
Got2000 Series; Got Simple Series; Gt Softgot2000; Tension Controller Security Vulnerabilities

wolfi

GHSA-M425-MQ94-257G vulnerabilities

Vulnerabilities for packages: pulumi-language-dotnet, kubescape, dex, terraform, weaviate, cilium-envoy, oauth2-proxy, pulumi-language-java, dynamic-localpv-provisioner, gitlab-pages, keda, aactl, flux-notification-controller, mc, gatekeeper, kubeflow-katib, kubernetes-csi-livenessprobe,...

7.5 AI Score

2024-06-30 03:33 PM
98
wolfi

CVE-2024-29902 vulnerabilities

Vulnerabilities for packages: kubescape, wolfictl, zot, vexctl, aactl, apko, slsa-verifier, goreleaser, neuvector-sigstore-interface, spire-server, falco, gitsign, tekton-chains, ko, zarf, skaffold, tkn, policy-controller, flux-source-controller, melange,...

4.2 CVSS

4.5 AI Score

0.0004 EPSS

2024-06-30 03:33 PM
10
wolfi

GHSA-45X7-PX36-X8W8 vulnerabilities

Vulnerabilities for packages: tigera-operator, caddy, dex, oauth2-proxy, loki, vexctl, aactl, gatekeeper, libssh, cortex, slsa-verifier, git-lfs, step, istio-operator, istio-cni, argo-cd, goreleaser, kube-rbac-proxy, traefik, cloudflared, falco, vault, spark-operator, cosign, nats,...

7.5 AI Score

2024-06-30 03:33 PM
48
wolfi

GHSA-QPPJ-FM5R-HXR3 vulnerabilities

Vulnerabilities for packages: dex, dotnet, cilium-envoy, oauth2-proxy, tomcat, aactl, gatekeeper, nghttp2, cortex, slsa-verifier, git-lfs, argo-cd, goreleaser, gke-gcloud-auth-plugin, traefik, falco, spark-operator, cosign, nats, kubernetes-csi-node-driver-registrar, prometheus-blackbox-exporter,...

7.5 AI Score

2024-06-30 03:33 PM
26
wolfi

CVE-2024-24783 vulnerabilities

Vulnerabilities for packages: litefs, tigera-operator, kubernetes-dashboard-metrics-scraper, chartmuseum, caddy, dex, aws-ebs-csi-driver, kustomize, nri-apache, loki, vexctl, gatekeeper, speedtest-go, cortex, slsa-verifier, yam, cri-tools, nri-discovery-kubernetes, argo-cd, nri-memcached,...

7.8 AI Score

0.0004 EPSS

2024-06-30 03:33 PM
20
wolfi

GHSA-32CH-6X54-Q4H9 vulnerabilities

Vulnerabilities for packages: litefs, tigera-operator, kubernetes-dashboard-metrics-scraper, chartmuseum, caddy, dex, aws-ebs-csi-driver, kustomize, nri-apache, loki, vexctl, gatekeeper, speedtest-go, cortex, slsa-verifier, yam, cri-tools, nri-discovery-kubernetes, argo-cd, nri-memcached,...

7.5 AI Score

2024-06-30 03:33 PM
25
wolfi

CVE-2024-24785 vulnerabilities

Vulnerabilities for packages: litefs, tigera-operator, kubernetes-dashboard-metrics-scraper, chartmuseum, caddy, dex, aws-ebs-csi-driver, kustomize, nri-apache, loki, vexctl, gatekeeper, speedtest-go, cortex, slsa-verifier, yam, cri-tools, nri-discovery-kubernetes, argo-cd, nri-memcached,...

7.8 AI Score

0.0004 EPSS

2024-06-30 03:33 PM
22
wolfi

GHSA-MW99-9CHC-XW7R vulnerabilities

Vulnerabilities for packages: pulumi-language-dotnet, zot, pulumi-language-java, tekton-pipelines, apko, argo-cd, flux-kustomize-controller, pulumi-language-yaml, goreleaser, src-fingerprint, gitsign, gitness, go-licenses, pulumi, scorecard, kubevela, bom, nuclei, gomplate, kots,...

7.5 AI Score

2024-06-30 03:33 PM
16
wolfi

GHSA-V53G-5GJP-272R vulnerabilities

Vulnerabilities for packages: eksctl, helm-operator, cert-manager, k8sgpt, chartmuseum, k9s, istio-operator, kubescape, helm-push, zot, cilium-cli, trivy, kots, flux-helm-controller, flux-source-controller, zarf,...

7.5 AI Score

2024-06-30 03:33 PM
10
wolfi

CVE-2023-29402 vulnerabilities

Vulnerabilities for packages: policy-controller, falco,...

9.8 CVSS

9.9 AI Score

0.005 EPSS

2024-06-30 03:33 PM
7
wolfi

CVE-2023-29404 vulnerabilities

Vulnerabilities for packages: policy-controller, falco,...

9.8 CVSS

9.9 AI Score

0.005 EPSS

2024-06-30 03:33 PM
17
wolfi

GHSA-68G3-2P3G-W9PQ vulnerabilities

Vulnerabilities for packages: policy-controller, falco,...

7.5 AI Score

2024-06-30 03:33 PM
6
wolfi

CVE-2024-24788 vulnerabilities

Vulnerabilities for packages: litefs, tigera-operator, kubernetes-dashboard-metrics-scraper, grafana-agent-operator, chartmuseum, caddy, go, hcloud, dex, aws-ebs-csi-driver, oauth2-proxy, kustomize, loki, aactl, cortex, cri-tools, git-lfs, step, istio-operator, flannel, sonobuoy,...

6.5 AI Score

0.0004 EPSS

2024-06-30 03:33 PM
19
wolfi

GHSA-236W-P7WF-5PH8 vulnerabilities

Vulnerabilities for packages: kubernetes-dashboard-metrics-scraper, chartmuseum, caddy, go, aactl, gatekeeper, cri-tools, flannel, istio-cni, nri-memcached, bazelisk, local-static-provisioner, cloudflared, configmap-reload, newrelic-infra-operator, dagger, vcluster, go-md2man,...

7.5 AI Score

2024-06-30 03:33 PM
4
wolfi

GHSA-XW73-RW38-6VJC vulnerabilities

Vulnerabilities for packages: helm-operator, gitlab-runner, k3s, kubescape, zot, loki, tekton-pipelines, aactl, vexctl, docker-credential-gcr, kubeflow-katib, slsa-verifier, cri-tools, argo-workflows, kargo, goreleaser, nerdctl, ctop, datadog-agent, telegraf, flux-helm-controller, helm, timoni,...

7.5 AI Score

2024-06-30 03:33 PM
10
wolfi

CVE-2023-45290 vulnerabilities

Vulnerabilities for packages: litefs, tigera-operator, kubernetes-dashboard-metrics-scraper, chartmuseum, caddy, dex, aws-ebs-csi-driver, kustomize, nri-apache, loki, vexctl, gatekeeper, speedtest-go, cortex, slsa-verifier, yam, cri-tools, nri-discovery-kubernetes, argo-cd, nri-memcached,...

6 AI Score

0.0004 EPSS

2024-06-30 03:33 PM
20
wolfi

CVE-2023-49568 vulnerabilities

Vulnerabilities for packages: pulumi-language-dotnet, zot, pulumi-language-java, tekton-pipelines, apko, argo-cd, flux-kustomize-controller, pulumi-language-yaml, goreleaser, src-fingerprint, gitsign, gitness, go-licenses, pulumi, scorecard, kubevela, bom, nuclei, gomplate, kots,...

7.5 CVSS

7.8 AI Score

0.0005 EPSS

2024-06-30 03:33 PM
29
wolfi

GHSA-XR7R-F8XQ-VFVV vulnerabilities

Vulnerabilities for packages: ingress-nginx-controller, k3s, kubescape, wolfictl, zot, docker, nvidia-device-plugin, nerdctl, telegraf, datadog-agent, ctop, k3d, cadvisor, buildkitd, syft, trivy, skopeo, zarf, grype, skaffold, newrelic-infrastructure-agent, runc, kubernetes, kots, k9s,...

7.5 AI Score

2024-06-30 03:33 PM
15
cve

CVE-2024-25943

iDRAC9, versions prior to 7.00.00.172 for 14th Generation and 7.10.50.00 for 15th and 16th Generations, contains a session hijacking vulnerability in IPMI. A remote attacker could potentially exploit this vulnerability, leading to arbitrary code execution on the vulnerable...

7.6 CVSS

7.7 AI Score

0.0004 EPSS

2024-06-29 01:15 PM
6
rapid7blog

Metasploit Weekly Wrap-Up 06/28/2024

Unauthenticated Command Injection in Netis Router This week's Metasploit release includes an exploit module for an unauthenticated command injection vulnerability in the Netis MW5360 router which is being tracked as CVE-2024-22729. The vulnerability stems from improper handling of the password...

9.8 CVSS

9 AI Score

0.005 EPSS

2024-06-28 08:36 PM
2
githubexploit

Exploit for SQL Injection in Progress Moveit Cloud

CVE-2023-34362: MOVEit Transfer Unauthenticated RCE For a...

9.8 CVSS

7.3 AI Score

0.969 EPSS

2024-06-28 05:13 PM
45
githubexploit

Exploit for SQL Injection in Progress Moveit Cloud

CVE-2023-34362: MOVEit Transfer Unauthenticated RCE For a...

9.8 CVSS

9.8 AI Score

0.969 EPSS

2024-06-28 05:13 PM
40
githubexploit

Exploit for CVE-2024-34102

🇮🇱 #BringThemHome...

9.8 CVSS

7.4 AI Score

0.038 EPSS

2024-06-28 02:50 PM
50
pentestpartners

Glastonbury ticket hijack vulnerability fixed

The Glastonbury ticket website was vulnerable to a relatively simple attack that allowed ticket theft and data leakage. What's the issue? An attacker could scrape collaborative ticket buying websites (e.g. Reddit) to gather people's details, use a flaw in the registration process and session...

6.8 AI Score

2024-06-28 12:31 PM
2
thn

Combatting the Evolving SaaS Kill Chain: How to Stay Ahead of Threat Actors

The modern kill chain is eluding enterprises because they aren't protecting the infrastructure of modern business: SaaS. SaaS continues to dominate software adoption, and it accounts for the greatest share of public cloud spending. But enterprises and SMBs alike haven't revised their security...

7.4 AI Score

2024-06-28 11:00 AM
14
thn

New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study...

7.4 AI Score

2024-06-28 09:59 AM
10
nvd

CVE-2024-2795

The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected...

5.3 CVSS

0.0005 EPSS

2024-06-28 07:15 AM
cve

CVE-2024-2795

The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected...

5.3 CVSS

5.2 AI Score

0.0005 EPSS

2024-06-28 07:15 AM
11
cvelist

CVE-2024-2795 SEO SIMPLE PACK <= 3.2.1 - Information Exposure

The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected...

5.3 CVSS

0.0005 EPSS

2024-06-28 06:57 AM
2
cve

CVE-2024-5729

The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

5.8 AI Score

0.0004 EPSS

2024-06-28 06:15 AM
14
nvd

CVE-2024-5570

The Simple Photoswipe WordPress plugin through 0.1 does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update...

0.0004 EPSS

2024-06-28 06:15 AM
cve

CVE-2024-5570

The Simple Photoswipe WordPress plugin through 0.1 does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update...

6.3 AI Score

0.0004 EPSS

2024-06-28 06:15 AM
10
nvd

CVE-2024-5729

The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

0.0004 EPSS

2024-06-28 06:15 AM
cvelist

CVE-2024-5729 Simple AL Slider <= 1.2.10 - Reflected XSS

The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

0.0004 EPSS

2024-06-28 06:00 AM
2
cvelist

CVE-2024-5570 Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update

The Simple Photoswipe WordPress plugin through 0.1 does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update...

0.0004 EPSS

2024-06-28 06:00 AM
1
nessus

EulerOS 2.0 SP12 : kernel (EulerOS-SA-2024-1859)

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init When the...

8 CVSS

8.1 AI Score

0.0004 EPSS

2024-06-28 12:00 AM
trendmicroblog

AI Pulse: Siri Says Hi to OpenAI, Deepfake Olympics & more

AI Pulse is a new blog series from Trend Micro on the latest cybersecurity AI news. In this edition: Siri says hi to OpenAI, fraud hogs the AI cybercrime spotlight, and why the Paris Olympics could be a hotbed of...

7.2 AI Score

2024-06-28 12:00 AM
f5

K000140188: PostgreSQL vulnerability CVE-2024-0985

Security Advisory Description Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of...

8 CVSS

8.1 AI Score

0.001 EPSS

2024-06-28 12:00 AM
2
nessus

EulerOS 2.0 SP12 : shim (EulerOS-SA-2024-1862)

According to the versions of the shim packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications...

6.5 CVSS

6.5 AI Score

0.003 EPSS

2024-06-28 12:00 AM
2
nessus

EulerOS 2.0 SP12 : kernel (EulerOS-SA-2024-1873)

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init When the...

8 CVSS

8.3 AI Score

0.0004 EPSS

2024-06-28 12:00 AM
1
nessus

EulerOS 2.0 SP12 : shim (EulerOS-SA-2024-1876)

According to the versions of the shim package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications...

6.5 CVSS

6.5 AI Score

0.003 EPSS

2024-06-28 12:00 AM
1
f5

K000140189: Linux kernel vulnerability CVE-2021-47572

Security Advisory Description In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix null pointer dereference when IPv6 is not enabled When we try to add an IPv6 nexthop and IPv6 is not enabled (!CONFIG_IPV6) we'll hit a NULL pointer dereference[1] in the error path...

5.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-06-28 12:00 AM
ibm

Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Summary There are vulnerabilities in IBM® Java™ Version 8 and IBM WebSphere Application Server Liberty used by IBM Cognos Analytics. IBM Cognos Analytics has addressed these vulnerabilities by upgrading IBM® Java™ and IBM WebSphere Application Server Liberty. There are vulnerabilities in...

10 CVSS

10 AI Score

EPSS

2024-06-27 10:37 PM
2
wordfence

An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack

On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin (see post Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins). After adding the malicious code to our...

7.8 AI Score

2024-06-27 07:38 PM
6
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 17, 2024 to June 23, 2024)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $10,400 for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

10 CVSS

9.7 AI Score

EPSS

2024-06-27 03:00 PM
6
malwarebytes

'Poseidon' Mac stealer distributed via Google ads

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows...

6.5 AI Score

2024-06-27 01:00 PM
6
thn

How to Use Python to Build Secure Blockchain Applications

Did you know it's now possible to build blockchain applications, known also as decentralized applications (or "dApps" for short) in native Python? Blockchain development has traditionally required learning specialized languages, creating a barrier for many developers… until now. AlgoKit, an...

6.9 AI Score

2024-06-27 09:30 AM
12
msrc

Toward greater transparency: Unveiling Cloud Service CVEs

Welcome to the second installment in our series on transparency at the Microsoft Security Response Center (MSRC). In this ongoing discussion, we discuss our commitment to provide comprehensive vulnerability information to our customers. At MSRC, our mission is to protect our customers,...

7 AI Score

2024-06-27 07:00 AM
4
redhatcve

CVE-2024-39459

A vulnerability was found in the Jenkins Plain Credentials Plugin, which stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system. Users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission...

6.3 AI Score

0.0004 EPSS

2024-06-27 04:23 AM
2
googleprojectzero

The Windows Registry Adventure #3: Learning resources

Posted by Mateusz Jurczyk, Google Project Zero When tackling a new vulnerability research target, especially a closed-source one, I prioritize gathering as much information about it as possible. This gets especially interesting when it's a subsystem as old and fundamental as the Windows registry...

5.5 CVSS

6.7 AI Score

0.001 EPSS

2024-06-27 12:00 AM
1

Total number of security vulnerabilities: 146253