MyCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin Security Vulnerabilities

Insecure Direct Object Reference (IDOR)

jweiland/events2 is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to missing access checks in the management plugin, which allows an attacker to activate or delete events without...

CVE-2024-4900

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious...

CVE-2024-4899

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting...

CVE-2024-4900

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious...

CVE-2024-4899

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting...

CVE-2024-4899 SEOPress < 7.8 - Contributor+ Stored XSS

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting...

CVE-2024-4900 SEOPress < 7.8 - Contributor+ Open Redirect

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious...

Malicious code in @elza/auto-route-plugin (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (c0394416e392791c5f23be36b82f8800fa29bfd1381f8be67c7362338279c0d2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Oracle Linux 9 : libreswan (ELSA-2024-4050)

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-4050 advisory. [4.12-2.0.1.1] - Add libreswan-oracle.patch to detect Oracle Linux distro [4.12-2.1] - Fix CVE-2024-3652 (RHEL-40102) Tenable has extracted the preceding...

Amazon Linux 2 : qemu (ALAS-2024-2572)

The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2572 advisory. A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio- crypto), where the...

Amazon Linux 2 : golang (ALAS-2024-2576)

The version of golang installed on the remote host is prior to 1.22.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2576 advisory. The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip...

Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2024-643)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-643 advisory. In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets (CVE-2024-36905) In the Linux kernel, the following...

CentOS 9 : kernel-5.14.0-467.el9

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the kernel-5.14.0-467.el9 build changelog. In the Linux kernel, the following vulnerability has been resolved: efivarfs: force RO when remounting if SetVariable is not...

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2024-646)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-646 advisory. The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file...

Amazon Linux 2 : webkitgtk4 (ALAS-2024-2577)

The version of webkitgtk4 installed on the remote host is prior to 2.42.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2577 advisory. An injection issue was addressed with improved validation. This issue is fixed in Safari 17.4, macOS Sonoma 14.4,...

RHEL 8 : Red Hat OpenStack Platform 16.2 (RHSA-2024:4053)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:4053 advisory. Affected components: * python-yaql: a library that contains a large set of commonly used functions * openstack-tripleo-heat-templates: Heat...

Stable Channel Update for Desktop

The Stable channel has been updated to 126.0.6478.126/127 for Windows, Mac and 126.0.6478.126 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards Note: Access to bug details and links may be kept...

WooCommerce 8.8.0 - 8.9.2 - Reflected XSS

Description The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...

WooCommerce 8.8.0 - 8.9.2 - Reflected XSS

Description The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Hibernate vulnerability (USN-6845-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6845-1 advisory. It was discovered that Hibernate incorrectly handled certain inputs with unsanitized literals. If a user or an automated system were...

FreeBSD : emacs -- Arbitrary shell code evaluation vulnerability (4f6c4c07-3179-11ef-9da5-1c697a616631)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 4f6c4c07-3179-11ef-9da5-1c697a616631 advisory. GNU Emacs developers report: Emacs 29.4 is an emergency bugfix release intended to fix a security...

AlmaLinux 8 : python3.11 (ALSA-2024:4058)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:4058 advisory. * python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597) * python: The zipfile module is vulnerable to zip-bombs leading to denial of...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gnome-settings-daemon (SUSE-SU-2024:2168-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2168-1 advisory. - CVE-2024-38394: Fixed mismatches in interpreting USB authorization policy (bsc#1226423). Tenable has...

Amazon Linux 2 : booth (ALAS-2024-2575)

The version of booth installed on the remote host is prior to 1.0-8.ef769ef.git. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2575 advisory. A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(),...

Amazon Linux 2023 : ansible-core, ansible-test (ALAS2023-2024-644)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-644 advisory. Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, &gt;, or...

Amazon Linux 2 : php (ALASPHP8.1-2024-005)

The version of php installed on the remote host is prior to 8.1.29-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2PHP8.1-2024-005 advisory. The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default),...

Amazon Linux 2 : kernel (ALASKERNEL-5.4-2024-073)

The version of kernel installed on the remote host is prior to 5.4.149-73.259. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2024-073 advisory. A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a ...

WordPress 6.0 < 6.5.5

WordPress versions 6.0 &lt; 6.5.5 are affected by one or more...

Amazon Linux 2 : python-crypto (ALASANSIBLE2-2024-011)

It is, therefore, affected by a vulnerability as referenced in the ALAS2ANSIBLE2-2024-011 advisory. Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted...

AlmaLinux 9 : libreswan (ALSA-2024:4050)

The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2024:4050 advisory. * libreswan: IKEv1 default AH/ESP responder can crash and restart (CVE-2024-3652) Tenable has extracted the preceding description block directly from the AlmaLinux.....

Amazon Linux 2 : python3-jinja2 (ALAS-2024-2573)

The version of python3-jinja2 installed on the remote host is prior to 2.7.2-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2573 advisory. Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing...

Amazon Linux 2 : kernel (ALAS-2024-2581)

The version of kernel installed on the remote host is prior to 4.14.348-265.562. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2581 advisory. In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on...

Amazon Linux 2 : ecs-service-connect-agent (ALASECS-2024-037)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.29.5.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2024-037 advisory. Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling...

Oracle Linux 8 : python3.11 (ELSA-2024-4058)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-4058 advisory. - Security fixes for CVE-2023-6597 and CVE-2024-0450 Tenable has extracted the preceding description block directly from the Oracle Linux security...

Amazon Linux 2 : libndp (ALAS-2024-2571)

The version of libndp installed on the remote host is prior to 1.2-7. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2571 advisory. A vulnerability was found in libndp. A buffer overflow in NetworkManager that can be triggered by sending a malformed IPv6 router...

Fedora 40 : python-PyMySQL (2024-b26f07d27b)

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-b26f07d27b advisory. Update to 1.1.1 to fix CVE CVE-2024-36039 Tenable has extracted the preceding description block...

SUSE SLES12 Security Update : qpdf (SUSE-SU-2024:2173-1)

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2173-1 advisory. - CVE-2018-9918: Fixed mishandled 'expected dictionary key but found non-name object' cases that could have allowed attackers to cause a...

Amazon Linux 2 : python3-jinja2 (ALAS-2024-2582)

The version of python3-jinja2 installed on the remote host is prior to 2.7.2-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2582 advisory. In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. (CVE-2019-10906) Tenable has extracted the preceding.....

Amazon Linux AMI : kernel (ALAS-2024-1942)

The version of kernel installed on the remote host is prior to 4.14.348-187.562. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2024-1942 advisory. In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on...

Amazon Linux 2 : python-jinja2 (ALAS-2024-2574)

The version of python-jinja2 installed on the remote host is prior to 2.7.2-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2574 advisory. Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing...

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2024-647)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-647 advisory. Envoy is a cloud-native, open source edge and service proxy. A theoretical request smuggling vulnerability exists through Envoy if a server can be tricked into adding an upgrade header into...

SUSE SLES15 Security Update : gnome-settings-daemon (SUSE-SU-2024:2170-1)

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2170-1 advisory. - CVE-2024-38394: Fixed mismatches in interpreting USB authorization policy (bsc#1226423). Tenable has extracted the preceding description...

RHEL 9 : pki-core (RHSA-2024:4051)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:4051 advisory. The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System. Security Fix(es): * dogtag ca:...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : wget (SUSE-SU-2024:2174-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2174-1 advisory. - CVE-2024-38428: Fix mishandled semicolons in the userinfo subcomponent of a URI. (bsc#1226419) ...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : libarchive (SUSE-SU-2024:2171-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2171-1 advisory. - CVE-2024-20696: Fixed heap based out-of-bounds write (bsc#1225971). Tenable has extracted the...

Amazon Linux 2 : iperf3 (ALAS-2024-2579)

The version of iperf3 installed on the remote host is prior to 3.1.7-2. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2579 advisory. It is possible for a malicious or malfunctioning client to send lessthan the expected amount of data to the server. If this...

RHEL 8 : python3.11 (RHSA-2024:4058)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4058 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

Amazon Linux 2 : kernel (ALASKERNEL-5.10-2024-061)

The version of kernel installed on the remote host is prior to 5.10.201-191.748. It is, therefore, affected by a vulnerability as referenced in the ALAS2KERNEL-5.10-2024-061 advisory. In the Linux kernel, the following vulnerability has been resolved: tipc: Change nla_policy for bearer-related...

Amazon Linux AMI : tomcat8 (ALAS-2024-1941)

The version of tomcat8 installed on the remote host is prior to 8.5.99-1.97. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2024-1941 advisory. Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to...

RHEL 8 : Red Hat Certificate System 10.4 for RHEL 8 (RHSA-2024:4070)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:4070 advisory. Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key...