CVE-2022-38383 IBM Cloud Pak for Security information disclosure
IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.11.0 and IBM QRadar Software Suite 1.10.12.0 through 1.10.21.0 allow web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: ...
CVSS 4 | AI Score 3.7

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...
CVSS 8.8 | AI Score 8.8

CVE-2024-31912 IBM MQ privilege escalation
IBM MQ 9.3 LTS and 9.3 CD could allow an authenticated user to escalate their privileges under certain configurations due to incorrect privilege assignment. IBM X-Force ID: ...
CVSS 7.5 | AI Score 7.4

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the...
CVSS 7.5

Exploit for Use After Free in Arm Avalon GPU Kernel Driver
Exploit for CVE-2022-46395. The write-up can be found...
CVSS 8.8 | AI Score 7.6 | EPSS 0.003

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has...
CVSS 7.8 | AI Score 7.5 | EPSS 0.974

TEMU sued for being “dangerous malware” by Arkansas Attorney General
Chinese online shopping giant Temu is facing a lawsuit filed by State of Arkansas Attorney General Tim Griffin, alleging that the retailer's mobile app spies on users. “Temu purports to be an online shopping platform, but it is dangerous malware, surreptitiously granting itself access to...
AI Score 7.5

CVE-2024-35137 IBM Security Access Manager Docker information disclosure
IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: ...
CVSS 6.2 | AI Score 6

CVE-2024-35139 IBM Security Access Manager Docker information disclosure
IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain sensitive information from the container due to incorrect default permissions. IBM X-Force ID: ...
CVSS 6.2 | AI Score 5.8

Exploit for Improper Input Validation in Google Android
Exploit for CVE-2022-20186. The write-up can be found...
CVSS 7.8 | AI Score 8 | EPSS 0.0004

User-provided environment values allow execution on macOS agents in...
AI Score 7.2

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security
CVSS 4.8 | AI Score 6.8 | EPSS 0.0004

CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs
CVSS 6.5 | AI Score 6.7 | EPSS 0.001

Minio unsafe default: Access keys inherit admin of root user, allowing privilege escalation in...
CVSS 8.8 | AI Score 7 | EPSS 0.002

Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault
CVSS 5.3 | AI Score 6.7 | EPSS 0.001

SFTP is possible on the Proxy server for any user with SFTP access in...
AI Score 7.2

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in...
AI Score 6.8

CVE-2024-24787 vulnerabilities
Vulnerabilities for packages: overmind, flux-image-reflector-controller, delve, thanos, ctop, govulncheck, hcloud, kubernetes-csi-external-resizer, pulumi-language-dotnet, trivy, jitsucom-bulker, prometheus-mysqld-exporter, traefik, kubecolor, vt-cli, regclient, mockery, influx,...
AI Score 6.5 | EPSS 0.0004

GHSA-5FQ7-4MXC-535H vulnerabilities
Vulnerabilities for packages: overmind, flux-image-reflector-controller, delve, thanos, ctop, govulncheck, hcloud, kubernetes-csi-external-resizer, pulumi-language-dotnet, trivy, jitsucom-bulker, prometheus-mysqld-exporter, traefik, kubecolor, vt-cli, regclient, mockery, influx,...
AI Score 7.5

CVE-2024-24789 vulnerabilities
Vulnerabilities for packages: hivemind, trivy, prometheus-mysqld-exporter, up, docker-credential-gcr, glab, go-md2man, osv-scanner, pulumi-language-java, age, wait-for-port, nsc, nri-f5, kafka-proxy, prometheus-nats-exporter, controller-gen, nri-prometheus, extism, kubebuilder, step,...
CVSS 5.5 | AI Score 6.1 | EPSS 0.0004

GHSA-2JWV-JMQ4-4J3R vulnerabilities
Vulnerabilities for packages: overmind, flux-image-reflector-controller, delve, thanos, ctop, govulncheck, hcloud, kubernetes-csi-external-resizer, pulumi-language-dotnet, trivy, jitsucom-bulker, prometheus-mysqld-exporter, traefik, kubecolor, vt-cli, regclient, mockery, influx,...
AI Score 7.5

CVE-2024-24790 vulnerabilities
Vulnerabilities for packages: hivemind, trivy, prometheus-mysqld-exporter, up, docker-credential-gcr, glab, go-md2man, osv-scanner, pulumi-language-java, age, wait-for-port, nsc, nri-f5, kafka-proxy, prometheus-nats-exporter, controller-gen, nri-prometheus, extism, kubebuilder, step,...
CVSS 9.8 | AI Score 9.8 | EPSS 0.001

GHSA-49GW-VXVF-FC2G vulnerabilities
Vulnerabilities for packages: hivemind, trivy, prometheus-mysqld-exporter, up, docker-credential-gcr, glab, go-md2man, osv-scanner, pulumi-language-java, age, wait-for-port, nsc, nri-f5, kafka-proxy, prometheus-nats-exporter, controller-gen, nri-prometheus, extism, kubebuilder, step,...
AI Score 7.5

CVE-2024-24788 vulnerabilities
Vulnerabilities for packages: overmind, flux-image-reflector-controller, delve, thanos, ctop, govulncheck, hcloud, kubernetes-csi-external-resizer, pulumi-language-dotnet, trivy, jitsucom-bulker, prometheus-mysqld-exporter, traefik, kubecolor, vt-cli, regclient, mockery, influx,...
AI Score 6.5 | EPSS 0.0004

GHSA-236W-P7WF-5PH8 vulnerabilities
Vulnerabilities for packages: hivemind, trivy, prometheus-mysqld-exporter, up, docker-credential-gcr, glab, go-md2man, osv-scanner, pulumi-language-java, age, wait-for-port, nsc, nri-f5, kafka-proxy, prometheus-nats-exporter, controller-gen, nri-prometheus, extism, kubebuilder, step,...
AI Score 7.5

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords
Update: As of 12:36 PM EST, another plugin has been infected. We've updated the list below to include this fourth plugin and the plugins team has been notified. Update: As of 2:20 PM EST, two more plugins appear to have malicious commits, however, the releases have not officially been made meaning...
AI Score 7.2

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others
GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user. The weaknesses, which affect GitLab Community Edition (CE) and Enterprise Edition...
CVSS 9.6 | AI Score 7.3

CVE-2024-38531 Nix sandbox escape
Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can...
CVSS 3.6 | AI Score 3.9

Glastonbury ticket hijack vulnerability fixed
The Glastonbury ticket website was vulnerable to a relatively simple attack that allowed ticket theft and data leakage. What’s the issue? An attacker could scrape collaborative ticket buying websites (e.g. Reddit) to gather people’s details, use a flaw in the registration process and session...
AI Score 6.8

CVE-2024-5737 HTML Injection in AdmirorFrames Joomla! Extension
Script afGdStream.php in the AdmirorFrames Joomla! extension doesn’t specify a content type, and as a result the default (text/html) is used. An attacker may embed HTML tags directly in image data which is rendered by a webpage as HTML. This issue affects AdmirorFrames: before...
AI Score 6.5

8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining
Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server. "The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware...
CVSS 7.5 | AI Score 7.1 | EPSS 0.974

Combatting the Evolving SaaS Kill Chain: How to Stay Ahead of Threat Actors
The modern kill chain is eluding enterprises because they aren't protecting the infrastructure of modern business: SaaS. SaaS continues to dominate software adoption, and it accounts for the greatest share of public cloud spending. But enterprises and SMBs alike haven't revised their security...
AI Score 7.4

New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities
A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study...
AI Score 7.4

The Theron Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVSS 6.4