WooCommerce Multivendor Marketplace – REST API Security Vulnerabilities

CVE-2024-2013

An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack...

AVEVA PI Web API

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: AVEVA Equipment: PI Web API Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code...

Google’s Chrome changes make life harder for ad blockers

Despite protests, Google is rolling out changes in the Chrome browser that make it harder for ad blockers to do their job. Starting last Monday, June 3, 2024, Chrome Beta, Dev, and Canary channels will see the effects of the implementation of the new extension platform Manifest V3. The gradual...

Sensitive Information Exposure

h2o is vulnerable to Sensitive Information Exposure. The vulnerability is due the Typeahead API call which allows an attacker to lookup arbitrary system paths in the entire file system where h2o-3 is...

CVE-2023-28775

Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through...

CVE-2023-28775

Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through...

CVE-2023-28775 WordPress Yoast SEO Premium plugin <= 20.4 - Unauthenticated Zapier API Key Reset vulnerability

Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through...

CVE-2023-28775 WordPress Yoast SEO Premium plugin <= 20.4 - Unauthenticated Zapier API Key Reset vulnerability

Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through...

Improper Authorization

zenml is vulnerable to Improper Authorization. The vulnerability is due to improper authorization controls in the API PUT /api/v1/users/id endpoint, allowing any authenticated user to modify other users' information, including deactivating...

Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487)

Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487) Overview This update replaces previously released updates. You should always install the latest update. This update also fixes vulnerabilities. For...

Description of the security update for SharePoint Server 2019: June 11, 2024 (KB5002602)

Description of the security update for SharePoint Server 2019: June 11, 2024 (KB5002602) Summary This security update resolves a Microsoft SharePoint Server remote code execution vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures...

Description of the security update for SharePoint Enterprise Server 2016: June 11, 2024 (KB5002604)

Description of the security update for SharePoint Enterprise Server 2016: June 11, 2024 (KB5002604) Summary This security update resolves a Microsoft SharePoint Server remote code execution vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures...

Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign

As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the.....

SQL Injection

litellm is vulnerable to SQL Injection. The vulnerability is due to improper handling of the 'user_id' parameter in the raw SQL query used for deleting users. This allows an attacker to inject malicious SQL commands, leading to potential unauthorized access to sensitive information such as API...

Exploit for Code Injection in Ssssssss Spider-Flow

...

Low: c-ares security update

The c-ares C library defines asynchronous DNS (Domain Name System) requests and provides name resolving API. Security Fix(es): c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and...

KB5039217: Windows 10 version 1809 / Windows Server 2019 Security Update (June 2024)

The remote Windows host is missing security update 5039217. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

Linux kernel (OEM) vulnerabilities

Releases Ubuntu 24.04 LTS Packages linux-oem-6.8 - Linux kernel for OEM systems Details Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this...

Low: c-ares security update

The c-ares C library defines asynchronous DNS (Domain Name System) requests and provides name resolving API. Security Fix(es): c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and...

KB5039294: Windows Server 2012 R2 Security Update (June 2024)

The remote Windows host is missing security update 5039294. It is, therefore, affected by multiple vulnerabilities Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080) DHCP Server Service Denial of Service Vulnerability (CVE-2024-30070) Windows OLE Remote...

RHEL 8 : fence-agents (RHSA-2024:3795)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:3795 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...

Ubuntu 23.10 : Linux kernel vulnerabilities (USN-6819-2)

The remote Ubuntu 23.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6819-2 advisory. Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference...

KB5039236: Windows 11 version 22H2 / Windows Server version 23H2 Security Update (June 2024)

The remote Windows host is missing security update 5039236. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

KB5039274: Windows Server 2008 R2 Security Update (June 2024)

The remote Windows host is missing security update 5039274. It is, therefore, affected by multiple vulnerabilities Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080) Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability...

KB5039211: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (June 2024)

The remote Windows host is missing security update 5039211. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

KB5039225: Windows 10 LTS 1507 Security Update (June 2024)

The remote Windows host is missing security update 5039225. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege...

fence-agents security update

[4.10.0-62.3] - bundled jinja2: fix CVE-2024-34064 Resolves: RHEL-36482 [4.10.0-62.2] - fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer Resolves: RHEL-35273 [4.10.0-62.1] - ha-cloud-support: upgrade bundled pyroute2 libs to fix issue in gcp-vpc-move-route's stop-action Resolves:...

Ubuntu: Security Advisory (USN-6817-2)

The remote host is missing an update for...

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation

Description The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to...

Ubuntu: Security Advisory (USN-6818-2)

The remote host is missing an update for...

How to Add a Blueprint Target Using Execution Hooks From the Policy API

This article explains how to set resources other than namespaces as the hooks for blueprint...

Ubuntu: Security Advisory (USN-6821-2)

The remote host is missing an update for...

Newsletter - API v1 and v2 addon for Newsletter < 2.4.6 - Missing Authorization to Email Subscribers Management

Description The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create.....

Ubuntu 22.04 LTS : Linux kernel (NVIDIA) vulnerabilities (USN-6820-2)

The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6820-2 advisory. It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability....

KB5039227: Windows 2022 / Azure Stack HCI 22H2 Security Update (June 2024)

The remote Windows host is missing security update 5039227. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

KB5039260: Windows Server 2012 Security Update (June 2024)

The remote Windows host is missing security update 5039260. It is, therefore, affected by multiple vulnerabilities Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080) DHCP Server Service Denial of Service Vulnerability (CVE-2024-30070) Windows OLE Remote...

KB5039213: Windows 11 version 21H2 Security Update (June 2024)

The remote Windows host is missing security update 5039213. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

KB5039214: Windows 10 Version 1607 / Windows Server 2016 Security Update (June 2024)

The remote Windows host is missing security update 5039214. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

KB5039266: Windows Server 2008 Security Update (June 2024)

The remote Windows host is missing security update 5039266. It is, therefore, affected by multiple vulnerabilities Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability (CVE-2024-30080) Windows Link Layer Topology Discovery Protocol Remote Code Execution Vulnerability...

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel (AWS) vulnerabilities (USN-6821-3)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6821-3 advisory. It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free...

Ubuntu 20.04 LTS : Linux kernel (Intel IoTG) vulnerabilities (USN-6828-1)

The remote Ubuntu 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6828-1 advisory. Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use-...

CentOS 9 : openssl-3.2.2-1.el9

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the openssl-3.2.2-1.el9 build changelog. Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact...

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege...

Moderate: fence-agents security update

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es): jinja2: accepts keys containing non-attribute characters...

KB5039212: Windows 11 version 22H2 / Windows 11 version 23H2 Security Update (June 2024)

The remote Windows host is missing security update 5039212. It is, therefore, affected by multiple vulnerabilities Microsoft Speech Application Programming Interface (SAPI) Remote Code Execution Vulnerability (CVE-2024-30097) Windows Remote Access Connection Manager Information Disclosure...

CVE-2024-22261 SQL Injection in Harbor scan log API

SQL-Injection in Harbor allows priviledge users to leak the task...

Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty Profile affect IBM Robotic Process Automation.

Summary Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation as part of UMS and as an application server for container deployments. This bulletin identifies the security fixes to apply to address the vulnerability. ...

Langflow remote code execution vulnerability

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...

Langflow remote code execution vulnerability

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...