Windows Server, Version 1909 (Server Core Installation) Security Vulnerabilities

CVE-2024-38521 Persistent Cross-Site Scripting (XSS) in hushline inbox

Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. There is a stored XSS in the Inbox. The input is displayed using the safe Jinja2 attribute, and thus not sanitized upon display. This issue has been patched in version...

Security Bulletin: Vulnerability in tqdm affects IBM Process Mining CVE-2024-34062

Summary There is a vulnerability in tqdm that could allow an local authenticated attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID:...

Security Bulletin: Vulnerability in Jinja affects IBM Process Mining CVE-2024-34064

Summary There is a vulnerability in Jinja that could allow an attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability....

Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server

Mattermost leaks details of AD/LDAP groups of a teams in...

Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server

Mattermost post fetching without auditing in compliance export in...

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server

APM Server vulnerable to Insertion of Sensitive Information into Log File in...

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server

Mattermost allows attackers access to posts in channels they are not a member of in...

Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server

Mattermost allows demoted guests to change group names in...

Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server

Mattermost viewing archived public channels permissions vulnerability in...

Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server

Mattermost notified all users in the channel when using WebSockets to respond individually in...

Mattermost race condition in github.com/mattermost/mattermost-server

Mattermost race condition in...

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in...

Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server

Mattermost Cross-site Scripting vulnerability in...

Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center

Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in...

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server

Mattermost denial of service through long emoji value in...

Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server

Mattermost fails to check the "invite_guest" permission in...

Server-Side Request Forgery in github.com/greenpau/caddy-security

Server-Side Request Forgery in...

Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server

Mattermost fails to properly restrict the access of files attached to posts in...

Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server

Mattermost vulnerable to denial of service via large number of emoji reactions in...

The DES/3DES cipher was used as part of the TLS protocol by installation tools in github.com/karmada-io/karmada

The DES/3DES cipher was used as part of the TLS protocol by installation tools in...

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server

Mattermost fails to limit the number of role names in...

SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

SFTP is possible on the Proxy server for any user with SFTP access in...

Security Bulletin: Vulnerability in Bouncy Castle Crypto Package For Java affects IBM Process Mining CVE-2024-30171

Summary There is a vulnerability in Bouncy Castle Crypto Package For Java that could allow an remote authenticated attacker to obtain sensitive information on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability....

Security Bulletin: Vulnerability in Apache Commons Compress affects IBM Process Mining Multiple CVEs

Summary There is a vulnerability in Apache Commons Compress that could allow an remote attacker exploit to cause a denial of service condition on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability...

Security Bulletin: Vulnerability in Bouncy Castle Crypto Package For Java affects IBM Process Mining CVE-2024-34447

Summary There is a vulnerability in Bouncy Castle Crypto Package For Java that could allow an attacker to perform a DNS poisoning attack on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...

Security Bulletin: Vulnerability in Netty affects IBM Process Mining CVE-2024-29025

Summary There is a vulnerability in Netty that could allow an attacker to cause a denial of service condition on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-29025 ...

Security Bulletin: Vulnerability in Bouncy Castle Crypto Package For Java affects IBM Process Mining CVE-2024-30172

Summary There is a vulnerability in Bouncy Castle Crypto Package For Java that could allow an attacker to cause a denial of service condition on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability...

Security Bulletin: Vulnerability in Pydantic affects IBM Process Mining CVE-2024-3772

Summary There is a vulnerability in Pydantic that could allow an attacker to cause a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-3772 ...

Security Bulletin: Vulnerability in Node.js affects IBM Process Mining CVE-2024-28849

Summary There is a vulnerability in Node.js that could allow an remote authenticated attacker to obtain sensitive information on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID:...

Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects IBM Process Mining CVE-2024-22262

Summary There is a vulnerability in VMware Tanzu Spring Framework that could allow a remote attacker to conduct phishing attacks on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID:....

Security Bulletin: Vulnerability in Gunicorn affects IBM Process Mining CVE-2024-1135

Summary There is a vulnerability in Gunicorn that could allow an attacker to conduct XSS attacks on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-1135 DESCRIPTION:...

Security Bulletin: Vulnerability in Bouncy Castle Crypto Package For Java affects IBM Process Mining CVE-2024-29857

Summary There is a vulnerability in Bouncy Castle Crypto Package For Java that could allow an attacker to cause excessive CPU consumption on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details.....

Security Bulletin: Vulnerability in sqlparse affects IBM Process Mining CVE-2024-4340

Summary There is a vulnerability in sqlparse that could allow an attacker to cause a denial of service condition on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-4340 .....

Security Bulletin: Vulnerability in Pallets Werkzeug affects IBM Process Mining CVE-2024-34069

Summary There is a vulnerability in Pallets Werkzeug that could allow an attacker to gain elevated privileges on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-34069 ...

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords

Update #1: As of 12:36PM EST, another plugin has been infected. We've updated the list below to include this fourth plugin and the plugins team has been notified. Update #2: As of 2:20 PM EST, two more plugins appear to have malicious commits, however, the releases have not officially been made...

Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2024-37532)

Summary WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin. Vulnerability Details Refer to the security bulletin(s).....

Exploit for CVE-2024-34102

🇮🇱 **#BringThemHome...

Security Bulletin: IBM Master Data Management is vulnerable to identity spoofing caused by vulnerabilites in IBM WebSphere Application Server

Summary IBM Master Data Management version 11.6 and 12.0 is impacted by vulnerability to identity spoofing in WebSphere Application Server. IBM WebSphere Application Server is vulnerable to identity spoofing by an authenticated user due to improper signature validation. Vulnerability Details **...

CVE-2024-38531

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can...

CVE-2024-38531

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can...

CVE-2024-38531

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can...

CVE-2024-29038

tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by tpm2 checkquote. This issue was patched in version...

CVE-2024-29038

tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by tpm2 checkquote. This issue was patched in version...

CVE-2024-29038

tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by tpm2 checkquote. This issue was patched in version...

CVE-2024-29038 tpm2 does not detect if quote was not generated by TPM

tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by tpm2 checkquote. This issue was patched in version...

CVE-2024-29038 tpm2 does not detect if quote was not generated by TPM

tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by tpm2 checkquote. This issue was patched in version...

CVE-2024-38531 Nix sandbox escape

Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can...

Security Bulletin: An unspecified IBM SDK, Java Technology Edition vulnerability affects InfoSphere Data Replication

Summary An unspecified IBM SDK, Java Technology Edition vulnerability is addressed. Vulnerability Details ** CVEID: CVE-2023-22081 DESCRIPTION: **An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity...

Security Bulletin: An unspecified IBM SDK, Java Technology Edition vulnerability affects InfoSphere Data Replication

Summary An unspecified IBM SDK, Java Technology Edition vulnerability is addressed. Vulnerability Details ** CVEID: CVE-2023-22045 DESCRIPTION: **An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts. CVSS Base...

Security Bulletin: A vulnerability in github.com/containerd/containerd-v1.6.17 affects Data Replication on Cloud Pak for Data

Summary A vulnerability in the github.com/containerd/containerd-v1.6.17 package has been addressed. Vulnerability Details ** CVEID: CVE-2023-25173 DESCRIPTION: **containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary...