WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button With Floating Chat Widget Security Vulnerabilities

CVE-2024-6250 Absolute Path Traversal in parisneo/lollms-webui

An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability....

CVE-2024-6250 Absolute Path Traversal in parisneo/lollms-webui

An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability....

CVE-2024-6090 Path Traversal Vulnerability in gaizhenbiao/chuanhuchatgpt

A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users' chat histories. This vulnerability can also be exploited to delete any files ending in .json on the target system, leading to a denial of service as users are unable to...

CVE-2024-6090 Path Traversal Vulnerability in gaizhenbiao/chuanhuchatgpt

A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users' chat histories. This vulnerability can also be exploited to delete any files ending in .json on the target system, leading to a denial of service as users are unable to...

CVE-2024-5979 Denial of Service via Invalid Argument in h2oai/h2o-3

In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of...

Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904)

Summary IBM Security Guardium has addressed this vulnerability. Vulnerability Details CVEID: CVE-2022-43904 DESCRIPTION: IBM Security Guardium could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts. CVSS Base score: 7.5 CVSS Temporal...

CVE-2024-4578 Privilege escalation in Arista Wireless Access Points

This Advisory describes an issue that impacts Arista Wireless Access Points. Any entity with the ability to authenticate via SSH to an affected AP as the “config” user is able to cause a privilege escalation via spawning a bash shell. The SSH CLI session does not require high permissions to...

CVE-2023-38370 IBM Security Access Manager Docker information disclosure

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1, under certain configurations, could allow a user on the network to install malicious packages. IBM X-Force ID: ...

CVE-2023-38370 IBM Security Access Manager Docker information disclosure

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1, under certain configurations, could allow a user on the network to install malicious packages. IBM X-Force ID: ...

CVE-2023-38368 IBM Security Access Manager Docker information disclosure

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls. IBM X-Force ID: ...

CVE-2023-38368 IBM Security Access Manager Docker information disclosure

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could disclose sensitive information to a local user to do improper permission controls. IBM X-Force ID: ...

CVE-2023-30997 IBM Security Access Manager Docker privilege escalation

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: ...

CVE-2023-30997 IBM Security Access Manager Docker privilege escalation

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: ...

CVE-2023-30998 IBM Security Access Manager Docker privilege escalation

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: ...

CVE-2023-30998 IBM Security Access Manager Docker privilege escalation

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: ...

Thousands of UEFA Customer Credentials Sold on Dark Web

Cybercriminals targeting Euro 2024 fans & organizers! Phishing scams, illegal content sites, malware-laced apps & ticket fraud threaten the game. Learn how to protect yourself & ensure a safe Euro 2024...

CVE-2024-35153

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...

CVE-2024-35153

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...

CVE-2024-31916

IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: ...

CVE-2024-31916

IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: ...

CVE-2023-42011

IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: ...

CVE-2024-24792

Parsing a corrupt or malicious image with invalid color indices can cause a...

CVE-2024-24792

Parsing a corrupt or malicious image with invalid color indices can cause a...

CVE-2024-24792

Parsing a corrupt or malicious image with invalid color indices can cause a...

CVE-2023-42014

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within....

CVE-2023-42014

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within....

CVE-2023-42011

IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: ...

CVE-2023-38371

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: ...

CVE-2023-38371

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: ...

CVE-2023-38371 IBM Security Access Manager Docker information disclosure

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: ...

CVE-2023-38371 IBM Security Access Manager Docker information disclosure

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: ...

Exploit for CVE-2024-34102

CVE-2024-34102: Unauthenticated Magento XXE CVEHunter tool...

Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz

The following Rapid7 analysts contributed to this research: Leo Gutierrez, Tyler McGraw, Sarah Lee, and Thomas Elkins. Executive Summary On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the...

CVE-2023-42014 IBM Sterling B2B Integrator Standard Edition cross-site scripting

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.2.0.2 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within....

We’re not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

AI has since replaced "cryptocurrency" and "blockchain" as the cybersecurity buzzwords everyone wants to hear. We're not getting as many headlines about cryptocurrency miners, the security risks or promises of the blockchain, or non-fungible tokens being referenced on "Saturday Night Live." A...

Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

The grpc Unary Server Interceptor created by the otelgrpc package added the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality. This can lead to the server's potential memory exhaustion when many malicious requests are sent. This leads to a...

CVE-2024-31916 IBM OpenBMC information disclosure

IBM OpenBMC FW1050.00 through FW1050.10 BMCWeb HTTPS server component could disclose sensitive URI content to an unauthorized actor that bypasses authentication channels. IBM X-ForceID: ...

CVE-2023-42011 IBM Sterling B2B Integrator Standard Edition tapjacking

IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: ...

CVE-2023-42011 IBM Sterling B2B Integrator Standard Edition tapjacking

IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: ...

CVE-2024-24792 Panic when parsing invalid palette-color images in golang.org/x/image

Parsing a corrupt or malicious image with invalid color indices can cause a...

CVE-2024-35153 IBM WebSphere Application Server cross-site scripting

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...

CVE-2024-35153 IBM WebSphere Application Server cross-site scripting

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...

Polyfill Library Injected with Malware Impacting 100,000 Websites

A trusted JavaScript library, Polyfill.io, became a malware delivery system. Security experts exposed the attack and the potential consequences for website visitors. Learn how this supply chain attack highlights the importance of web development security and what steps developers can take to...

Driving licences and other official documents leaked by authentication service used by Uber, TikTok, X, and more

A company that helps to authenticate users for big brands had a set of administration credentials exposed online for over a year, potentially allowing access to user identity documents such as driving licenses. As more and more legislation emerges requiring websites and platforms—like gambling...

CVE-2024-39373

TELSAT marKoni FM Transmitters are vulnerable to a command injection vulnerability through the manipulation of settings and could allow an attacker to gain unauthorized access to the system with administrative...

CVE-2024-31883

IBM Security Verify Access 10.0.0.0 through 10.0.7.1, under certain configurations, could allow an unauthenticated attacker to cause a denial of service due to asymmetric resource consumption. IBM X-Force ID: ...

CVE-2024-39373

TELSAT marKoni FM Transmitters are vulnerable to a command injection vulnerability through the manipulation of settings and could allow an attacker to gain unauthorized access to the system with administrative...

CVE-2024-31883

IBM Security Verify Access 10.0.0.0 through 10.0.7.1, under certain configurations, could allow an unauthenticated attacker to cause a denial of service due to asymmetric resource consumption. IBM X-Force ID: ...

CVE-2023-30430

IBM Security Verify Access 10.0.0 through 10.0.7.1 could allow a local user to obtain sensitive information from trace logs. IBM X-Force ID: ...

CVE-2024-28820

Buffer overflow in the extract_openvpn_cr function in openvpn-cr.c in openvpn-auth-ldap (aka the Three Rings Auth-LDAP plugin for OpenVPN) 2.0.4 allows attackers with a valid LDAP username and who can control the challenge/response password field to pass a string with more than 14 colons into this....