Analysis of user password strength
The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of...
6.9AI Score
The Annual SaaS Security Report: 2025 CISO Plans and Priorities
Seventy percent of enterprises are prioritizing investment in SaaS security by establishing dedicated teams to secure SaaS applications, as part of a growing trend of maturity in this field of cybersecurity, according to a new survey released this month by the Cloud Security Alliance (CSA)....
7.2AI Score
Malicious code in resolve-uri-latest (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6184d59fa1e765738b50981a8e7094d0744e987e5eadeaeebd3747d036edd22a) The OpenSSF Package Analysis project identified 'resolve-uri-latest' @ 9.999.0 (npm) as malicious. It is considered malicious because: The...
7.3AI Score
CVE-2024-5899 Improper trust check in Bazel Build intellij plugin
When Bazel Plugin in intellij imports a project (either using "import project" or "Auto import") the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance().createProject. This...
7.1AI Score
0.0004EPSS
CVE-2024-5899 Improper trust check in Bazel Build intellij plugin
When Bazel Plugin in intellij imports a project (either using "import project" or "Auto import") the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance().createProject. This...
0.0004EPSS
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana...
6.1CVSS
6.2AI Score
0.001EPSS
DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC...
3.1CVSS
6.3AI Score
0.0004EPSS
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana...
6.1CVSS
6.2AI Score
0.001EPSS
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow. Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.This issue affects Apache...
6.1AI Score
0.0004EPSS
Malicious code in vivid_framework (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (2010f8d2281230e81c4e7549be2af22ce8a41d11b5ae8d1920eb69b3aece581b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in rb-fare-breakup (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (25a5d54730dc9f0fde2c00fc22012602258fa2002141d77e8c09f61347a82e33) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in rb-info-banner (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (795c3e45bb638b1058118c99f65db4e6f84244a2af7acbb4d6bd09a19b94dca6) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in rb-accordion (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (435bf9e58c9f11fe55f80f865ec1f291beee55aaaf1ff78d0235dbf93b35202f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in rb-payment-input (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (57a9b44fcc5ba82938a7860faa1d7e0200a5e40758a5976f2b6970f4d24a21f0) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in mediaa (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (51b2ce3294e1295bc15a9a9967ceaa66afaddf19884a6ca9ad9fdf2c28bc2526) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in desainlgo (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (6816a9ebbf76b673c2d99001909e8619eafde9886f10ecd02fada3b816e86908) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in stylee-logo (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (b57b986ab11403a14ac18370067dd40fc0a3deca0e7580b55605078ea441e720) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in logooo (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (f609b1731a83d9360a1399bb75931accaed83e36b964fd2778b16388a9ddd520) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in logo-stylee (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (d393decd83d9e9777b1412a8994e72ccb1fdccc3a8157a431f4e72fe8553e717) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in imagezz (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (99e6c0c1f9b6bc126d4f60e6fd0d83e2bdebb10bb44f0dd42b05f34923935e0e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Malicious code in detailimg (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (958f4802417b38ff187c6ffabc2a2c4d67c00b02a96c531501b5d899b5e70232) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Moderate: container-tools:rhel8 bug fix and enhancement update
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fix(es): podman: jose-go: improper handling of highly compressed data (CVE-2024-28180) buildah: jose-go: improper handling of highly compressed data (CVE-2024-28180) podman:...
4.9CVSS
4.8AI Score
0.0005EPSS
6.7AI Score
0.0004EPSS
This Week in Spring - June 18th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! I've just come from Paris, France, and now I'm in equally beautiful Krakow, Poland, for the amazing Devoxx PL event. We've got a ton of good stuff to dive into, so let's get going! In last week's installment of Spring Tips, I.....
7.3AI Score
KLA68998 Multiple vulnerabilities in Google Chrome
Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service. Below is a complete list of vulnerabilities: Use after free vulnerability in Dawn can be exploited to cause denial of service or execute...
8.8CVSS
9.6AI Score
0.001EPSS
Google Chrome < 126.0.6478.114 Multiple Vulnerabilities
The version of Google Chrome installed on the remote Windows host is prior to 126.0.6478.114. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop_18 advisory. Type Confusion in V8. (CVE-2024-6100) Inappropriate implementation in...
8.8CVSS
9.4AI Score
0.001EPSS
8.8CVSS
6.7AI Score
0.0004EPSS
Stable Channel Update for Desktop
The Stable channel has been updated to 126.0.6478.114/115 for Windows, Mac and 126.0.6478.114 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards Note: Access to bug details and links may be kept...
8.8CVSS
7.5AI Score
0.001EPSS
Google Chrome < 126.0.6478.114 Multiple Vulnerabilities
The version of Google Chrome installed on the remote macOS host is prior to 126.0.6478.114. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop_18 advisory. Type Confusion in V8. (CVE-2024-6100) Inappropriate implementation in...
8.8CVSS
9.3AI Score
0.001EPSS
Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec
Impact This issue is only relevant to clusters provisioned using RKE1 with secrets encryption configuration enabled. A vulnerability has been identified in which an RKE1 cluster keeps constantly reconciling when secrets encryption configuration is enabled (please see the RKE documentation). When...
6.1AI Score
EPSS
Rancher's External RoleTemplates can lead to privilege escalation
Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...
6.2AI Score
EPSS
rke's credentials are stored in the RKE1 Cluster state ConfigMap
Impact When RKE provisions a cluster, it stores the cluster state in a configmap called full-cluster-state inside the kube-system namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include the following sensitive data: ...
6AI Score
EPSS
Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider (AP). This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave...
6.5AI Score
EPSS
Summary If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. Details The attack process is described above. PoC Frontend: 1. Pass basic.....
5.7CVSS
6.9AI Score
0.0004EPSS
Firefly III has a MFA bypass in oauth flow
Impact A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an...
5.9CVSS
7.2AI Score
0.0004EPSS
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it...
4.4CVSS
7AI Score
0.0004EPSS
STRIMZI incorrect access control
Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially...
6.8AI Score
0.0004EPSS
LNbits improperly handles potential network and payment failures when using Eclair backend
Summary Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight. Details Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s....
8.1CVSS
6.7AI Score
0.0004EPSS
DeepJavaLibrary API absolute path traversal
Summary DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0. Impacted versions:...
10CVSS
6.7AI Score
0.0004EPSS
A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been classified as problematic. This affects the function m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component MP4Box. The manipulation leads to null pointer dereference. An attack has to be approached...
3.3CVSS
6.8AI Score
0.0004EPSS
A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master. It has been declared as problematic. This vulnerability affects the function xmt_node_end of the file src/scene_manager/loader_xmt.c of the component MP4Box. The manipulation leads to use after free. Local access is required to...
5.3CVSS
6.8AI Score
0.0004EPSS
Malvertising Campaign Leads to Execution of Oyster Backdoor
The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev. Executive Summary Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and.....
7.3AI Score
A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this issue is the function swf_svg_add_iso_sample of the file src/filters/load_text.c of the component MP4Box. The manipulation leads to null pointer dereference. The attack needs to be...
3.3CVSS
6.8AI Score
0.0004EPSS
Gin-vue-admin is a backstage management system based on vue and gin. Gin-vue-admin <= v2.6.5 has SQL injection vulnerability. The SQL injection vulnerabilities occur when a web application allows users to input data into SQL queries without sufficiently validating or sanitizing the input. Failin...
8.8CVSS
7.9AI Score
0.0004EPSS
A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master and classified as problematic. Affected by this vulnerability is the function isoffin_process of the file src/filters/isoffin_read.c of the component MP4Box. The manipulation leads to infinite loop. It is possible to launch...
3.3CVSS
6.7AI Score
0.0004EPSS
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in [email protected] (e55e510) and backported to [email protected] (22c2876), [email protected] (eeb76d3), and...
7.5CVSS
7.4AI Score
0.0004EPSS
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it's possible to...
4.4CVSS
4.6AI Score
0.0004EPSS
ws affected by a DoS when handling a request with many HTTP headers
Impact A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server. Proof of concept ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars =...
7.5CVSS
6.5AI Score
0.0004EPSS
6.8AI Score
0.0004EPSS
Object Resolver Prototype Pollution
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via...
6.7AI Score
0.0004EPSS