The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...
5.4AI Score
0.0004EPSS
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...
0.0004EPSS
CVE-2024-4149 Floating Chat Widget < 3.2.3 - Admin+ Stored XSS
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...
5.7AI Score
0.0004EPSS
CVE-2024-4149 Floating Chat Widget < 3.2.3 - Admin+ Stored XSS
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...
0.0004EPSS
Denial Of Service Via Account Lockout
org.keycloak, keycloak-services is vulnerable to Denial of Service via account lockout. The vulnerability is due to improper handling of usernames formatted as email addresses, which allows attackers to lock out legitimate users by repeatedly using incorrect...
7AI Score
Driving forward in Android drivers
Posted by Seth Jenkins, Google Project Zero Introduction Android's open-source ecosystem has led to an incredible diversity of manufacturers and vendors developing software that runs on a broad variety of hardware. This hardware requires supporting drivers, meaning that many different codebases...
7.8CVSS
7.5AI Score
0.001EPSS
LatePoint Plugin < 4.9.9.1 - Missing Authorization and Sensitive Information Exposure via IDOR
Description The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated...
9.1CVSS
6.6AI Score
0.001EPSS
Adobe Media Encoder Memory Leak Vulnerability (APSB24-34) - Windows
Adobe Media Encoder is prone to a memory leak...
5.5CVSS
6.8AI Score
0.001EPSS
Vulnerability in program/lib/Roundcube/rcube_string_replacer.php component of RoundCube mail client Webmail exists due to failure to take measures to protect the structure of the web page. Exploitation of the vulnerability could allow a remote attacker to conduct a cross-site scripting (XSS)...
6.1CVSS
6.2AI Score
0.113EPSS
virt:kvm_utils1 security update
hivex libguestfs libguestfs-winsupport libiscsi libnbd libvirt [5.7.0-42] - Document CVEs as fixed (Karl Heubaum) {CVE-2023-2700} - Fix off-by-one error in udevListInterfacesByStatus (Martin Kletzander) [Orabug: 36364474] {CVE-2024-1441} - libvirt- : Check caller-provided buffers to be NULL with...
5.5CVSS
7.2AI Score
0.0004EPSS
Telerik Report Server Authentication Bypass / Remote Code Execution Exploit
This Metasploit module chains an authentication bypass vulnerability with a deserialization vulnerability to obtain remote code execution against Telerik Report Server versions 10.0.24.130 and below. The authentication bypass flaw allows an unauthenticated user to create a new user with...
9.9CVSS
8.3AI Score
0.938EPSS
9.9CVSS
7AI Score
0.938EPSS
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2008-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2008-1 advisory. The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. The following security bugs were...
9.8CVSS
8.8AI Score
EPSS
Summary There is a vulnerability in Java on z/OS used by IBM Maximo Asset Management application. Vulnerability Details ** CVEID: CVE-2024-3933 DESCRIPTION: **Eclipse Openj9 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to restrict access to a...
5.3CVSS
6.9AI Score
0.0004EPSS
Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components
Impact We have identified a Cross-Site Scripting (XSS) vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...
5.8AI Score
Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components
Impact We have identified a Cross-Site Scripting (XSS) vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...
5.8AI Score
Keycloak Denial of Service via account lockout
In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his...
7.1AI Score
Keycloak Denial of Service via account lockout
In any realm set with "User (Self) registration" a user that is registered with a username in email format can be "locked out" (denied from logging in) using his...
7.1AI Score
Keycloak's improper input validation allows using email as username
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before...
7AI Score
Keycloak's improper input validation allows using email as username
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before...
7AI Score
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
Summary By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click)....
7.1CVSS
7.1AI Score
0.001EPSS
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
Summary By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click)....
7.1CVSS
7.1AI Score
0.001EPSS
Telerik Report Server Auth Bypass and Deserialization RCE
This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new.....
9.9CVSS
10AI Score
0.938EPSS
Summary If Jazz Authentication Service is enabled, IBM Jazz Reporting System shows the JSA Client Secret in plain text. Vulnerability Details ** CVEID: CVE-2024-25052 DESCRIPTION: **IBM Jazz Reporting Service stores user credentials in plain clear text which can be read by an Admin user. CVSS...
4.4CVSS
6.3AI Score
0.0004EPSS
Lessons from the Snowflake Breaches
Last week, the notorious hacker gang, ShinyHunters, sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million users. This colossal breach, with a price tag of $500,000, could expose the personal information of a massive swath of a live event company's...
7.4AI Score
Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw
Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from Symantec. The security flaw in question is CVE-2024-26169 (CVSS score: 7.8), an...
7.8CVSS
7.1AI Score
0.001EPSS
The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...
6.5CVSS
7.2AI Score
0.0005EPSS
The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...
6.5CVSS
0.0005EPSS
The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
8.7AI Score
0.001EPSS
The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
0.001EPSS
The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
0.001EPSS
Critical Outlook RCE Vulnerability Exploits Preview Pane – Patch Now!
A critical vulnerability (CVE-2024-30103) in Microsoft Outlook allows attackers to execute malicious code simply by opening an email. This "zero-click" exploit doesn't require user interaction and poses a serious threat. Learn how this vulnerability works and how to stay...
8.8CVSS
7.5AI Score
0.001EPSS
New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers
Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE. "WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional...
7AI Score
Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability
Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024. Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month....
9.8CVSS
8.7AI Score
0.05EPSS
The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to...
6.4CVSS
0.001EPSS
The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to...
6.4CVSS
5.7AI Score
0.001EPSS
The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to...
6.4CVSS
0.001EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself sock_map proto callbacks should never call themselves by design. Protect against bugs like [1] and break out of the recursive loop to avoid a stack overflow in...
7.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix NULL dereference in nfs3svc_encode_getaclres In error cases the dentry may be NULL. Before 20798dfe249a, the encoder also checked dentry and d_really_is_positive(dentry), but that looks like overkill to me--zero status...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL deref in cifs_compose_mount_options() The optional @ref parameter might contain an NULL node_name, so prevent dereferencing it in cifs_compose_mount_options(). Addresses-Coverity: 1476408 ("Explicit null...
6.9AI Score
0.0004EPSS
openSUSE: Security Advisory for go1.22 (SUSE-SU-2024:1970-1)
The remote host is missing an update for...
9.8CVSS
7.1AI Score
0.001EPSS
Unbreakable Enterprise kernel security update
[5.15.0-207.156.6] - uek-container: Add advanced routing options (Boris Ostrovsky) [Orabug: 36691279] - slub: use count_partial_free_approx() in slab_out_of_memory() (Jianfeng Wang) [Orabug: 36655468] - slub: introduce count_partial_free_approx() (Jianfeng Wang) [Orabug: 36655468] - Revert...
6.5CVSS
7.8AI Score
EPSS
Description The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie....
9CVSS
7.3AI Score
0.0004EPSS
WooCommerce Dropshipping <= 5.0.4 - Missing Authorization to Unauthenticated Arbitrary Email Send
Description The WooCommerce Dropshipping Premium plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on a function in all versions up to, and including, 5.0.4. This makes it possible for unauthenticated attackers to send arbitrary...
5.3CVSS
6.8AI Score
0.0005EPSS
Securing Online Business Transactions: Essential Tools and Practices
Enhance your online transaction security with encryption, VPNs, and authentication. Understand threats, address vulnerabilities, and use secure payment gateways. Stay compliant with PCI DSS and regulatory standards to protect your business and build customer...
7.4AI Score
Creating Secure CRM Pipelines in Construction: Best Practices and Essential Strategies
Secure your construction company's CRM pipeline to protect client data and streamline operations. A specialized CRM enhances communication, reduces errors, and supports scalable growth with advanced security features and automation...
7.3AI Score
TellYouThePass Ransomware Exploits Critical PHP Flaw, Patch NOW
Urgent alert for PHP users: Update your server immediately to protect against the newly exploited CVE-2024-4577 by...
9.8CVSS
7AI Score
0.967EPSS
Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
Impact There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms. References CVE-2024-24790 Patches ...
9.8CVSS
6.6AI Score
0.001EPSS
Traefik has unexpected behavior with IPv4-mapped IPv6 addresses
Impact There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms. References CVE-2024-24790 Patches ...
9.8CVSS
7AI Score
0.001EPSS
Microsoft and Adobe Patch Tuesday, June 2024 Security Update Review
Microsoft's June Patch Tuesday is here, bringing fixes for vulnerabilities impacting its multiple products. This month's release highlights the ongoing battle against cybersecurity threats, from critical updates to important fixes. Let's dive into the crucial insights from Microsoft's Patch...
9.8CVSS
9.3AI Score
0.003EPSS