WooCommerce Multivendor Marketplace – REST API Security Vulnerabilities

CVE-2024-37014

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...

CVE-2024-37014

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...

CVE-2024-36416

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

CVE-2024-36416

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

CVE-2024-36416

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

CVE-2024-36416 SuiteCRM v4 API Excessive log data DOS

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

CVE-2024-36416 SuiteCRM v4 API Excessive log data DOS

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

linux-oem-6.8 vulnerabilities

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. (CVE-2022-38096) Zheng Wang discovered that the...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Node.js Vulnerability Details ** CVEID: CVE-2024-22017 DESCRIPTION: **Node.js could allow a local attacker to gain elevated privileges on the system, caused by the failure of setuid() to drop all privileges...

linux-gkeop, linux-gkeop-5.15, linux-kvm vulnerabilities

It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2023-6270) It was discovered that the Atheros...

CVE-2024-29849: Veeam discloses Critical Vulnerability that allows attackers to bypass user authentication on its Backup Enterprise Manager web interface

On May 21, 2024, Veeam revealed a severe flaw across its Veeam Backup Enterprise Manager (VBEM) web interface that enables an unauthenticated attacker to log into the web interface as any user. Officially designated as CVE-2024-29849, the vulnerability presents a major threat with a CVSS V3 rating....

CVE-2024-34332

An issue in SiSoftware SANDRA v31.66 (SANDRA.sys 15.18.1.1) and before allows an attacker to escalate privileges via a crafted buffer sent to the Kernel Driver using the DeviceIoControl Windows...

CVE-2024-34332

An issue in SiSoftware SANDRA v31.66 (SANDRA.sys 15.18.1.1) and before allows an attacker to escalate privileges via a crafted buffer sent to the Kernel Driver using the DeviceIoControl Windows...

linux-laptop vulnerabilities

Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service (system crash). (CVE-2023-6356, CVE-2023-6535, CVE-2023-6536) It was.....

CVE-2024-35305

Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through...

CVE-2024-35305

Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through...

CVE-2022-45176

An issue was discovered in LIVEBOX Collaboration vDesk through v018. Stored Cross-site Scripting (XSS) can occur under the /api/v1/getbodyfile endpoint via the uri parameter. The web application (through its vShare functionality section) doesn't properly check parameters, sent in HTTP requests as.....

CVE-2022-45168

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes...

CVE-2022-45168

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes...

CVE-2022-45176

An issue was discovered in LIVEBOX Collaboration vDesk through v018. Stored Cross-site Scripting (XSS) can occur under the /api/v1/getbodyfile endpoint via the uri parameter. The web application (through its vShare functionality section) doesn't properly check parameters, sent in HTTP requests as.....

Criminal IP Unveils Fraud Detection Data Products on Snowflake Marketplace

Criminal IP Unveils Innovative Fraud Detection Data Products on Snowflake Marketplace AI SPERA, a leader in Cyber...

CVE-2024-35305 Unauth Time-Based SQL Injection via API

Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through...

CVE-2024-35305 Unauth Time-Based SQL Injection via API

Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through...

A European Summer of Sports is Upon Us – What Does it Mean for Security?

The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors.....

Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers

Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources. "This case does highlight an inherent risk in using service tags as....

Exploit for CVE-2024-37888

CVE-2024-37888 This repository documents vulnerability...

Exploit for CVE-2024-29849

CVE-2024-29849 Veeam Backup Enterprise Manager Authentication...

Improper Authorization

github.com/argoproj/argo-cd/ is vulnerable to Improper Authorization. The vulnerability is caused by the exposure of the passwordPattern setting through the /api/v1/settings endpoint without...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Checkpoint Quantum Security Gateway Firmware

Vulnerability Scanner for CVE-2024-24919 (need Shodan API)...

[SECURITY] Fedora 40 Update: galera-26.4.18-1.fc40

Galera is a fast synchronous multimaster wsrep provider (replication engine) for transactional databases and similar applications. For more information about wsrep API see https://github.com/codership/wsrep-API repository. For a description of Galera replication engine see...

CVE-2024-34332

An issue in SiSoftware SANDRA v31.66 (SANDRA.sys 15.18.1.1) and before allows an attacker to escalate privileges via a crafted buffer sent to the Kernel Driver using the DeviceIoControl Windows...

Ubuntu: Security Advisory (USN-6820-1)

The remote host is missing an update for...

Linux kernel (ARM laptop) vulnerabilities

Releases Ubuntu 23.10 Packages linux-laptop - Linux kernel for Lenovo X13s ARM laptops Details Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use...

Ubuntu: Security Advisory (USN-6816-1)

The remote host is missing an update for...

Ubuntu: Security Advisory (USN-6821-1)

The remote host is missing an update for...

CVE-2024-37014

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...

CVE-2022-45168

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/createbackupcodes endpoint, because the application allows a user to generate or regenerate the backup codes...

Ubuntu: Security Advisory (USN-6817-1)

The remote host is missing an update for...

Linux kernel vulnerabilities

Releases Ubuntu 22.04 LTS Ubuntu 20.04 LTS Packages linux-gkeop - Linux kernel for Google Container Engine (GKE) systems linux-gkeop-5.15 - Linux kernel for Google Container Engine (GKE) systems linux-kvm - Linux kernel for cloud environments Details It was discovered that the ATA over...

Ubuntu: Security Advisory (USN-6819-1)

The remote host is missing an update for...

Ubuntu 24.04 LTS : Linux kernel (OEM) vulnerabilities (USN-6817-2)

The remote Ubuntu 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6817-2 advisory. Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer...

Kiuwan Local Analyzer / SAST / SaaS XML Injection / XSS / IDOR

...

CVE-2022-45176

An issue was discovered in LIVEBOX Collaboration vDesk through v018. Stored Cross-site Scripting (XSS) can occur under the /api/v1/getbodyfile endpoint via the uri parameter. The web application (through its vShare functionality section) doesn't properly check parameters, sent in HTTP requests as.....

Ubuntu: Security Advisory (USN-6818-1)

The remote host is missing an update for...

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-6821-2)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6821-2 advisory. It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free...

CVE-2024-37014

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python...

Hirschmann HiOS Switches Null Pointer Dereference (CVE-2019-12259)

This vulnerability requires that at least one IPv4 multicast address has been assigned to the target in an incorrect way (e.g., using the API intended for assigning unicast-addresses). An attacker may use CVE-2019-12264 to incorrectly assign a multicast IP-address. An attacker on the same LAN as...

Ubuntu 23.10 : Linux kernel (ARM laptop) vulnerabilities (USN-6818-2)

The remote Ubuntu 23.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6818-2 advisory. Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference...

CVE-2024-34332

An issue in SiSoftware SANDRA v31.66 (SANDRA.sys 15.18.1.1) and before allows an attacker to escalate privileges via a crafted buffer sent to the Kernel Driver using the DeviceIoControl Windows...

Exploit for OS Command Injection in Php

CVE-2024-4577 - PHP CGI Argument Injection Remote Code...