Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal.....
9.8CVSS
6.8AI Score
0.0004EPSS
CVE-2024-32881 Unauthorized access to GET/SET of Slack Bot Tokens in Danswer
Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot, leading to internal.....
9.8CVSS
9.5AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 15, 2024 to April 21, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 209 vulnerabilities disclosed in 169...
9.9AI Score
EPSS
The CISO’s Top Priority: Elevating Data-Centric Security
The shift to cloud computing has enhanced the resilience and security of most organizations. In this era of unparalleled agility and scalability, data-centric security can offer transformational opportunities for Chief Information Security Officers (CISOs) to improve data protection, compliance,...
7.2AI Score
The Rise of Large-Language-Model Optimization
The web has become so interwoven with everyday life that it is easy to forget what an extraordinary accomplishment and treasure it is. In just a few decades, much of human knowledge has been collectively written up and made available to anyone with an internet connection. But all of this is coming....
6.7AI Score
Zynith SEO <= 7.4.9 - Unauthenticated Stored Cross-Site Scripting
Description The Zynith SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...
8.6CVSS
8AI Score
0.0004EPSS
SpEL Injection in GET /api/v1/policies/validation/condition/<expr> (GHSL-2023-236) Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in...
8.8CVSS
8.9AI Score
0.0004EPSS
SpEL Injection in GET /api/v1/policies/validation/condition/<expr> (GHSL-2023-236) Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in...
8.8CVSS
8.9AI Score
0.0004EPSS
OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)
SpEL Injection in PUT /api/v1/events/subscriptions (GHSL-2023-251) Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have...
8.8CVSS
8AI Score
0.0004EPSS
OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)
SpEL Injection in PUT /api/v1/events/subscriptions (GHSL-2023-251) Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have...
8.8CVSS
8AI Score
0.0004EPSS
This Week in Spring - Tuesday, April 23rd, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! We've had a really busy, wonderful week, as always, so let's dive right into it! We want you! ...to submit a talk to SpringOne 2024, in sunny Las Vegas! Hurry, the CFP closes May 3rd! Spring Shell 3.1.11, 3.2.4, and 3.3.0-m1...
7.1AI Score
AI Infographic Maker < 4.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The AI Infographic Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
6.5CVSS
5.9AI Score
0.0004EPSS
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
Summary Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions. PoC ```javascript const { parseWithZod } =...
8.6CVSS
8.5AI Score
0.0004EPSS
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
Summary Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions. PoC ```javascript const { parseWithZod } =...
8.6CVSS
8.5AI Score
0.0004EPSS
OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)
SpEL Injection in PUT /api/v1/policies (GHSL-2023-252) Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability CompiledRule::validateExpression is also called from...
9.4CVSS
9.8AI Score
0.0004EPSS
OpenMetadata vulnerable to SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`)
SpEL Injection in PUT /api/v1/policies (GHSL-2023-252) Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability CompiledRule::validateExpression is also called from...
9.4CVSS
8.3AI Score
0.0004EPSS
Google ad for Facebook redirects to scam
Today, we are looking at a malicious ad campaign targeting Facebook users via Google search. It is well-known that tech support scammers attract new victims by buying ads for certain keywords related to their audience. What is perhaps less known is how it is even possible to impersonate top brands....
6.9AI Score
USF College of Engineering Presents Rapid7 With 2024 Corporate Impact Award
This past Friday, April 19, the University of South Florida (USF) College of Engineering recognized individuals and organizations who have greatly impacted USF and beyond at its ninth annual Engineering Honors Awards at The Armature Works in Tampa. I had the honor of joining my colleagues,...
7.4AI Score
(RHSA-2024:2010) Important: Satellite 6.15.0 release
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Security fixes: * python-pygments: ReDoS in pygments (CVE-2022-40896) * python-pycryptodomex: Side-channel...
7.6AI Score
EPSS
[SECURITY] Fedora 40 Update: chromium-124.0.6367.60-2.fc40
Chromium is an open-source web browser, powered by WebKit...
8.8CVSS
7.3AI Score
0.001EPSS
Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Summary Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands. Details Since #26848, registryAliases has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo.....
7.9AI Score
Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Summary Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands. Details Since #26848, registryAliases has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo.....
7.9AI Score
0G and OnePiece Labs Collaborate to Create Crypto x AI Incubator
By Owais Sultan 0G Labs and One Piece Labs have announced the launch of the first incubator for startups working at… This is a post from HackRead.com Read the original post: 0G and OnePiece Labs Collaborate to Create Crypto x AI...
7.3AI Score
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
6.4CVSS
5.7AI Score
0.0004EPSS
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
6.4CVSS
5.6AI Score
0.0004EPSS
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
6.4CVSS
5.8AI Score
0.0004EPSS
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible.....
6.4CVSS
5.7AI Score
0.0004EPSS
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible.....
6.4CVSS
5.7AI Score
0.0004EPSS
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible.....
6.4CVSS
5.8AI Score
0.0004EPSS
A flaw was found in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in...
5.3CVSS
6AI Score
0.0004EPSS
[SECURITY] Fedora 39 Update: chromium-124.0.6367.60-2.fc39
Chromium is an open-source web browser, powered by WebKit...
8.8CVSS
7.3AI Score
0.001EPSS
9.8CVSS
9.9AI Score
0.711EPSS
Description The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This....
6.4CVSS
5.9AI Score
0.0004EPSS
7.4AI Score
FortiNet FortiClient EMS 7.2.2 / 7.0.10 SQL Injection / Remote Code Execution Exploit
A remote SQL injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server) versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled...
9.8CVSS
10AI Score
0.711EPSS
Visual Studio Code Execution Exploit
This Metasploit module creates a vsix file which can be installed in Visual Studio Code as an extension. At activation/install, the extension will execute a shell or two. Tested against VSCode 1.87.2 on Ubuntu...
7.7AI Score
Take Command Summit: Take Breaches from Inevitable to Preventable on May 21
Registration is now open for Take Command, a day-long virtual summit in partnership with AWS. You do not want to miss it. You’ll get new attack intelligence, insight into AI disruption, transparent MDR partnerships, and more. In 2024, adversaries are using AI and new techniques, working in gangs...
7AI Score
Wallarm introduced its ongoing Open Source API Firewall project to the world at the recently concluded Blackhat Asia 2024 conference in Singapore. The open-source API Firewall by Wallarm is a free, lightweight API Firewall designed to protect REST and GraphQL API endpoints across cloud-native...
8.1AI Score
Billions of scraped Discord messages up for sale
Four billions public Discord messages are for sale on an internet scraping service called Spy.pet. At first sight there doesn’t seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard.....
6.8AI Score
ToddyCat is making holes in your infrastructure
We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts...
7.6AI Score
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud Infographic Maker – iList allows Stored XSS.This issue affects Infographic Maker – iList: from n/a through...
6.5CVSS
6.4AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud Infographic Maker – iList allows Stored XSS.This issue affects Infographic Maker – iList: from n/a through...
6.5CVSS
6.6AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud Infographic Maker – iList allows Stored XSS.This issue affects Infographic Maker – iList: from n/a through...
6.5CVSS
6.6AI Score
0.0004EPSS
Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage
Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make its operations more effective and efficient. "They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and...
7.2AI Score
Description The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes.....
6.4CVSS
5.9AI Score
0.0004EPSS
[SECURITY] Fedora 38 Update: chromium-124.0.6367.60-1.fc38
Chromium is an open-source web browser, powered by WebKit...
8.8CVSS
7AI Score
0.001EPSS
AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now
Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in...
6.9AI Score
[SECURITY] Fedora 40 Update: chromium-123.0.6312.122-1.fc40
Chromium is an open-source web browser, powered by WebKit...
8.8CVSS
7.5AI Score
0.001EPSS
Taking Time to Understand NIS2 Reporting Requirements
The newest version of the European Union Network and Information Systems directive, or NIS2, came into force in January 2023. Member States have until October 2024 to transpose it into their national law. One of the most critical changes with NIS2 is the schedule for reporting a cybersecurity...
7AI Score
IT and Cybersecurity Jobs in the Age of Emerging AI Technologies
By Waqas Fear AI taking your IT or cybersecurity job? Don't! Learn how AI creates new opportunities in network management, threat detection & more. This is a post from HackRead.com Read the original post: IT and Cybersecurity Jobs in the Age of Emerging AI...
7.3AI Score