Tuesday, July 2, 2024 Security Releases
Summary The Node.js project will release new versions of the 22.x, 20.x, 18.x releases lines on or shortly after, Tuesday, July 2, 2024 in order to address: 1 high severity issues. 2 medium severity issues. 3 low severity issues. Node.js fetch will be upgraded to undici v6.19.2 on Node.js 18.x...
7AI Score
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...
6.1CVSS
EPSS
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied....
9.8CVSS
EPSS
The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access....
4.3CVSS
EPSS
The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...
6.4CVSS
EPSS
The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive...
7.5CVSS
EPSS
CVE-2024-5889 Events Manager <= 6.4.8 - Reflected Cross-Site Scripting
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...
6.1CVSS
6.4AI Score
EPSS
CVE-2024-5889 Events Manager <= 6.4.8 - Reflected Cross-Site Scripting
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...
6.1CVSS
EPSS
The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...
6.4CVSS
5.8AI Score
EPSS
The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...
6.4CVSS
EPSS
9.8CVSS
9.7AI Score
0.002EPSS
GHSA-2G68-C3QC-8985 vulnerabilities
Vulnerabilities for packages: py3.10-tensorflow-core, kubeflow-jupyter-web-app, py3-werkzeug, superset,...
7.5AI Score
GHSA-84PR-M4JR-85G5 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, py3-flask-cors,...
7.5AI Score
7.5AI Score
CVE-2024-34069 vulnerabilities
Vulnerabilities for packages: py3.10-tensorflow-core, kubeflow-jupyter-web-app, py3-werkzeug, superset,...
7.5CVSS
7.8AI Score
0.0004EPSS
Vulnerabilities for packages: py3.10-tensorflow-core, kubeflow-pipelines, py3-idna, kubeflow-jupyter-web-app, k8s-sidecar, jwt-tool, kubeflow-katib, az, ggshield, confluent-docker-utils, py3-cassandra-medusa, kubeflow-pipelines-visualization-server, kubeflow-volumes-web-app, datadog-agent,...
6.7AI Score
EPSS
GHSA-JJG7-2V4V-X38H vulnerabilities
Vulnerabilities for packages: py3.10-tensorflow-core, kubeflow-pipelines, py3-idna, kubeflow-jupyter-web-app, k8s-sidecar, jwt-tool, kubeflow-katib, az, ggshield, confluent-docker-utils, py3-cassandra-medusa, kubeflow-pipelines-visualization-server, kubeflow-volumes-web-app, datadog-agent,...
7.5AI Score
GHSA-H75V-3VVJ-5MFJ vulnerabilities
Vulnerabilities for packages: pytorch, py3-jinja2, kubeflow-jupyter-web-app, reflex, confluent-docker-utils, superset, kubeflow-volumes-web-app,...
7.5AI Score
GHSA-G4MX-Q9VG-27P4 vulnerabilities
Vulnerabilities for packages: kubeflow-jupyter-web-app, py3-tensorflow-serving-api, py3-urllib3, jwt-tool,...
7.5AI Score
CVE-2023-45803 vulnerabilities
Vulnerabilities for packages: kubeflow-jupyter-web-app, py3-tensorflow-serving-api, py3-urllib3, jwt-tool,...
4.2CVSS
7.1AI Score
0.0004EPSS
CVE-2024-34064 vulnerabilities
Vulnerabilities for packages: pytorch, py3-jinja2, kubeflow-jupyter-web-app, reflex, confluent-docker-utils, superset, kubeflow-volumes-web-app,...
5.4CVSS
6.1AI Score
0.0004EPSS
GHSA-9WX4-H78V-VM56 vulnerabilities
Vulnerabilities for packages: py3.10-tensorflow-core, kubeflow-pipelines, patroni, airflow, kubeflow-jupyter-web-app, k8s-sidecar, reflex, jwt-tool, kubeflow-katib, mlflow, az, ggshield, confluent-docker-utils, py3-cassandra-medusa, superset, kubeflow-volumes-web-app,...
7.5AI Score
CVE-2024-37891 vulnerabilities
Vulnerabilities for packages: kubeflow-pipelines, airflow, kubeflow-jupyter-web-app, k8s-sidecar, py3-urllib3, reflex, kubeflow-katib, mlflow, az, ggshield, confluent-docker-utils, py3-cassandra-medusa, superset, kubeflow-volumes-web-app,...
4.4CVSS
4.9AI Score
0.0004EPSS
Vulnerabilities for packages: kubeflow-volumes-web-app, py3-flask-cors,...
5.3CVSS
6AI Score
0.0004EPSS
GHSA-V845-JXX5-VC9F vulnerabilities
Vulnerabilities for packages: kubeflow-jupyter-web-app, k8s-sidecar, py3-urllib3, kube-downscaler, kubeflow-volumes-web-app,...
7.5AI Score
CVE-2023-43804 vulnerabilities
Vulnerabilities for packages: kubeflow-jupyter-web-app, k8s-sidecar, py3-urllib3, kube-downscaler, kubeflow-volumes-web-app,...
8.1CVSS
7.7AI Score
0.001EPSS
CVE-2023-46136 vulnerabilities
Vulnerabilities for packages: airflow, kubeflow-jupyter-web-app, py3-tensorflow-serving-api, py3-werkzeug,...
8CVSS
7.9AI Score
0.001EPSS
GHSA-HRFV-MQP8-Q5RW vulnerabilities
Vulnerabilities for packages: airflow, kubeflow-jupyter-web-app, py3-tensorflow-serving-api, py3-werkzeug,...
7.5AI Score
GHSA-34JH-P97F-MPXF vulnerabilities
Vulnerabilities for packages: kubeflow-pipelines, airflow, kubeflow-jupyter-web-app, k8s-sidecar, py3-urllib3, reflex, kubeflow-katib, mlflow, az, ggshield, confluent-docker-utils, py3-cassandra-medusa, superset, kubeflow-volumes-web-app,...
7.5AI Score
CVE-2024-35195 vulnerabilities
Vulnerabilities for packages: py3.10-tensorflow-core, kubeflow-pipelines, patroni, airflow, kubeflow-jupyter-web-app, k8s-sidecar, reflex, jwt-tool, kubeflow-katib, mlflow, az, ggshield, confluent-docker-utils, py3-cassandra-medusa, superset, kubeflow-volumes-web-app,...
5.6CVSS
6.2AI Score
0.0004EPSS
The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to...
6.1CVSS
EPSS
The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to...
6.1CVSS
6AI Score
EPSS
CVE-2024-6405 Floating Social Buttons <= 1.5 - Cross-Site Request Forgery
The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to...
6.1CVSS
EPSS
Polyfill.io Supply Chain Attack
The polyfill.js is a popular open-source library that supports older browsers. Thousands of sites embed it using the cdn[.]polyfill[.]io domain. In February 2024, a Chinese company (Funnull) bought the domain and the GitHub account. The company has modified Polyfill.js so malicious code would be...
7.7AI Score
bartlettltd.co.uk Cross Site Scripting vulnerability OBB-3939500
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.2AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be...
7AI Score
9.8CVSS
9.6AI Score
0.038EPSS
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length...
6.7AI Score
EPSS
Summary A cross-site request forgery vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details ** CVEID: CVE-2024-31902 DESCRIPTION: **IBM InfoSphere Information Server is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and.....
6.4AI Score
EPSS