CVSS 10 | AI Score 7 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....
CVSS 9 | EPSS 0.0004
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....
CVSS 9 | AI Score 9.1 | EPSS 0.0004
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....
CVSS 9 | AI Score 9.1 | EPSS 0.0004
CVE-2024-37899 Disabling a user account changes its author, allowing RCE from user account in XWiki
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable.....
CVSS 9 | EPSS 0.0004
XWiki Platform allows remote code execution from user account
Impact When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about...
CVSS 9 | AI Score 6.7 | EPSS 0.0004
XWiki Platform allows remote code execution from user account
Impact When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about...
CVSS 9 | AI Score 7.1 | EPSS 0.0004
XWiki < 14.10.14 - Cross-Site Scripting
XWiki is vulnerable to reflected cross-site scripting (RXSS) via the rev parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the....
CVSS 9.6 | AI Score 7 | EPSS 0.005
XWiki < 4.10.20 - Remote code execution
XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have...
CVSS 10 | AI Score 8.2 | EPSS 0.738
CVE-2024-27348 🪶 CVE-2024-27348 Proof of concept Exploit RCE...
AI Score 7.5 | EPSS 0.001
RHEL 7 : groovy (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. Apache Groovy: Remote code execution via deserialization (CVE-2016-6814) Note that Nessus has not tested for this...
CVSS 9.8 | AI Score 9.8 | EPSS 0.037
Apache HugeGraph-Server - Remote Command Execution
Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution...
AI Score 6.5 | EPSS 0.001
A sandbox bypass vulnerability was found in the Jenkins Script Security Plugin within the sandbox-defined classes, enabling the circumvention of security restrictions. This flaw allows authenticated attackers to define and execute sandboxed scripts, including Pipelines, bypassing sandbox...
AI Score 7.5 | EPSS 0.0004
A sandbox bypass vulnerability was found in the Jenkins Script Security Plugin involving crafted constructor bodies, enabling the circumvention of security restrictions. With crafted constructor bodies, this flaw allows authenticated attackers to define and execute sandboxed scripts, including...
AI Score 7.5 | EPSS 0.0004
Jenkins Script Security Plugin sandbox bypass vulnerability
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call...
AI Score 7.8 | EPSS 0.0004
Jenkins Script Security Plugin sandbox bypass vulnerability
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call...
AI Score 7.5 | EPSS 0.0004
Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call...
AI Score 7.8 | EPSS 0.0004
Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call...
AI Score 7.6 | EPSS 0.0004
Jenkins plugins Multiple Vulnerabilities (2024-05-02)
According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: High Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are...
CVSS 6.5 | AI Score 7.9 | EPSS 0.002
RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3198)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3198 advisory. maven: Block repositories using http by default (CVE-2021-26291) SnakeYaml: Constructor Deserialization Remote Code Execution...
CVSS 9.9 | AI Score 8.2 | EPSS 0.972
RHEL 8 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:0560 advisory. google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization...
CVSS 9.9 | AI Score 7.4 | EPSS 0.012
RHEL 8 : OpenShift Developer Tools and Services for OCP 4.12 (RHSA-2023:1064)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:1064 advisory. Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin...
CVSS 9.9 | AI Score 6.7 | EPSS 0.01
RHEL 8 : OpenShift Container Platform 4.8.56 (RHSA-2023:0017)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0017 advisory. http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048) Pipeline Shared Groovy Libraries: Untrusted users can modify some...
CVSS 8.8 | AI Score 7.2 | EPSS 0.012
RHEL 8 : OpenShift Container Platform 4.9.56 (RHSA-2023:0777)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:0777 advisory. google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization...
CVSS 9.9 | AI Score 8.7 | EPSS 0.022
Xwiki is prone to a remote code execution (RCE) ...
CVSS 9.6 | AI Score 7.9 | EPSS 0.0004
Xwiki is prone to a remote code execution (RCE) ...
CVSS 9.9 | AI Score 7.9 | EPSS 0.0004
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by....
CVSS 9.6 | AI Score 9.3 | EPSS 0.0004
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by....
CVSS 9.6 | AI Score 9.2 | EPSS 0.0004
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by....
CVSS 9.6 | AI Score 9.3 | EPSS 0.0004
CVE-2024-31988 XWiki Platform CSRF remote code execution through the realtime HTML Converter API
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by....
CVSS 9.6 | AI Score 9.5 | EPSS 0.0004
XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can...
CVSS 9.9 | AI Score 9.7 | EPSS 0.0004
XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can...
CVSS 9.9 | AI Score 9.8 | EPSS 0.0004
XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can...
CVSS 9.9 | AI Score 9.8 | EPSS 0.0004
CVE-2024-31984 XWiki Platform: Remote code execution through space title and Solr space facet
XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can...
CVSS 9.9 | AI Score 10 | EPSS 0.0004
XWiki Platform CSRF remote code execution through the realtime HTML Converter API
Impact When the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the...
CVSS 9.6 | AI Score 7.5 | EPSS 0.0004
XWiki Platform CSRF remote code execution through the realtime HTML Converter API
Impact When the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the...
CVSS 9.6 | AI Score 7.8 | EPSS 0.0004
XWiki Platform: Remote code execution through space title and Solr space facet
Impact By creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises...
CVSS 9.9 | AI Score 7.8 | EPSS 0.0004
XWiki Platform: Remote code execution through space title and Solr space facet
Impact By creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises...
CVSS 9.9 | AI Score 8.1 | EPSS 0.0004
XWiki Platform: Remote code execution from edit in multilingual wikis via translations
Impact In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). This can be exploited for remote code...
CVSS 9.9 | AI Score 7.7 | EPSS 0.0004
XWiki Platform: Remote code execution from edit in multilingual wikis via translations
Impact In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). This can be exploited for remote code...
CVSS 9.9 | AI Score 8 | EPSS 0.0004
XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet
Impact Any user with edit right on any page can execute any code on the server by adding an object of type XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an...
CVSS 9.9 | AI Score 7 | EPSS 0.0004
XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet
Impact Any user with edit right on any page can execute any code on the server by adding an object of type XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an...
CVSS 9.9 | AI Score 7.3 | EPSS 0.0004
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gradle, gradle-bootstrap (SUSE-SU-2024:1119-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1119-1 advisory. The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for...
CVSS 9.8 | AI Score 9.4 | EPSS 0.006
openSUSE: Security Advisory for gradle, gradle (SUSE-SU-2024:1119-1)
The remote host is missing an update for...
CVSS 9.8 | AI Score 7.5 | EPSS 0.005
In Janitza GridVis through 9.0.66, exposed dangerous methods in the de.janitza.pasw.project.server.ServerDatabaseProject project load functionality allow remote authenticated administrative users to execute arbitrary Groovy...
AI Score 7.3 | EPSS 0.0004
In Janitza GridVis through 9.0.66, exposed dangerous methods in the de.janitza.pasw.project.server.ServerDatabaseProject project load functionality allow remote authenticated administrative users to execute arbitrary Groovy...
AI Score 7.1 | EPSS 0.0004
In Janitza GridVis through 9.0.66, exposed dangerous methods in the de.janitza.pasw.project.server.ServerDatabaseProject project load functionality allow remote authenticated administrative users to execute arbitrary Groovy...
AI Score 7.3 | EPSS 0.0004
Metasploit Weekly Wrap-Up 02/23/2024
LDAP Capture module Metasploit now has an LDAP capture module thanks to the work of JustAnda7. This work was completed as part of the Google Summer of Code program. When the module runs it will by default require privileges to listen on port 389. The module implements a default implementation for.....
CVSS 9.8 | AI Score 9.8 | EPSS 0.969
CVSS 8.8 | AI Score 7.4 | EPSS 0.92
CVSS 8.8 | AI Score 7.4 | EPSS 0.92