Lucene search

K

Qubely – Advanced Gutenberg Blocks Security Vulnerabilities

cvelist
cvelist

CVE-2024-34350 Next.js Vulnerable to HTTP Request Smuggling

Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses....

7.5CVSS

7.6AI Score

0.0004EPSS

2024-05-09 04:07 PM
github
github

How AI enhances static application security testing (SAST)

In a 2023 GitHub survey, developers reported that their top task, second only to writing code (32%), was finding and fixing security vulnerabilities (31%). As their teams "shift left" and integrate security checks earlier into the software development lifecycle (SDLC), developers have become the...

7.8AI Score

2024-05-09 04:00 PM
6
qualysblog
qualysblog

How to Create Collaboration and Shared Goals with IT and Security Teams

In today’s ITSM landscape, merging IT operations and security practices is no longer “ideal”, but imperative. According to a recent Gartner® Board of Directors Survey 1, 88% of respondents indicated that their organization perceives cybersecurity as a business risk. This was up from 58% in 2016,...

7.4AI Score

2024-05-09 04:00 PM
8
thn
thn

New Guide: How to Scale Your vCISO Services Profitably

Cybersecurity and compliance guidance are in high demand among SMEs. However, many of them cannot afford to hire a full-time CISO. A _v_CISO can answer this need by offering on-demand access to top-tier cybersecurity expertise. This is also an opportunity for MSPs and MSSPs to grow their business.....

7.1AI Score

2024-05-09 11:05 AM
1
securelist
securelist

APT trends report Q1 2024

For more than six years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research. They provide a representative snapshot of what we have published.....

7.7AI Score

2024-05-09 10:00 AM
20
ibm
ibm

Security Bulletin: Due to the use of IBM Websphere Application Server Liberty, IBM CICS TX Advanced is vulnerable to Denial of Service, Weaker than exected security, Cross-site scripting and Server-side request forgery (SSRF).

Summary There are vulnerabilities in IBM WebSphere Application Server Liberty related packages that are shipped with IBM CICS TX Advanced. The version of IBM WebSphere Application Server Liberty shipped with IBM CICS TX Advanced has been updated to address the applicable issues. Vulnerability...

7CVSS

7.1AI Score

0.0004EPSS

2024-05-09 09:47 AM
4
qualysblog
qualysblog

Assess, Remediate, and Prevent the Top 10 MITRE ATT&CK Techniques for Ransomware, Mapped to Misconfigurations

In cybersecurity, the battle against ransomware is a pivotal challenge for organizations worldwide. Attackers are consistently refining their methods, highlighting the critical need for businesses to remain proactive in their defense strategies. To effectively address this threat, it is essential.....

7.6AI Score

2024-05-09 12:41 AM
12
nessus
nessus

EulerOS 2.0 SP10 : kernel (EulerOS-SA-2024-1592)

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : In the Linux kernel, the following vulnerability has been resolved: i2c: Fix a potential use after free Free the adap structure only after we...

7.8CVSS

7AI Score

0.011EPSS

2024-05-09 12:00 AM
6
nessus
nessus

RHEL 8 : squid:4 (RHSA-2024:2777)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2777 advisory. Squid is a high-performance proxy caching server for web clients, supporting FTP, and HTTP data objects. Security Fix(es): * squid:...

8.6CVSS

7.8AI Score

0.0004EPSS

2024-05-09 12:00 AM
8
nessus
nessus

EulerOS 2.0 SP10 : grub2 (EulerOS-SA-2024-1569)

According to the versions of the grub2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set- bootflag will create a temporary file...

5.5CVSS

7.5AI Score

0.0005EPSS

2024-05-09 12:00 AM
5
wpvulndb
wpvulndb

EmbedPress Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor < 3.9.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Description The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.9.16 due to...

5.9AI Score

0.0004EPSS

2024-05-09 12:00 AM
1
nessus
nessus

EulerOS 2.0 SP10 : grub2 (EulerOS-SA-2024-1591)

According to the versions of the grub2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set- bootflag will create a temporary file...

5.5CVSS

7.5AI Score

0.0005EPSS

2024-05-09 12:00 AM
5
wpvulndb
wpvulndb

Gutenberg Blocks with AI by Kadence WP – Page Builder Features < 3.2.20 - Contributor+ Server-Side Request Forgery

Description The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.19. This makes it possible for authenticated attackers, with contributor-level access and above, to make web...

7.7CVSS

6.7AI Score

0.0004EPSS

2024-05-09 12:00 AM
2
wpvulndb
wpvulndb

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.20 - Contributor+ Stored Cross-Site Scripting via 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table'

Description The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Dual Color Header', 'Event Calendar', & 'Advanced Data Table' widgets in all versions up to, and...

5.9AI Score

0.001EPSS

2024-05-09 12:00 AM
1
wpvulndb
wpvulndb

Gutenberg Blocks with AI by Kadence WP < 3.2.37 - Contributor+ Stored Cross-Site Scripting via Block Link

Description The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the plugin's blocks in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS

5.8AI Score

0.0004EPSS

2024-05-09 12:00 AM
2
nessus
nessus

Debian dsa-5685 : wordpress - security update

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5685 advisory. WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang' parameter. This allows unauthenticated...

7.6CVSS

6.4AI Score

0.003EPSS

2024-05-09 12:00 AM
3
impervablog
impervablog

API Security and The Silent Menace of Unknown APIs

The digital application landscape is evolving rapidly, with APIs as the backbone of modern software development. However, amidst all this innovation lies a silent menace: the prevalence of unknown APIs. These APIs, often lurking beyond sanctioned channels, pose significant security risks to...

7.8AI Score

2024-05-08 10:59 PM
12
ibm
ibm

Security Bulletin: Multiple Vulnerabilities have been identified in IBM MQ shipped with IBM WebSphere Remote Server

Summary IBM MQ is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM MQ have been published in a security bulletin CVE-2023-26159, CVE-2024-25015, CVE-2024-25048, CVE-2024-20952, CVE-2023-33850, CVE-2023-6237, CVE-2024-0727 Vulnerability Details...

7.5CVSS

7.4AI Score

0.002EPSS

2024-05-08 05:21 PM
2
thn
thn

New Spectre-Style 'Pathfinder' Attack Targets Intel CPU, Leak Encryption Keys and Data

Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed Pathfinder by a group of academics from the...

7.4AI Score

2024-05-08 02:17 PM
1
nvd
nvd

CVE-2024-34566

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Johan van der Wijk Content Blocks (Custom Post Widget) allows Stored XSS.This issue affects Content Blocks (Custom Post Widget): from n/a through...

6.5CVSS

6.7AI Score

0.0004EPSS

2024-05-08 11:15 AM
cve
cve

CVE-2024-34566

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Johan van der Wijk Content Blocks (Custom Post Widget) allows Stored XSS.This issue affects Content Blocks (Custom Post Widget): from n/a through...

6.5CVSS

6.6AI Score

0.0004EPSS

2024-05-08 11:15 AM
29
thn
thn

The Fundamentals of Cloud Security Stress Testing

״Defenders think in lists, attackers think in graphs," said John Lambert from Microsoft, distilling the fundamental difference in mindset between those who defend IT systems and those who try to compromise them. The traditional approach for defenders is to list security gaps directly related to...

7.4AI Score

2024-05-08 10:58 AM
1
cvelist
cvelist

CVE-2024-34566 WordPress Content Blocks (Custom Post Widget) plugin <= 3.3.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Johan van der Wijk Content Blocks (Custom Post Widget) allows Stored XSS.This issue affects Content Blocks (Custom Post Widget): from n/a through...

6.5CVSS

7.3AI Score

0.0004EPSS

2024-05-08 10:54 AM
thn
thn

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set.....

8.3CVSS

6.5AI Score

0.0004EPSS

2024-05-08 07:03 AM
1
cve
cve

CVE-2024-4418

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the data pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's.....

6.2CVSS

6.2AI Score

0.0004EPSS

2024-05-08 03:15 AM
45
f5
f5

K11342432 : BIG-IP HTTP non-RFC-compliant security exposure

Security Advisory Description This issue occurs when a non-RFC-compliant HTTP request is received by a virtual server on a system matching one of the following conditions: BIG-IP 15.1.0 and later version with a virtual server with an HTTP profile with Enforce RFC Compliance enabled. All supported.....

7.2AI Score

2024-05-08 12:00 AM
14
f5
f5

K000138636 : BIG-IP Configuration utility XSS vulnerability CVE-2024-31156

Security Advisory Description A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. (CVE-2024-31156) Impact An authenticated attacker may exploit.....

8CVSS

5.3AI Score

0.0004EPSS

2024-05-08 12:00 AM
18
f5
f5

K000138898 : BIG-IP Advanced WAF/ASM, BIG-IP Next WAF, and NGINX App Protect WAF attack signature check failure

Security Advisory Description BIG-IP Advanced WAF/ASM, BIG-IP Next WAF, or NGINX App Protect WAF may fail to match an attack signature. This issue occurs when all of the following conditions are met: The affected security policy has a large number of attack signatures enabled (for example, all or.....

7.1AI Score

2024-05-08 12:00 AM
14
f5
f5

K000138894 : BIG-IP Configuration utility XSS vulnerability CVE-2024-33604

Security Advisory Description A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. (CVE-2024-33604) Impact An attacker may exploit this...

6.1CVSS

5.6AI Score

0.0004EPSS

2024-05-08 12:00 AM
9
f5
f5

K000139404 : Quarterly Security Notification (May 2024)

Security Advisory Description On May 8, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...

6.9AI Score

0.0004EPSS

2024-05-08 12:00 AM
20
thn
thn

New Case Study: The Malicious Comment

How safe is your comments section? Discover how a seemingly innocent 'thank you' comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. Read the full real-life case study here. When is a 'Thank you' not a 'Thank you'? When it's a...

6.8AI Score

2024-05-07 10:42 AM
1
rosalinux
rosalinux

Advisory ROSA-SA-2024-2417

Software: faad2 2.8.8 OS: ROSA Virtualization 2.1 package_evr_string: faad2-2.8.8-6.0.1.rv3 CVE-ID: CVE-2021-32272 BDU-ID: 2022-01810 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the stszin function of the mp4read.c component of the Freeware Advanced Audio Decoder 2 (FAAD2) audio decoder is...

7.8CVSS

7.5AI Score

0.002EPSS

2024-05-07 08:22 AM
3
wpvulndb
wpvulndb

Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) < 3.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via pagingType Parameter

Description The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pagingType’ parameter in all versions up to, and including, 3.7.1 due to insufficient input...

5.9AI Score

0.0004EPSS

2024-05-07 12:00 AM
4
wpvulndb
wpvulndb

Advanced Ads – Ad Manager & AdSense < 1.52.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Ad Widget

Description The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Ad widget in all versions up to, and including, 1.52.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS

5.9AI Score

0.001EPSS

2024-05-07 12:00 AM
1
nessus
nessus

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6766-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6766-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able...

7.8CVSS

7.1AI Score

EPSS

2024-05-07 12:00 AM
19
spring
spring

This Week in Spring - May 7th, 2024

Hi, Spring fans! Welcome to another amazing installment of This Week in Spring! I'm in bellisima Rome, Italy, where I've just spent time in some fun meetings, and now I'm off to lovely London, UK, for Devoxx UK 2024. It's going to be amazing. If you're there, don't hesitate to say hi! I've got to.....

7.3AI Score

2024-05-07 12:00 AM
3
nessus
nessus

Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-6767-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6767-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able...

7.8CVSS

6.7AI Score

0.0004EPSS

2024-05-07 12:00 AM
23
wpvulndb
wpvulndb

Advanced Ads – Ad Manager & AdSense < 1.52.2 - Authenticated (Admin+) PHP Object Injection

Description The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is.....

7.2CVSS

7.4AI Score

0.001EPSS

2024-05-07 12:00 AM
5
wordfence
wordfence

$563 Bounty Awarded for Reflected Cross-Site Scripting Vulnerability Patched in Yoast SEO WordPress Plugin

🎉 Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On April 22th, 2024, during our second Bug Bounty Extravaganza,.....

6.1CVSS

6.2AI Score

0.001EPSS

2024-05-06 03:04 PM
22
krebs
krebs

Why Your VPN May Not Be As Secure As It Claims

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target's....

6.7AI Score

2024-05-06 02:24 PM
7
nessus
nessus

RHEL 8 : unbound (RHSA-2024:2696)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2696 advisory. The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es): * bind9: KeyTrap - Extreme CPU...

8CVSS

8.4AI Score

0.05EPSS

2024-05-06 12:00 AM
3
nessus
nessus

Oracle Linux 9 : grub2 (ELSA-2024-2456)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-2456 advisory. An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially...

7.8CVSS

7.4AI Score

0.001EPSS

2024-05-06 12:00 AM
6
nessus
nessus

Debian dsa-5681 : affs-modules-5.10.0-29-4kc-malta-di - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5681 advisory. Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an...

8CVSS

8.2AI Score

0.0005EPSS

2024-05-06 12:00 AM
14
nessus
nessus

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:1490-1)

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1490-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of...

7.8CVSS

7.6AI Score

EPSS

2024-05-04 12:00 AM
8
malwarebytes
malwarebytes

You get a passkey, you get a passkey, everyone should get a passkey

Microsoft is rolling out passkey support for all consumer accounts. Passkeys are a very secure replacement for passwords that can't be cracked, guessed or phished, and let you log in easily, without having to type a password every time. After enabling them in Windows 11 last year, Microsoft...

7.3AI Score

2024-05-03 08:21 PM
5
ibm
ibm

Security Bulletin: There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products.

Summary IBM Application Performance Management is vulnerable to denial of service, remote code execution, information disclosures and other vulnerabilities due to bundled product IBM ® Db2. This bulletin identifies the steps to address the vulnerabilities. Vulnerability Details ** CVEID:...

8.4CVSS

9.4AI Score

0.014EPSS

2024-05-03 01:22 PM
10
thn
thn

Google Announces Passkeys Adopted by Over 400 Million Accounts

Google on Thursday announced that passkeys are being used by over 400 million Google accounts, authenticating users more than 1 billion times over the past two years. "Passkeys are easy to use and phishing resistant, only relying on a fingerprint, face scan or a pin making them 50% faster than...

6.9AI Score

2024-05-03 06:40 AM
1
nvd
nvd

CVE-2024-4439

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

7.2CVSS

6.2AI Score

0.001EPSS

2024-05-03 06:15 AM
1
cve
cve

CVE-2024-4439

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

7.2CVSS

6.1AI Score

0.001EPSS

2024-05-03 06:15 AM
55
vulnrichment
vulnrichment

CVE-2024-4439

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

7.2CVSS

5.9AI Score

0.001EPSS

2024-05-03 05:32 AM
Total number of security vulnerabilities38884