MiniOrange's Google Authenticator Security Vulnerabilities

osv

CGA-jhcr-g7wj-9vq2

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-pcxv-43r4-92mm

Bulletin has no...

6.1CVSS

6.8AI Score

0.0005EPSS

2024-06-24 02:34 PM
1
osv

CGA-9c85-rg9h-4w8m

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
1
osv

CGA-f35m-rxrc-jf4f

Bulletin has no...

7.5CVSS

6.8AI Score

0.0005EPSS

2024-06-24 02:34 PM
osv

CGA-hxgx-rg66-hvqr

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-w76m-mrwf-j7rf

Bulletin has no...

3.1CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-x56p-7vj3-wq3q

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-rmv6-gv8r-23fq

Bulletin has no...

6.1CVSS

6.8AI Score

0.0005EPSS

2024-06-24 02:34 PM
osv

CGA-jmr7-jr2v-rjcq

Bulletin has no...

2.6CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-4m9j-264v-7mr3

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-gvhx-fgcw-f546

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
1
osv

CGA-25vp-ggq8-49x6

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
2
osv

CGA-cp3f-8rch-xvmv

Bulletin has no...

3.1CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-34mp-wg56-2ph9

Bulletin has no...

7.5CVSS

6.8AI Score

0.0005EPSS

2024-06-24 02:34 PM
osv

CGA-g7w9-f9fj-j6gv

Bulletin has no...

5.4CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-3xf3-vx56-c5h8

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-f9x4-gc5p-g8jr

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

CGA-cq5p-922f-8wjg

Bulletin has no...

9.8CVSS

6.8AI Score

0.001EPSS

2024-06-24 02:34 PM
osv

CGA-28fj-7rmv-xw55

Bulletin has no...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 02:34 PM
osv

Malicious code in kami-richtext (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (9634fe3bee06c80f43ca27ad558c4834386dc1bb31779583c7911b679f550bff) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2024-06-24 11:50 AM
osv

cups vulnerability

Rory McNamara discovered that when starting the cupsd server with a Listen configuration item, the cupsd process fails to validate if bind call passed. An attacker could possibly trick cupsd to perform an arbitrary chmod of the provided argument, providing world-writable access to the...

4.4CVSS

7.2AI Score

0.0004EPSS

2024-06-24 10:11 AM
osv

libhibernate3-java vulnerability

It was discovered that Hibernate incorrectly handled certain inputs with unsanitized literals. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive...

7.4CVSS

7.3AI Score

0.004EPSS

2024-06-24 10:08 AM
2
osv

CGA-gwpm-7fhq-3wh2

Bulletin has no...

4.4CVSS

4.5AI Score

0.0004EPSS

2024-06-24 10:04 AM
osv

Cross site scripting in Apache JSPWiki

XSS in Upload page in Apache JSPWiki 2.12.1 and prior allows the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or...

6.1AI Score

0.0004EPSS

2024-06-24 09:30 AM
osv

Improper line feed handling in zenml

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 09:30 AM
osv

CGA-66p9-3frq-6mmw

Bulletin has no...

2.7CVSS

3.6AI Score

0.0004EPSS

2024-06-24 09:04 AM
1
osv

CVE-2024-4460

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 07:15 AM
osv

Malicious code in @elza/keepalive (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (36898e173038cb4c2df4e969d539b9594821fc6f2c6b1c8750d717d5f637eea4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2024-06-24 01:57 AM
osv

Malicious code in @elza/auto-route-plugin (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (c0394416e392791c5f23be36b82f8800fa29bfd1381f8be67c7362338279c0d2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2024-06-24 01:57 AM
osv

Remote Code Execution in create_conda_env function in lollms

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and...

6.8CVSS

8.2AI Score

0.0004EPSS

2024-06-24 12:34 AM
1
osv

composer - regression update

Bulletin has no...

7.2AI Score

2024-06-24 12:00 AM
chrome

Stable Channel Update for Desktop

The Stable channel has been updated to 126.0.6478.126/127 for Windows, Mac and 126.0.6478.126 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards Note: Access to bug details and links may be kept...

7.4AI Score

0.0004EPSS

2024-06-24 12:00 AM
21
nessus

Google Chrome < 126.0.6478.126 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 126.0.6478.126. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop_24 advisory. Use after free in Dawn. (CVE-2024-6290, CVE-2024-6292, CVE-2024-6293) ...

7AI Score

0.0004EPSS

2024-06-24 12:00 AM
5
nessus

Google Chrome < 126.0.6478.126 Multiple Vulnerabilities

The version of Google Chrome installed on the remote Windows host is prior to 126.0.6478.126. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop_24 advisory. Use after free in Dawn. (CVE-2024-6290, CVE-2024-6292, CVE-2024-6293) ...

6.9AI Score

0.0004EPSS

2024-06-24 12:00 AM
5
osv

Important: python3.11 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security...

7.8CVSS

6.7AI Score

0.0005EPSS

2024-06-24 12:00 AM
osv

Malicious code in govgen-governance (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (f3c3227cdc330d6755ef62c0fe1cdd3a59c6d22c31cf37af347ef213050680b9) The OpenSSF Package Analysis project identified 'govgen-governance' @ 2.2.1 (npm) as malicious. It is considered malicious because: The package...

7.3AI Score

2024-06-23 05:02 PM
4
osv

Malicious code in @amops/fetch (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (d9eb323a3c294832e925d2ed472560ab37507fc32711add225d99db97b08bc74) The OpenSSF Package Analysis project identified '@amops/fetch' @ 1.4.1 (npm) as malicious. It is considered malicious because: The package...

7.1AI Score

2024-06-23 02:28 PM
3
osv

Moderate: libreswan security update

Libreswan is an implementation of IPsec and IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks such as virtual private network (VPN).....

7AI Score

0.0004EPSS

2024-06-23 12:00 AM
1
osv

Remote Code Execution via path traversal bypass in lollms

CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the ExtensionBuilder().build_extension() function. The vulnerability arises from the /mount_extension endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory...

9.8CVSS

9.7AI Score

0.0004EPSS

2024-06-22 06:30 PM
osv

CVE-2024-5443

CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the ExtensionBuilder().build_extension() function. The vulnerability arises from the /mount_extension endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory...

9.8CVSS

7.6AI Score

0.0004EPSS

2024-06-22 05:15 PM
1
thn

Warning: New Adware Campaign Targets Meta Quest App Seekers

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust. "The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes,"...

7.1AI Score

2024-06-22 11:03 AM
17
osv

Malicious code in openstad-component-forms (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (ce99b034a6f67b0bd613755012e00352d254a5b438c7d65a687a2e2e2458cd7e) The OpenSSF Package Analysis project identified 'openstad-component-forms' @ 1.0.0 (npm) as malicious. It is considered malicious because: The...

7.1AI Score

2024-06-22 10:19 AM
2
osv

Open redirect in gradio

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others....

5.4CVSS

6.5AI Score

0.001EPSS

2024-06-22 06:30 AM
osv

Arbitrary File Creation in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

7.2CVSS

7.2AI Score

0.0005EPSS

2024-06-22 06:30 AM
osv

Zip slip in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2CVSS

6.9AI Score

0.001EPSS

2024-06-22 06:30 AM
osv

SQL injection in opencart

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

8.1CVSS

8.8AI Score

0.001EPSS

2024-06-22 06:30 AM
1
osv

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login...

4.7CVSS

5AI Score

0.0005EPSS

2024-06-22 06:30 AM
1
osv

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.7CVSS

5AI Score

0.0005EPSS

2024-06-22 06:30 AM
osv

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

6.1AI Score

0.0005EPSS

2024-06-22 06:30 AM
osv

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

6AI Score

0.0005EPSS

2024-06-22 05:15 AM
Total number of security vulnerabilities: 258819