WooCommerce Multivendor Marketplace – REST API Security Vulnerabilities

wolfi

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.8 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
184

wolfi

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.8 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
42

wolfi

GHSA-RR6R-CFGF-GC6H vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.5 AI Score
2024-06-22 09:08 AM
28

wolfi

GHSA-G4MX-Q9VG-27P4 vulnerabilities

Vulnerabilities for packages: py3-tensorflow-serving-api, jwt-tool, kubeflow-volumes-web-app, py3-urllib3,...

7.5 AI Score
2024-06-22 09:08 AM
26

wolfi

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: dask-gateway, cilium, guac, flux-notification-controller, prometheus-blackbox-exporter, gitlab-pages, bom, go-licenses, doppler-kubernetes-operator, kube-fluentd-operator, influxd, spire-server, dataplaneapi, dive, nodetaint, cert-exporter, step, kubebuilder,...

6.8 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
55

wolfi

CVE-2024-24789 vulnerabilities

Vulnerabilities for packages: dask-gateway, cilium, ksops, hey, flux-notification-controller, prometheus-blackbox-exporter, gitlab-pages, bom, fluent-bit-plugin-loki, nerdctl, go-licenses, doppler-kubernetes-operator, kube-fluentd-operator, influxd, spire-server, dataplaneapi, dive, nodetaint,...

5.5 CVSS
6.1 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
16

wolfi

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: dask-gateway, cilium, guac, flux-notification-controller, prometheus-blackbox-exporter, gitlab-pages, bom, go-licenses, doppler-kubernetes-operator, kube-fluentd-operator, influxd, spire-server, dataplaneapi, dive, nodetaint, cert-exporter, step, kubebuilder,...

7.5 AI Score
2024-06-22 09:08 AM
20

wolfi

CVE-2024-24790 vulnerabilities

Vulnerabilities for packages: dask-gateway, cilium, ksops, hey, flux-notification-controller, prometheus-blackbox-exporter, gitlab-pages, bom, fluent-bit-plugin-loki, nerdctl, go-licenses, doppler-kubernetes-operator, kube-fluentd-operator, influxd, spire-server, dataplaneapi, dive, nodetaint,...

9.8 CVSS
9.7 AI Score
0.001 EPSS
2024-06-22 09:08 AM
12

wolfi

GHSA-3Q2C-PVP5-3CQP vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.5 AI Score
2024-06-22 09:08 AM
22

wolfi

GHSA-FGQ5-Q76C-GX78 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.5 AI Score
2024-06-22 09:08 AM
24

wolfi

GHSA-J6M3-GC37-6R6Q vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.5 AI Score
2024-06-22 09:08 AM
21

wolfi

CVE-2023-45803 vulnerabilities

Vulnerabilities for packages: py3-tensorflow-serving-api, jwt-tool, kubeflow-volumes-web-app, py3-urllib3,...

4.2 CVSS
7.1 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
34

wolfi

GHSA-49GW-VXVF-FC2G vulnerabilities

Vulnerabilities for packages: dask-gateway, cilium, ksops, hey, flux-notification-controller, prometheus-blackbox-exporter, gitlab-pages, bom, fluent-bit-plugin-loki, nerdctl, go-licenses, doppler-kubernetes-operator, kube-fluentd-operator, influxd, spire-server, dataplaneapi, dive, nodetaint,...

7.5 AI Score
2024-06-22 09:08 AM
2

wolfi

CVE-2024-24783 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.8 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
18

wolfi

CVE-2024-24785 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.8 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
20

wolfi

GHSA-32CH-6X54-Q4H9 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

7.5 AI Score
2024-06-22 09:08 AM
21

wolfi

CVE-2024-29025 vulnerabilities

Vulnerabilities for packages: selenium, management-api-for-apache-cassandra, neo4j, opensearch, wavefront-proxy, cloudwatch-exporter, spark,...

5.3 CVSS
5.9 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
15

wolfi

GHSA-5JPM-X58V-624V vulnerabilities

Vulnerabilities for packages: selenium, management-api-for-apache-cassandra, neo4j, opensearch, wavefront-proxy, cloudwatch-exporter, spark,...

7.5 AI Score
2024-06-22 09:08 AM
6

wolfi

GHSA-236W-P7WF-5PH8 vulnerabilities

Vulnerabilities for packages: dask-gateway, cilium, ksops, hey, flux-notification-controller, prometheus-blackbox-exporter, gitlab-pages, bom, fluent-bit-plugin-loki, nerdctl, go-licenses, doppler-kubernetes-operator, kube-fluentd-operator, influxd, spire-server, dataplaneapi, dive, nodetaint,...

7.5 AI Score
2024-06-22 09:08 AM
4

wolfi

CVE-2023-45290 vulnerabilities

Vulnerabilities for packages: goreleaser, dask-gateway, consul, nri-f5, grype, eksctl, terraform-docs, php-fpm_exporter, minio, gke-gcloud-auth-plugin, hey, runc, skaffold, telegraf, cue, vault-k8s, direnv, temporal-ui-server, supercronic, lazygit, nri-mssql, dex, crossplane, yq, wire-go, task,...

6 AI Score
0.0004 EPSS
2024-06-22 09:08 AM
18

wolfi

CVE-2023-46136 vulnerabilities

Vulnerabilities for packages: py3-tensorflow-serving-api, py3-werkzeug, kubeflow-volumes-web-app, kubeflow-jupyter-web-app,...

8 CVSS
7.9 AI Score
0.001 EPSS
2024-06-22 09:08 AM
13

wolfi

GHSA-HRFV-MQP8-Q5RW vulnerabilities

Vulnerabilities for packages: py3-tensorflow-serving-api, py3-werkzeug, kubeflow-volumes-web-app, kubeflow-jupyter-web-app,...

7.5 AI Score
2024-06-22 09:08 AM
14

cve

CVE-2024-21518

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2 CVSS
7 AI Score
0.0004 EPSS
2024-06-22 05:15 AM
3

nvd

CVE-2024-21518

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2 CVSS
0.0004 EPSS
2024-06-22 05:15 AM
2

cvelist

CVE-2024-21518

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2 CVSS
0.0004 EPSS
2024-06-22 05:00 AM
3

cve

CVE-2024-5791

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input...

7.2 CVSS
6.3 AI Score
0.0005 EPSS
2024-06-22 02:15 AM
4

nvd

CVE-2024-5791

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input...

7.2 CVSS
0.0005 EPSS
2024-06-22 02:15 AM
2

cvelist

CVE-2024-5791 Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input...

7.2 CVSS
0.0005 EPSS
2024-06-22 02:01 AM
3

nvd

CVE-2024-37694

ArcGIS Enterprise Server 10.8.0 allows a remote attacker to obtain sensitive information because /arcgis/rest/services does not require...

0.0004 EPSS
2024-06-21 10:15 PM
1

cve

CVE-2024-37694

ArcGIS Enterprise Server 10.8.0 allows a remote attacker to obtain sensitive information because /arcgis/rest/services does not require...

6.5 AI Score
0.0004 EPSS
2024-06-21 10:15 PM
3

redhatcve

CVE-2024-38636

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was caught during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with F2FS) [failed]...

6.8 AI Score
0.0004 EPSS
2024-06-21 07:53 PM
1

rapid7blog

Metasploit Weekly Wrap-Up 06/21/2024

Argument Injection for PHP on Windows This week includes modules that target file traversal and arbitrary file read vulnerabilities for software such as Apache, SolarWinds and Check Point, with the highlight being a module for the recent PHP vulnerability submitted by sfewer-r7. This module...

9.8 CVSS
8.9 AI Score
0.967 EPSS
2024-06-21 06:53 PM
5

thn

Military-themed Email Scam Spreads Malware to Infect Pakistani Users

Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor. Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the...

7.2 AI Score
2024-06-21 01:01 PM
5

talosblog

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the...

7.5 AI Score
2024-06-21 12:00 PM
2

nvd

CVE-2024-38636

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was caught during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with...

0.0004 EPSS
2024-06-21 11:15 AM
2

debiancve

CVE-2024-38636

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was caught during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with...

6.8 AI Score
0.0004 EPSS
2024-06-21 11:15 AM

cve

CVE-2024-38636

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was caught during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with...

6.4 AI Score
0.0004 EPSS
2024-06-21 11:15 AM
4

thn

How to Use Tines's SOC Automation Capability Matrix

Created by John Tuckner and the team at automation and AI-powered workflow platform Tines, the SOC Automation Capability Matrix (SOC ACM) is a set of techniques designed to help security operations teams understand their automation capabilities and respond more effectively to incidents. A...

7 AI Score
2024-06-21 11:00 AM
27

vulnrichment

CVE-2024-38636 f2fs: multidev: fix to recognize valid zero block address

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was caught during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with...

6.8 AI Score
0.0004 EPSS
2024-06-21 10:18 AM

cvelist

CVE-2024-38636 f2fs: multidev: fix to recognize valid zero block address

In the Linux kernel, the following vulnerability has been resolved: f2fs: multidev: fix to recognize valid zero block address As reported by Yi Zhang in mailing list [1], kernel warning was caught during zbd/010 test as below: ./check zbd/010 zbd/010 (test gap zone support with...

0.0004 EPSS
2024-06-21 10:18 AM
2

thn

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious...

7.5 AI Score
2024-06-21 09:51 AM
7

veracode

Remote Code Execution (RCE)

js2py is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the js2py.disable_pyimport() function failing to prevent JS sandbox escape, which allows an attacker to send crafted API calls which results in arbitrary code...

7.7 AI Score
0.0004 EPSS
2024-06-21 07:01 AM
2

githubexploit

Exploit for CVE-2024-30270

This script is designed to exploit vulnerabilities in a Mailcow...

6.2 CVSS
7 AI Score
0.0004 EPSS
2024-06-21 04:47 AM
43

githubexploit

Exploit for CVE-2024-28397

Introduction (Chinese) `js2py` is a Python package...

7.1 AI Score
0.0004 EPSS
2024-06-21 04:43 AM
37

nvd

CVE-2024-3961

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3 CVSS
0.0005 EPSS
2024-06-21 04:15 AM
4

cve

CVE-2024-3961

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3 CVSS
5.1 AI Score
0.0005 EPSS
2024-06-21 04:15 AM
8

cvelist

CVE-2024-3961 ConvertKit <= 2.4.9 - Missing Authorization

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for...

5.3 CVSS
0.0005 EPSS
2024-06-21 03:49 AM
4

impervablog

PCI DSS 4.0.1: New Clarifications on Client-Side Security – What You Need to Know

As a leading provider of web application and API security solutions, Imperva is committed to helping merchants, payment processors, and anyone seeking to comply with the latest PCI DSS requirements. We previously discussed the changes introduced in PCI DSS 4.0. This blog will cover the...

7.1 AI Score
2024-06-21 12:46 AM
4

zdi

(Pwn2Own) Synology BC500 update_ntp_config Command Injection Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology BC500 IP cameras. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of the server parameter provided to the syno-api handler....

7.5 AI Score
2024-06-21 12:00 AM
2

nessus

Kibana 8.6.3 < 8.14 (ESA-2024-15)

The version of Kibana installed on the remote host is between 8.6.3 and 8.13.4. It is, therefore, affected by a vulnerability as referenced in the ESA-2024-15 advisory. A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run...

4.3 CVSS
7.2 AI Score
0.0004 EPSS
2024-06-21 12:00 AM
1

Total number of security vulnerabilities: 79471