Barcode Scanner With Inventory & Order Manager Security Vulnerabilities

CVE-2024-37146 GHSL-2023-248: Flowise xss in /api/v1/credentials/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/id endpoint. If the default configuration is used (unauthenticated), an attacker may be able to...

CVE-2024-5655: GitLab Fixes CI/CD Vulnerability & 13 Other Flaws With Latest Patch Release

A security flaw that impacts specific versions of GitLab's Community and Enterprise Edition products was just detected. This vulnerability can be exploited to execute pipelines under any user's credentials. GitLab is a web-based DevOps platform offering tools for software development, version...

CVE-2024-37145 GHSL-2023-247: Flowise xss in /api/v1/chatflows-streaming/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/chatflows-streaming/id endpoint. If the default configuration is used (unauthenticated), an attacker may be...

CVE-2024-36423 GHSL-2023-246: Flowise xss in /api/v1/public-chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/public-chatflows/id endpoint. If the default configuration is used (unauthenticated), an attacker may be able...

CVE-2024-38474 Apache HTTP Server weakness with encoded question marks in backreferences

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to...

CVE-2024-38473 Apache HTTP Server proxy encoding problem

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2024-25026)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

CVE-2024-36987

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST...

CVE-2024-36987

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST...

CVE-2024-20399

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific...

CVE-2024-20399

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific...

CVE-2024-36987 Insecure File Upload in the indexing/preview REST endpoint

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, an authenticated, low-privileged user who does not hold the admin or power Splunk roles could upload a file with an arbitrary extension using the indexing/preview REST...

WordPress Security Research: A Beginner’s Series

Learn How To Find WordPress Vulnerabilities Step-by-Step Welcome to the inaugural post of our WordPress Security Research Beginner's Series! With the success of the Wordfence Bug Bounty Program, we wanted to provide emerging vulnerability researchers, and experienced Bug Bounty Hunters, with a...

CVE-2024-36422

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the api/v1/chatflows/id endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft.....

CVE-2024-36422

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the api/v1/chatflows/id endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft.....

CVE-2024-36421

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated),...

CVE-2024-36421

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated),...

Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow "any malicious actor to claim ownership...

CVE-2024-20399

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific...

WordPress Security Research Series: WordPress Request Architecture and Hooks

Welcome to Part 1 of the WordPress Security Research Beginner Series! If you haven’t had a chance, please review the series introduction blog post for more details on the goal of this series and what to expect. Before diving into the security features of WordPress, it's critical to understand the.....

Personal data stolen from unsuspecting airport visitors and plane passengers in “evil twin” attacks, man charged

The Australian Federal Police (AFP) have charged a man for setting up fake free WiFi access points in order to steal personal data from people. The crime was discovered when an airline reported a suspicious WiFi network identified by its employees during a domestic flight. When the alleged...

CVE-2024-36422 GHSL-2023-245: Flowise xss in api/v1/chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the api/v1/chatflows/id endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft.....

Cisco NX-OS Software CLI Command Injection Vulnerability

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of arguments that are passed to specific...

CVE-2024-36421 GHSL-2023-234: Flowise Cors Misconfiguration in packages/server/src/index.ts

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A CORS misconfiguration sets the Access-Control-Allow-Origin header to all, allowing arbitrary origins to connect to the website. In the default configuration (unauthenticated),...

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting (CVE-2024-35153)

Summary IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the administrative console. Vulnerability Details Refer to the security bulletin(s) listed in the Remediation/Fixes section Affected Products and Versions Affected...

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to XML External Entity Injection attack due to IBM WebSphere Application Server Liberty (CVE-2024-22354)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to cross-site scripting due to IBM WebSphere Application Server Liberty (CVE-2024-27270)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2024-22353)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to server-side request forgery due to IBM WebSphere Application Server Liberty (CVE-2024-22329)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2024-27268)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to denial of service due to IBM WebSphere Application Server Liberty (CVE-2023-51775)

Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin. Vulnerability Details ** CVEID:.....

CVE-2024-6104 vulnerabilities

Vulnerabilities for packages: zarf, consul, flux, influxd, flux-source-controller, policy-controller, ksops, timestamp-authority, flux-helm-controller, opentofu, fulcio, argo-cd, neuvector-sigstore-interface, zot, nuclei, pulumi-kubernetes-operator, k3s, vexctl, glab, snyk-cli, kargo,...

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: flux-source-controller, grype, kubeflow-katib, ip-masq-agent, nghttp2, cortex, tctl, gke-gcloud-auth-plugin, mc, kubescape, gitlab-shell, kyverno, node-problem-detector, weaviate, kaf, metacontroller, prometheus-blackbox-exporter, helm, cluster-autoscaler,...

GHSA-2C7C-3MJ9-8FQH vulnerabilities

Vulnerabilities for packages: istio-pilot-discovery, flux-source-controller, cloudflared, argo-cd, fulcio, vexctl, traefik, tekton-pipelines, terragrunt, gitsign, aactl, keda, kubescape, sops, kots, tekton-chains, external-secrets-operator, cosign, kyverno, vault, slsa-verifier, cilium-envoy,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, docker, logstash-exporter, prometheus-alertmanager, doppler-kubernetes-operator, flux-source-controller, kuberay-operator, grype, policy-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, ip-masq-agent, zot, golangci-lint,...

GHSA-X84C-P2G9-RQV9 vulnerabilities

Vulnerabilities for packages: harbor-scanner-trivy, docker, dagger, buf, tekton-pipelines, docker-compose, helm-push, kaniko, neuvector-scanner, cri-tools, k3d, syft, grype, policy-controller, prometheus, wolfictl,...

GHSA-7WW5-4WQC-M92C vulnerabilities

Vulnerabilities for packages: kaniko, flux-source-controller, grype, telegraf, skaffold, flux-helm-controller, zot, tekton-pipelines, helm-push, k3d, kubescape, melange, kots, newrelic-infrastructure-agent, ctop, up, cert-manager, trivy, eksctl, helm, neuvector-agent, fuse-overlayfs-snapshotter,...

CVE-2024-25620 vulnerabilities

Vulnerabilities for packages: helm-operator, k9s, k8sgpt, zarf, helm-push, istio-operator, flux-source-controller, cilium-cli, cert-manager, chartmuseum, kubescape, flux-helm-controller, kots, trivy, eksctl, zot,...

GHSA-R53H-JV2G-VPX6 vulnerabilities

Vulnerabilities for packages: helm-operator, k9s, k8sgpt, zarf, helm-push, istio-operator, flux-source-controller, cilium-cli, cert-manager, chartmuseum, kubescape, flux-helm-controller, kots, trivy, eksctl, zot,...

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...

GHSA-JQ35-85CJ-FJ4P vulnerabilities

Vulnerabilities for packages: skaffold, k3s, tekton-pipelines, k3d, aactl, chartmuseum, kubescape, kpt, tekton-chains, ctop, loki, up, scorecard, slsa-verifier, cert-manager, bom, goreleaser, falco, paranoia,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, zot, stern, swagger, kubescape, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, prometheus-statsd-exporter, trivy, bincapz,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: logstash-exporter, gostatsd, grafana-rollout-operator, prometheus-alertmanager, direnv, flux-source-controller, policy-controller, tfsec, mongo-tools, ipfs, ip-masq-agent, harbor-registry, zot, golangci-lint, kubernetes, stern, glab, go-bindata, cortex, delve, go,...

GHSA-5FQ7-4MXC-535H vulnerabilities

Vulnerabilities for packages: logstash-exporter, gostatsd, grafana-rollout-operator, prometheus-alertmanager, direnv, flux-source-controller, policy-controller, tfsec, mongo-tools, ipfs, ip-masq-agent, harbor-registry, zot, golangci-lint, kubernetes, stern, glab, go-bindata, cortex, delve, go,...

CVE-2024-24789 vulnerabilities

Vulnerabilities for packages: logstash-exporter, direnv, dagdotdev, cloud-sql-proxy, mongo-tools, ip-masq-agent, stern, swagger, hivemind, kubescape, pluto, cni-plugins, clusterctl, nri-discovery-kubernetes, sbom-scorecard, node-problem-detector, syft, prometheus-statsd-exporter, trivy,...

GHSA-V6V8-XJ6M-XWQH vulnerabilities

Vulnerabilities for packages: zarf, consul, flux, influxd, flux-source-controller, policy-controller, ksops, timestamp-authority, flux-helm-controller, opentofu, fulcio, argo-cd, neuvector-sigstore-interface, zot, nuclei, pulumi-kubernetes-operator, k3s, vexctl, glab, snyk-cli, kargo,...

CVE-2023-45285 vulnerabilities

Vulnerabilities for packages: docker-credential-ecr-login, kubernetes-dashboard-metrics-scraper, grpcurl, wait-for-port, prometheus-stackdriver-exporter, ip-masq-agent, gitlab-logger, aws-flb-kinesis, petname, sonobuoy, nsc, mage, go-bindata, cortex, gke-gcloud-auth-plugin, helm-push, k3d, aactl,.....

CVE-2023-3978 vulnerabilities

Vulnerabilities for packages: prometheus-alertmanager, flux-source-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, zot, k3s, tctl, gke-gcloud-auth-plugin, kubernetes-csi-external-provisioner, mc, kyverno, node-problem-detector, prometheus-pushgateway, flux-image-reflector-controller,....

CVE-2024-24786 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, docker, logstash-exporter, prometheus-alertmanager, doppler-kubernetes-operator, flux-source-controller, kuberay-operator, grype, policy-controller, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, ip-masq-agent, zot, golangci-lint,...

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: temporal-ui-server, supercronic, logstash-exporter, prometheus-alertmanager, direnv, doppler-kubernetes-operator, kuberay-operator, grype, k8sgpt-operator, cloud-sql-proxy, kubeflow-katib, mongo-tools, ip-masq-agent, golangci-lint, kubernetes, k3s, go-bindata,...