Ryzen™ 3000 Series Desktop Processors With Radeon™ Graphics Security Vulnerabilities

(Pwn2Own) Phoenix Contact CHARX SEC-3100 MTQQ Protocol JSON Parsing Type Confusion Information Disclosure Vulnerability

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Phoenix Contact CHARX SEC-3100 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of JSON-encoded arrays. The issue...

CVE-2024-38874

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated...

Sony XAV-AX5500 Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability

This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of software updates. The issue results from the lack of.....

(Pwn2Own) Sony XAV-AX5500 WMV/ASF Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing....

(Pwn2Own) Alpine Halo9 Missing Authentication Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DLT interface, which listens on TCP port 3490 by default. The issue...

(Pwn2Own) Wyze Cam v3 Cloud Infrastructure Improper Authentication Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_action_batch endpoint of the cloud infrastructure. The issue...

FreeBSD : qt6-webengine -- Multiple vulnerabilities (c5415838-2f52-11ef-9cab-4ccc6adda413)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the c5415838-2f52-11ef-9cab-4ccc6adda413 advisory. Qt qtwebengine-chromium repo reports: Backports for 7 security bugs in Chromium: Tenable has...

Dell Client BIOS Improper Input Validation (DSA-2024-125)

Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. Note that Nessus has not tested for this issue but has instead...

(Pwn2Own) Synology RT6600ax Improper Access Control Firewall Bypass Vulnerability

This vulnerability allows remote attackers to bypass firewall rules and access the LAN interface on affected installations of Synology RT6600ax routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of firewall rules. The issue results from.....

CVE-2024-38874

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated...

SUSE SLES15 / openSUSE 15 Security Update : php-composer2 (SUSE-SU-2024:2107-1)

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2107-1 advisory. - CVE-2024-35241: Fixed code execution when installing packages in repository with specially crafted branch names...

Mattermost Desktop Installed (macOS)

Mattermost Desktop is installed on the remote macOS...

CVE-2024-37899

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....

CVE-2024-37899

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....

CVE-2024-37899

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....

CVE-2024-5746

A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploitation required authenticated access to GitHub Enterprise...

CVE-2024-5746

A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploitation required authenticated access to GitHub Enterprise...

CVE-2024-37183

Plain text credentials and session ID can be captured with a network...

CVE-2024-37183

Plain text credentials and session ID can be captured with a network...

CVE-2024-37899 Disabling a user account changes its author, allowing RCE from user account in XWiki

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....

CVE-2024-37183 Westermo L210-F2G Lynx Cleartext Transmission of Sensitive Information

Plain text credentials and session ID can be captured with a network...

CVE-2024-37183 Westermo L210-F2G Lynx Cleartext Transmission of Sensitive Information

Plain text credentials and session ID can be captured with a network...

Security Bulletin: AIX is vulnerable to security restrictions bypass due to cURL libcurl (CVE-2024-0853)

Summary Vulnerability in cURL libcurl could allow a remote attacker to bypass security restrictions (CVE-2024-0853). AIX uses cURL libcurl as part of rsyslog, LV/PV encryption integration with HPCS and in Live Update for interacting with HMC. Vulnerability Details ** CVEID: CVE-2024-0853 ...

CVE-2024-5746

A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploitation required authenticated access to GitHub Enterprise...

CVE-2024-5746

A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploitation required authenticated access to GitHub Enterprise...

CVE-2024-36071

Samsung Magician 8.0.0 on Windows allows an admin to escalate privileges by tampering with the directory and DLL files used during the installation process. This occurs because of an Untrusted Search...

CVE-2024-36071

Samsung Magician 8.0.0 on Windows allows an admin to escalate privileges by tampering with the directory and DLL files used during the installation process. This occurs because of an Untrusted Search...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details...

Exploit for Path Traversal in Gitlab

CVE-2023-2825 (Unauthenticated) Directory traversal leads...

CVE-2024-6154

Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target...

CVE-2024-6154

Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target...

CVE-2024-6153

Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target.....

CVE-2024-6153

Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target.....

CVE-2024-6154 Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability

Parallels Desktop Toolgate Heap-based Buffer Overflow Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target...

CVE-2024-6153 Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability

Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target.....

CVE-2024-6153 Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability

Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target.....

Malicious code in melichat-component-library (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (1d7d152708054848a62109924487b7dcacac50e054b19a8682b3b0b26b279e6b) The OpenSSF Package Analysis project identified 'melichat-component-library' @ 1.1.0 (npm) as malicious. It is considered malicious because: The...

KrebsOnSecurity Threatened with Defamation Lawsuit Over Fake Radaris CEO

On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Boot arbitrary denial of service vulnerability ( CVE-2023-34053)

Summary Potential VMware Tanzu Spring Boot arbitrary denial of service vulnerability (CVE-2023-34053) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information. Vulnerability Details **...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Boot arbitrary denial of service vulnerability ( CVE-2023-34053)

Summary Potential VMware Tanzu Spring Boot arbitrary denial of service vulnerability (CVE-2023-34053) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability have been addressed. Refer to details for additional information. Vulnerability Details **...

Malicious code in trip-component-platform-online-region-selector (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (f95bafb9c43b379f37ff5734d79cd5094b343568cae364a03ab16a6ee2a8abbd) The OpenSSF Package Analysis project identified 'trip-component-platform-online-region-selector' @ 13.2.0 (npm) as malicious. It is considered...

CVE-2024-38538

In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit path by sending a short (less than ETH_HLEN bytes) skb. To fix it check if we can actually pull...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in Less [CVE-2022-48624]

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in Less, caused by a flaw with omitting shell_quote calls for LESSCLOSE in the close_altfile() function in filename.c [CVE-2022-48624]. Less is included as a Base OS package used by....

Vulnerabilities with the k8sGPT in github.com/k8sgpt-ai/k8sgpt

Vulnerabilities with the k8sGPT in...

CVE-2024-37897

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is...

CVE-2024-37897

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is...

CVE-2024-37897

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is...

CVE-2024-37352

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06 that allows attackers with system administrator permissions to interfere with other system administrators’ use of the management UI when the second administrator accesses the...

CVE-2024-37351

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Attackers with system administrator permissions can interfere with other system administrator’s use of the management UI when the second administrator later edits the same...

CVE-2024-37351

There is a cross-site scripting vulnerability in the management UI of Absolute Secure Access prior to version 13.06. Attackers with system administrator permissions can interfere with other system administrator’s use of the management UI when the second administrator later edits the same...