
wpvulndb

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Reflected Cross-Site Scripting

Description The The Plus Blocks for Block Editor | Gutenberg plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

7.1CVSS

6.3AI Score

0.0004EPSS

2024-04-04 12:00 AM
11
cve
cve

CVE-2024-0335

ABB has internally identified a vulnerability in the ABB VPNI feature of the S+ Control API component which may be used by several Symphony Plus products (e.g., S+ Operations, S+ Engineering and S+ Analyst) This issue affects Symphony Plus S+ Operations: from 3..0;0 through 3.3 SP1 RU4, from...

7.5CVSS

6.8AI Score

0.0004EPSS

2024-04-03 07:15 PM
30
nvd
nvd

CVE-2024-0335

ABB has internally identified a vulnerability in the ABB VPNI feature of the S+ Control API component which may be used by several Symphony Plus products (e.g., S+ Operations, S+ Engineering and S+ Analyst) This issue affects Symphony Plus S+ Operations: from 3..0;0 through 3.3 SP1 RU4, from...

7.5CVSS

7.5AI Score

0.0004EPSS

2024-04-03 07:15 PM
cvelist
cvelist

CVE-2024-0335 Malformed Packet Handling

ABB has internally identified a vulnerability in the ABB VPNI feature of the S+ Control API component which may be used by several Symphony Plus products (e.g., S+ Operations, S+ Engineering and S+ Analyst) This issue affects Symphony Plus S+ Operations: from 3..0;0 through 3.3 SP1 RU4, from...

7.5CVSS

7.7AI Score

0.0004EPSS

2024-04-03 06:53 PM
1
f5
f5

K000139152 : Linux kernel vulnerability CVE-2023-2006

Security Advisory Description A race condition was found in the Linux kernel's RxRPC network protocol, within the processing of RxRPC bundles. This issue results from the lack of proper locking when performing operations on an object. This may allow an attacker to escalate privileges and execute...

7CVSS

7.6AI Score

0.0005EPSS

2024-04-02 12:00 AM
11
nvd
nvd

CVE-2023-6154

A configuration setting issue in seccenter.exe as used in Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus, Bitdefender Antivirus Free allows an attacker to change the product's expected behavior and potentially load a third-party library upon execution. This...

7.8CVSS

7.6AI Score

0.0004EPSS

2024-04-01 11:15 AM
cve
cve

CVE-2023-6154

A configuration setting issue in seccenter.exe as used in Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus, Bitdefender Antivirus Free allows an attacker to change the product's expected behavior and potentially load a third-party library upon execution. This...

7.8CVSS

6.9AI Score

0.0004EPSS

2024-04-01 11:15 AM
29
cvelist
cvelist

CVE-2023-6154 Local privilege escalation in Bitdefender Total Security (VA-11168)

A configuration setting issue in seccenter.exe as used in Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus, Bitdefender Antivirus Free allows an attacker to change the product's expected behavior and potentially load a third-party library upon execution. This...

7.8CVSS

7.8AI Score

0.0004EPSS

2024-04-01 10:06 AM
f5
f5

K000139140 : util-linux vulnerability CVE-2024-28085

Security Advisory Description wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not...

7AI Score

0.0005EPSS

2024-04-01 12:00 AM
18
f5
f5

K000139141 : liblzma vulnerability CVE-2024-3094

Security Advisory Description Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to....

10CVSS

9.3AI Score

0.133EPSS

2024-04-01 12:00 AM
39
wired
wired

You Should Update Apple iOS and Google Chrome ASAP

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and...

7.2AI Score

2024-03-31 10:00 AM
10
Total number of security vulnerabilities14782