SP Project & Document Manager (WordPress Plugin) Security Vulnerabilities

Driving licences and other official documents leaked by authentication service used by Uber, TikTok, X, and more

A company that helps to authenticate users for big brands had a set of administration credentials exposed online for over a year, potentially allowing access to user identity documents such as driving licenses. As more and more legislation emerges requiring websites and platforms—like gambling...

CVE-2024-28820

Buffer overflow in the extract_openvpn_cr function in openvpn-cr.c in openvpn-auth-ldap (aka the Three Rings Auth-LDAP plugin for OpenVPN) 2.0.4 allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this....

CVE-2024-28820

Buffer overflow in the extract_openvpn_cr function in openvpn-cr.c in openvpn-auth-ldap (aka the Three Rings Auth-LDAP plugin for OpenVPN) 2.0.4 allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this....

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 17, 2024 to June 23, 2024)

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

‘Poseidon’ Mac stealer distributed via Google ads

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows...

CVE-2024-6262

The Portfolio Gallery – Image Gallery Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PFG' shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible....

CVE-2024-6262

The Portfolio Gallery – Image Gallery Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PFG' shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible....

CVE-2024-6262 Portfolio Gallery – Image Gallery Plugin <= 1.6.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Portfolio Gallery – Image Gallery Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PFG' shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible....

Directory creation by malicious user in saltstack

Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt...

How to Use Python to Build Secure Blockchain Applications

Did you know it's now possible to build blockchain applications, known also as decentralized applications (or "dApps" for short) in native Python? Blockchain development has traditionally required learning specialized languages, creating a barrier for many developers… until now. AlgoKit, an...

CVE-2024-4983

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_color’ parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output...

CVE-2024-4983

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_color’ parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output...

GHSA-2C7C-3MJ9-8FQH vulnerabilities

Vulnerabilities for packages: keda, tkn, slsa-verifier, spire-server, flux-source-controller, traefik, cilium-envoy, cloudflared, oauth2-proxy, terragrunt, cert-manager, kyverno, dex, falco, aactl, istio-pilot-discovery, gitsign, sops, vexctl, tekton-chains, kots, rekor, flux-kustomize-controller,....

GHSA-JQ35-85CJ-FJ4P vulnerabilities

Vulnerabilities for packages: loki, kpt, up, slsa-verifier, ctop, cert-manager, prometheus, falco, aactl, chartmuseum, paranoia, tekton-chains, k3d, goreleaser, scorecard, kubescape, skaffold, bom, tekton-pipelines,...

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: helm-push, clusterctl, prometheus-redis-exporter, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, aws-load-balancer-controller, k8sgpt, velero, docker-cli, kpt, kubewatch, secrets-store-csi-driver-provider-azure,...

GHSA-7WW5-4WQC-M92C vulnerabilities

Vulnerabilities for packages: helm-push, grype, eksctl, helm, up, kaniko, ctop, flux-source-controller, fuse-overlayfs-snapshotter, cert-manager, newrelic-infrastructure-agent, melange, cilium-cli, kubevela, trivy, k3d, kots, neuvector-agent, zot, flux-helm-controller, gitness, kubescape,...

CVE-2024-25620 vulnerabilities

Vulnerabilities for packages: helm-push, k9s, kubescape, cert-manager, zot, trivy, k8sgpt, kots, zarf, eksctl, helm-operator, chartmuseum, flux-source-controller, up, cilium-cli, flux-helm-controller,...

CVE-2024-21626 vulnerabilities

Vulnerabilities for packages: skopeo, nerdctl, grype, buildkitd, kaniko, ctop, syft, ingress-nginx-controller, docker, k9s, wolfictl, newrelic-infrastructure-agent, datadog-agent, nvidia-device-plugin, kubernetes, k3d, trivy, kots, zot, kubescape, cadvisor, runc, zarf, skaffold, telegraf,...

GHSA-R53H-JV2G-VPX6 vulnerabilities

Vulnerabilities for packages: helm-push, k9s, kubescape, cert-manager, zot, trivy, k8sgpt, kots, zarf, eksctl, helm-operator, chartmuseum, flux-source-controller, up, cilium-cli, flux-helm-controller,...

GHSA-VVPX-J8F3-3W6H vulnerabilities

Vulnerabilities for packages: restic, go, grpcurl, gke-gcloud-auth-plugin, k3d, hey, falco, wireguard-go,...

CVE-2024-6104 vulnerabilities

Vulnerabilities for packages: neuvector-sigstore-interface, pulumi-kubernetes-operator, flux-image-reflector-controller, keda, skopeo, flux-notification-controller, loki, buildkitd, flux-image-automation-controller, tkn, slsa-verifier, spire-server, flux-source-controller, terraform, cert-manager,....

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: dotnet, kpt, kubewatch, ollama, slsa-verifier, fuse-overlayfs-snapshotter, dgraph, kyverno, nginx-stable, falco, nvidia-device-plugin, envoy-ratelimit, weaviate, terraform-provider-azurerm, kind, kots, kubernetes-csi-livenessprobe, pulumi-language-dotnet, gobuster,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: clusterctl, prometheus-redis-exporter, skopeo, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, aws-load-balancer-controller, k8sgpt, rclone, velero, kpt, kubewatch, kaniko, ollama, secrets-store-csi-driver-provider-azure, docker-compose,...

CVE-2023-45142 vulnerabilities

Vulnerabilities for packages: caddy, keda, cert-manager, prometheus-adapter, gatekeeper, kubernetes, calico, prometheus, thanos, ipfs, gitlab-kas, up, kubevela,...

GHSA-RCJV-MGP8-QVMR vulnerabilities

Vulnerabilities for packages: caddy, keda, cert-manager, prometheus-adapter, gatekeeper, kubernetes, calico, prometheus, thanos, ipfs, gitlab-kas, up, kubevela,...

CVE-2022-41723 vulnerabilities

Vulnerabilities for packages: restic, go, grpcurl, gke-gcloud-auth-plugin, k3d, hey, falco, wireguard-go,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: clusterctl, go, cass-operator, shfmt, crane, kaniko, fuse-overlayfs-snapshotter, k9s, kubernetes-dashboard, sbomqs, envoy-ratelimit, yq, kubernetes, falcoctl, flux-helm-controller, runc, node-problem-detector, prometheus-elasticsearch-exporter, trillian,...

GHSA-5FQ7-4MXC-535H vulnerabilities

Vulnerabilities for packages: helm-push, libnvidia-container, clusterctl, prometheus-redis-exporter, go, skopeo, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, k8sgpt, rclone, crane, kpt, kubewatch, secrets-store-csi-driver-provider-azure, docker-compose, spicedb,...

CVE-2024-24789 vulnerabilities

Vulnerabilities for packages: clusterctl, go, cass-operator, shfmt, crane, kaniko, fuse-overlayfs-snapshotter, k9s, kubernetes-dashboard, sbomqs, yq, kubernetes, kots, falcoctl, flux-helm-controller, nvidia-container-toolkit, runc, node-problem-detector, prometheus-elasticsearch-exporter,...

GHSA-V6V8-XJ6M-XWQH vulnerabilities

Vulnerabilities for packages: neuvector-sigstore-interface, pulumi-kubernetes-operator, flux-image-reflector-controller, keda, skopeo, flux-notification-controller, loki, buildkitd, flux-image-automation-controller, tkn, slsa-verifier, spire-server, flux-source-controller, terraform, cert-manager,....

CVE-2023-45285 vulnerabilities

Vulnerabilities for packages: gitlab-logger, go-licenses, helm-push, petname, cass-operator, nsc, configmap-reload, prometheus-stackdriver-exporter, gke-gcloud-auth-plugin, docker-credential-ecr-login, vertical-pod-autoscaler, influx, docker-cli, cni-plugins, mage, slsa-verifier, ctop,...

CVE-2023-3978 vulnerabilities

Vulnerabilities for packages: kubernetes-csi-external-provisioner, aws-load-balancer-controller, k8sgpt, kpt, kubewatch, ollama, thanos-operator, fuse-overlayfs-snapshotter, kube-state-metrics, dgraph, kyverno, kubernetes-dashboard, nvidia-device-plugin, weaviate, aws-ebs-csi-driver, yq, timoni,...

CVE-2023-48795 vulnerabilities

Vulnerabilities for packages: helm-push, skopeo, src-fingerprint, nsc, kubewatch, ollama, secrets-store-csi-driver-provider-azure, slsa-verifier, kube-state-metrics, dgraph, kyverno, kubernetes-dashboard, ferretdb, falco, weaviate, istio-pilot-discovery, terraform-provider-azurerm, gitsign,...

CVE-2024-24557 vulnerabilities

Vulnerabilities for packages: filebeat, k3s, flux-image-reflector-controller, skopeo, nerdctl, cri-tools, loki, k8sgpt, buildkitd, eksctl, crane, helm-operator, helm, up, slsa-verifier, ctop, traefik, k9s, cert-manager, kyverno, newrelic-infrastructure-agent, prometheus, datadog-agent, falco,...

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: clusterctl, prometheus-redis-exporter, skopeo, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, aws-load-balancer-controller, k8sgpt, rclone, velero, kpt, kubewatch, kaniko, ollama, secrets-store-csi-driver-provider-azure, docker-compose,...

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: helm-push, clusterctl, prometheus-redis-exporter, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, aws-load-balancer-controller, k8sgpt, velero, docker-cli, kpt, kubewatch, secrets-store-csi-driver-provider-azure,...

GHSA-RR6R-CFGF-GC6H vulnerabilities

Vulnerabilities for packages: helm-push, clusterctl, prometheus-redis-exporter, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, aws-load-balancer-controller, k8sgpt, velero, docker-cli, kpt, kubewatch, secrets-store-csi-driver-provider-azure,...

CVE-2024-35255 vulnerabilities

Vulnerabilities for packages: filebeat, sqlpad, chezmoi, flux-image-reflector-controller, keda, loki, k8sgpt, buildkitd, rclone, velero, up, secrets-store-csi-driver-provider-azure, tkn, flyte, spire-server, flux-source-controller, py3-azure-identity, step, py3-cassandra-medusa, traefik,...

GHSA-M5VV-6R4H-3VJ9 vulnerabilities

Vulnerabilities for packages: filebeat, sqlpad, chezmoi, flux-image-reflector-controller, keda, loki, k8sgpt, buildkitd, rclone, velero, up, secrets-store-csi-driver-provider-azure, tkn, flyte, spire-server, flux-source-controller, py3-azure-identity, step, py3-cassandra-medusa, traefik,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: helm-push, libnvidia-container, clusterctl, prometheus-redis-exporter, go, skopeo, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, k8sgpt, rclone, crane, kpt, kubewatch, secrets-store-csi-driver-provider-azure, docker-compose, spicedb,...

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: clusterctl, go, cass-operator, shfmt, crane, kaniko, fuse-overlayfs-snapshotter, k9s, kubernetes-dashboard, sbomqs, envoy-ratelimit, yq, kubernetes, falcoctl, flux-helm-controller, runc, node-problem-detector, prometheus-elasticsearch-exporter, trillian,...

GHSA-2JWV-JMQ4-4J3R vulnerabilities

Vulnerabilities for packages: helm-push, libnvidia-container, clusterctl, prometheus-redis-exporter, go, skopeo, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, k8sgpt, rclone, crane, kpt, kubewatch, secrets-store-csi-driver-provider-azure, docker-compose, spicedb,...

CVE-2024-24790 vulnerabilities

Vulnerabilities for packages: clusterctl, go, cass-operator, shfmt, crane, kaniko, fuse-overlayfs-snapshotter, k9s, kubernetes-dashboard, sbomqs, yq, kubernetes, kots, falcoctl, flux-helm-controller, nvidia-container-toolkit, runc, node-problem-detector, prometheus-elasticsearch-exporter,...

CVE-2023-39325 vulnerabilities

Vulnerabilities for packages: go, kubernetes-csi-external-provisioner, aws-load-balancer-controller, k8sgpt, kpt, kubewatch, ollama, slsa-verifier, thanos-operator, fuse-overlayfs-snapshotter, kube-state-metrics, dgraph, kyverno, kubernetes-dashboard, falco, nvidia-device-plugin, weaviate,...

GHSA-C5Q2-7R4C-MV6G vulnerabilities

Vulnerabilities for packages: skopeo, keda, nerdctl, grpc-health-probe, tkn, slsa-verifier, spire-server, flux-source-controller, step, cloudflared, wolfictl, oauth2-proxy, terragrunt, cert-manager, dgraph, timestamp-authority, dex, policy-controller, falco, aactl, sigstore-scaffolding, melange,...

GHSA-3Q2C-PVP5-3CQP vulnerabilities

Vulnerabilities for packages: helm-push, clusterctl, prometheus-redis-exporter, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, aws-load-balancer-controller, k8sgpt, velero, docker-cli, kpt, kubewatch, secrets-store-csi-driver-provider-azure,...

GHSA-FGQ5-Q76C-GX78 vulnerabilities

Vulnerabilities for packages: helm-push, clusterctl, prometheus-redis-exporter, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, aws-load-balancer-controller, k8sgpt, velero, docker-cli, kpt, kubewatch, secrets-store-csi-driver-provider-azure,...

GHSA-J6M3-GC37-6R6Q vulnerabilities

Vulnerabilities for packages: helm-push, clusterctl, prometheus-redis-exporter, cass-operator, kubernetes-csi-external-provisioner, configmap-reload, shfmt, src-fingerprint, aws-load-balancer-controller, k8sgpt, velero, docker-cli, kpt, kubewatch, secrets-store-csi-driver-provider-azure,...

GHSA-8PGV-569H-W5RW vulnerabilities

Vulnerabilities for packages: aws-ebs-csi-driver, keda, argo-cd, cert-manager, kine, kubescape, kubernetes, cri-tools, kyverno, temporal-server, temporal, kubernetes-csi-external-resizer, envoy-ratelimit, docker-compose, containerd, kubevela,...

CVE-2023-47108 vulnerabilities

Vulnerabilities for packages: aws-ebs-csi-driver, keda, argo-cd, cert-manager, kine, kubescape, kubernetes, cri-tools, kyverno, temporal-server, temporal, kubernetes-csi-external-resizer, envoy-ratelimit, docker-compose, containerd, kubevela,...