WordPress Header Builder Plugin – Pearl Security Vulnerabilities

CVE-2024-39310 WordPress Basil Theme Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability

The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the post_title parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level...

CVE-2024-39310 WordPress Basil Theme Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability

The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the post_title parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level...

CVE-2024-39305

Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be...

CVE-2024-39305

Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be...

CVE-2024-39305 Envoy Proxy use after free when route hash policy is configured with cookie attributes

Envoy is a cloud-native, open source edge and service proxy. Prior to versions 1.30.4, 1.29.7, 1.28.5, and 1.27.7. Envoy references already freed memory when route hash policy is configured with cookie attributes. Note that this vulnerability has been fixed in the open as the effect would be...

CVE-2023-42503

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed.....

WordPress Security Research: A Beginner’s Series

Learn How To Find WordPress Vulnerabilities Step-by-Step Welcome to the inaugural post of our WordPress Security Research Beginner's Series! With the success of the Wordfence Bug Bounty Program, we wanted to provide emerging vulnerability researchers, and experienced Bug Bounty Hunters, with a...

CVE-2024-36421

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated),...

CVE-2024-36421

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated),...

Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow "any malicious actor to claim ownership...

WordPress Security Research Series: WordPress Request Architecture and Hooks

Welcome to Part 1 of the WordPress Security Research Beginner Series! If you haven’t had a chance, please review the series introduction blog post for more details on the goal of this series and what to expect. Before diving into the security features of WordPress, it's critical to understand the.....

CVE-2024-36421 GHSL-2023-234: Flowise Cors Misconfiguration in packages/server/src/index.ts

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated),...

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: flux-source-controller, grype, kubeflow-katib, ip-masq-agent, nghttp2, cortex, tctl, gke-gcloud-auth-plugin, mc, kubescape, gitlab-shell, kyverno, node-problem-detector, weaviate, kaf, metacontroller, prometheus-blackbox-exporter, helm, cluster-autoscaler,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, docker, logstash-exporter, prometheus-alertmanager, doppler-kubernetes-operator, flux-source-controller, kuberay-operator, grype, policy-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, ip-masq-agent, zot, golangci-lint,...

CVE-2024-21626 vulnerabilities

Vulnerabilities for packages: runc, docker, zarf, kaniko, grype, telegraf, skaffold, zot, kubernetes, k3s, k3d, kubescape, newrelic-infrastructure-agent, kots, datadog-agent, ctop, k9s, buildkitd, cadvisor, ingress-nginx-controller, syft, wolfictl, trivy, nvidia-device-plugin, nerdctl,...

GHSA-VR64-R9QJ-H27F vulnerabilities

Vulnerabilities for packages:...

GHSA-VVPX-J8F3-3W6H vulnerabilities

Vulnerabilities for packages: restic, wireguard-go, grpcurl, go, gke-gcloud-auth-plugin, falco, k3d, dynamic-localpv-provisioner,...

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

CVE-2022-41723 vulnerabilities

Vulnerabilities for packages: restic, wireguard-go, grpcurl, go, gke-gcloud-auth-plugin, falco, k3d, dynamic-localpv-provisioner,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, zot, stern, swagger, kubescape, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, prometheus-statsd-exporter, trivy, bincapz,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: logstash-exporter, gostatsd, grafana-rollout-operator, prometheus-alertmanager, direnv, flux-source-controller, policy-controller, tfsec, mongo-tools, ipfs, ip-masq-agent, harbor-registry, zot, golangci-lint, kubernetes, stern, glab, go-bindata, cortex, delve, go,...

GHSA-5FQ7-4MXC-535H vulnerabilities

Vulnerabilities for packages: logstash-exporter, gostatsd, grafana-rollout-operator, prometheus-alertmanager, direnv, flux-source-controller, policy-controller, tfsec, mongo-tools, ipfs, ip-masq-agent, harbor-registry, zot, golangci-lint, kubernetes, stern, glab, go-bindata, cortex, delve, go,...

CVE-2024-24789 vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, stern, swagger, hivemind, kubescape, pluto, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, syft, prometheus-statsd-exporter, trivy,...

CVE-2023-45285 vulnerabilities

Vulnerabilities for packages: docker-credential-ecr-login, kubernetes-dashboard-metrics-scraper, grpcurl, wait-for-port, prometheus-stackdriver-exporter, ip-masq-agent, gitlab-logger, aws-flb-kinesis, petname, sonobuoy, nsc, mage, go-bindata, cortex, gke-gcloud-auth-plugin, helm-push, k3d, aactl,.....

CVE-2023-3978 vulnerabilities

Vulnerabilities for packages: prometheus-alertmanager, flux-source-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, zot, k3s, tctl, gke-gcloud-auth-plugin, kubernetes-csi-external-provisioner, mc, kyverno, node-problem-detector, prometheus-pushgateway, flux-image-reflector-controller,....

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, docker, logstash-exporter, prometheus-alertmanager, doppler-kubernetes-operator, flux-source-controller, kuberay-operator, grype, policy-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, ip-masq-agent, zot, golangci-lint,...

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

GHSA-RR6R-CFGF-GC6H vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

CVE-2024-35255 vulnerabilities

Vulnerabilities for packages: restic, filebeat, zarf, flux, prometheus-operator, py3-cassandra-medusa, flux-source-controller, policy-controller, telegraf, timestamp-authority, fulcio, harbor-registry, chezmoi, airflow, nuclei, zot, velero, cortex, flyte, rclone, tekton-pipelines, traefik,...

GHSA-M5VV-6R4H-3VJ9 vulnerabilities

Vulnerabilities for packages: restic, filebeat, zarf, flux, prometheus-operator, py3-cassandra-medusa, flux-source-controller, policy-controller, telegraf, timestamp-authority, fulcio, harbor-registry, chezmoi, airflow, nuclei, zot, velero, cortex, flyte, rclone, tekton-pipelines, traefik,...

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, zot, stern, swagger, kubescape, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, prometheus-statsd-exporter, trivy, bincapz,...

GHSA-2JWV-JMQ4-4J3R vulnerabilities

Vulnerabilities for packages: logstash-exporter, gostatsd, grafana-rollout-operator, prometheus-alertmanager, direnv, flux-source-controller, policy-controller, tfsec, mongo-tools, ipfs, ip-masq-agent, harbor-registry, zot, golangci-lint, kubernetes, stern, glab, go-bindata, cortex, delve, go,...

CVE-2024-24790 vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, stern, swagger, hivemind, kubescape, pluto, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, syft, prometheus-statsd-exporter, trivy,...

CVE-2023-39325 vulnerabilities

Vulnerabilities for packages: prometheus-alertmanager, flux-source-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, zot, k3s, go, tctl, gke-gcloud-auth-plugin, kubernetes-csi-external-provisioner, mc, kubescape, gitlab-shell, kyverno, node-problem-detector, prometheus-pushgateway,...

GHSA-3Q2C-PVP5-3CQP vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

GHSA-FGQ5-Q76C-GX78 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

GHSA-J6M3-GC37-6R6Q vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

CVE-2024-22871 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-24783 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

CVE-2024-24785 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

CVE-2023-39326 vulnerabilities

Vulnerabilities for packages: docker-credential-ecr-login, kubernetes-dashboard-metrics-scraper, grpcurl, wait-for-port, prometheus-stackdriver-exporter, ip-masq-agent, gitlab-logger, aws-flb-kinesis, petname, sonobuoy, nsc, mage, go-bindata, cortex, gke-gcloud-auth-plugin, helm-push, k3d, aactl,.....

GHSA-5F94-VHJQ-RPG8 vulnerabilities

Vulnerabilities for packages: docker-credential-ecr-login, kubernetes-dashboard-metrics-scraper, grpcurl, wait-for-port, prometheus-stackdriver-exporter, ip-masq-agent, gitlab-logger, aws-flb-kinesis, petname, sonobuoy, nsc, mage, go-bindata, cortex, gke-gcloud-auth-plugin, helm-push, k3d, aactl,.....

GHSA-9F76-WG39-X86H vulnerabilities

Vulnerabilities for packages: docker-credential-ecr-login, kubernetes-dashboard-metrics-scraper, grpcurl, wait-for-port, prometheus-stackdriver-exporter, ip-masq-agent, gitlab-logger, aws-flb-kinesis, petname, sonobuoy, nsc, mage, go-bindata, cortex, gke-gcloud-auth-plugin, helm-push, k3d, aactl,.....

GHSA-49GW-VXVF-FC2G vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, stern, swagger, hivemind, kubescape, pluto, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, syft, prometheus-statsd-exporter, trivy,...

GHSA-2WRH-6PVC-2JM9 vulnerabilities

Vulnerabilities for packages: prometheus-alertmanager, flux-source-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, zot, k3s, tctl, gke-gcloud-auth-plugin, kubernetes-csi-external-provisioner, mc, kyverno, node-problem-detector, prometheus-pushgateway, flux-image-reflector-controller,....

GHSA-4374-P667-P6C8 vulnerabilities

Vulnerabilities for packages: prometheus-alertmanager, flux-source-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, zot, k3s, go, tctl, gke-gcloud-auth-plugin, kubernetes-csi-external-provisioner, mc, kubescape, gitlab-shell, kyverno, node-problem-detector, prometheus-pushgateway,...

GHSA-M425-MQ94-257G vulnerabilities

Vulnerabilities for packages: pulumi-language-dotnet, kubernetes-csi-livenessprobe, influxd, flux-source-controller, grype, telegraf, prometheus-stackdriver-exporter, secrets-store-csi-driver, flux-helm-controller, kubeflow-katib, argo-cd, pulumi-kubernetes-operator, conftest, cortex, tctl, k3d,...

GHSA-QPPJ-FM5R-HXR3 vulnerabilities

Vulnerabilities for packages: flux-source-controller, grype, kubeflow-katib, ip-masq-agent, nghttp2, cortex, tctl, gke-gcloud-auth-plugin, mc, kubescape, gitlab-shell, kyverno, node-problem-detector, weaviate, kaf, metacontroller, prometheus-blackbox-exporter, helm, cluster-autoscaler,...

GHSA-32CH-6X54-Q4H9 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

CVE-2023-45290 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...