Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to....
5CVSS
5.1AI Score
0.0004EPSS
Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to....
5CVSS
7.4AI Score
0.0004EPSS
CVE-2023-5122 SSRF in CSV Datasource Plugin
Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to....
5CVSS
5.4AI Score
0.0004EPSS
Update now! Microsoft fixes two zero-days on February Patch Tuesday
Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild. The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security...
9.8CVSS
8.5AI Score
0.006EPSS
CVE-2023-47218: QNAP QTS and QuTS Hero Unauthenticated Command Injection (FIXED)
Rapid7 has identified an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry- and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for...
5.8CVSS
8.5AI Score
0.003EPSS
Unbreakable Enterprise kernel security update
[5.15.0-203.146.5.1] - Revert 'selftests/bpf: Test tail call counting with bpf2bpf and data on stack' (Samasth Norway Ananda) [Orabug: 36277693] - Revert 'tcp: fix excessive TLP and RACK timeouts from HZ rounding' (Sherry Yang) [Orabug: 36277684] [5.15.0-203.146.5] - i2c: core: Fix atomic xfer...
9.8CVSS
7.4AI Score
0.001EPSS
Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the...
4.8CVSS
6AI Score
0.0004EPSS
Concrete CMS vulnerable to stored XSS via the Role Name field
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the...
4.8CVSS
6AI Score
0.0004EPSS
Concrete CMS vulnerable to stored XSS via the Role Name field
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the...
4.8CVSS
6.1AI Score
0.0004EPSS
Concrete CMS vulnerable to stored XSS in file tags and description attributes
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description...
4.8CVSS
6.1AI Score
0.0004EPSS
Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the...
4.8CVSS
6.1AI Score
0.0004EPSS
Concrete CMS vulnerable to stored XSS in file tags and description attributes
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description...
4.8CVSS
6.1AI Score
0.0004EPSS
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the...
4.8CVSS
5AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description...
4.8CVSS
4AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description...
4.8CVSS
4.9AI Score
0.0004EPSS
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the...
4.8CVSS
4AI Score
0.0004EPSS
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the...
4.8CVSS
6.2AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description...
4.8CVSS
6.1AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description...
2.4CVSS
5.2AI Score
0.0004EPSS
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the...
2CVSS
5.2AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the...
4.8CVSS
5AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the...
4.8CVSS
4AI Score
0.0004EPSS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the...
4.8CVSS
6.2AI Score
0.0004EPSS
CVE-2024-1247 Concrete CMS version 9 before 9.2.5 vulnerable to stored XSS via the Role Name field
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the...
2CVSS
5.2AI Score
0.0004EPSS
Raspberry Robin Malware Upgrades with Discord Spread and New Exploits
The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the...
8.4CVSS
7.9AI Score
0.006EPSS
ProPump and Controls Osprey Pump Controller (Update A)
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: ProPump and Controls, Inc. Equipment: Osprey Pump Controller Vulnerabilities: Insufficient Entropy, Use of GET Request Method with Sensitive Query Strings, Use of.....
9.8CVSS
10AI Score
0.002EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: Qolsys, Inc. Equipment: IQ Panel 4, IQ4 Hub Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of this vulnerability could allow the panel...
9.8CVSS
7.2AI Score
0.001EPSS
Security Bulletin: NVIDIA DGX Station A100 and DGX Station A800 - February 2024
NVIDIA has released a firmware security update for the NVIDIA DGX™ Station A100 and DGX™ Station A800 systems. To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal. Go to NVIDIA Product Security. Details This section provides a summary of...
8.8CVSS
9.4AI Score
0.001EPSS
Dell Client BIOS DoS (DSA-2023-176)
The Dell BIOS on the remote device is missing a security patch and is, therefore, affected by a denial of service vulnerability. Due to a signed to unsigned conversion error, a local attacker with administrator privileges can cause a denial of service condition on an affected device. Note that...
6.7CVSS
4.8AI Score
0.0004EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable locally Vendor: HID Global Equipment: iCLASS SE, OMNIKEY Vulnerability: Improper Authorization 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read data from reader configuration cards...
7.8CVSS
7.7AI Score
0.0004EPSS
HID Global Reader Configuration Cards
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Low attack complexity Vendor: HID Global Equipment: Reader Configuration Cards Vulnerability: Improper Authorization 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read the credential and device...
5.3CVSS
5.4AI Score
0.001EPSS
Dell BIOS contains a Signed to Unsigned Conversion Error vulnerability. A local authenticated malicious user with admin privileges could potentially exploit this vulnerability, leading to denial of...
6.7CVSS
4.5AI Score
0.0004EPSS
go.etcd.io/etcd/client/pkg/v3 is vulnerable to Insecure Transport. The vulnerability is due to default weak ciphers...
7AI Score
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
8.8CVSS
8.6AI Score
0.001EPSS
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
8.8CVSS
6.4AI Score
0.001EPSS
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
8.8CVSS
7.1AI Score
0.001EPSS
CVE-2023-5800 Insufficient input validation in VAPIX API create_overlay.cgi
Vintage, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service...
5.4CVSS
8.9AI Score
0.001EPSS
SonicWall SonicOS Multiple Vulnerabilities (SNWLID-2023-0012)
According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by multiple vulnerabilities with impact to SonicOS Management Web Interface and SSLVPN Portal, but not SonicWall SSLVPN SMA100 and SMA1000 series products. These vulnerabilities...
8.8CVSS
7.4AI Score
0.001EPSS
OpenSSL: Multiple Vulnerabilities
Background OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Description Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced....
7.5CVSS
7.7AI Score
0.004EPSS
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd by default contains weak ciphers. Workarounds Provide a desired ciphers using the --cipher-suites flag as described with examples in the security documentation References Find out more on this vulnerability in the...
7.1AI Score
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd by default contains weak ciphers. Workarounds Provide a desired ciphers using the --cipher-suites flag as described with examples in the security documentation References Find out more on this vulnerability in the...
7.1AI Score
Etcd pkg Insecure ciphers are allowed by default
Vulnerability type Cryptography Detail The TLS ciphers list supported by etcd by default contains weak ciphers. Workarounds Provide a desired ciphers using the --cipher-suites flag as described with examples in the security documentation References Find out more on this vulnerability in the...
7.1AI Score
AVEVA Edge products (formerly known as InduSoft Web Studio)
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: AVEVA Equipment: AVEVA Edge products (formerly known as InduSoft Web Studio) Vulnerability: Uncontrolled Search Path Element 2. RISK EVALUATION Successful exploitation of this vulnerability could result in an...
7.3CVSS
8AI Score
0.0004EPSS
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable Remotely/Low attack complexity Vendor: Gessler GmbH Equipment: WEB-MASTER Vulnerabilities: Use of Weak Credentials, Use of Weak Hash 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a user to take...
9.8CVSS
7.9AI Score
0.001EPSS
Post-quantum Cryptography for the Go Ecosystem
filippo.io/mlkem768 is a pure-Go implementation of ML-KEM-768 optimized for correctness and readability. ML-KEM (formerly known as Kyber, renamed because we can't have nice things) is a post-quantum key exchange mechanism in the process of being standardized by NIST and adopted by most of the...
6.8AI Score
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
8.3AI Score
0.001EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
6.9AI Score
0.001EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
8.5AI Score
0.001EPSS
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
7AI Score
0.001EPSS
CVE-2024-1019 WAF bypass of the ModSecurity v3 release line
ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string...
8.6CVSS
8.7AI Score
0.001EPSS