Gambio Online Webshop 4.9.2.0 Remote Code Execution Exploit
A remote code execution vulnerability in Gambio online webshop versions 4.9.2.0 and below allows remote attackers to run arbitrary commands via an unauthenticated HTTP POST request. The identified vulnerability within Gambio pertains to an insecure deserialization flaw, which ultimately allows an...
CVSS 9.8 | AI Score 10 | EPSS 0.374
openSUSE: Security Advisory for the Linux Kernel (SUSE-SU-2024:1322-2)
The remote host is missing an update for...
CVSS 7.8 | AI Score 8.3
FortiNet FortiClient EMS 7.2.2 / 7.0.10 SQL Injection / Remote Code Execution Exploit
A remote SQL injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server) versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized platform for overseeing enrolled...
CVSS 9.8 | AI Score 10 | EPSS 0.711
openSUSE: Security Advisory for the Linux Kernel (SUSE-SU-2024:1332-1)
The remote host is missing an update for...
CVSS 7.8 | AI Score 8.1
openSUSE: Security Advisory for the Linux Kernel (SUSE-SU-2024:1332-2)
The remote host is missing an update for...
CVSS 7.8 | AI Score 8.1
CVE-2024-32479 LibreNMS's Improper Sanitization on Service template name leads to Stored XSS
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to version 24.4.0, there is improper sanitization on the Service template name, which can lead to stored Cross-site Scripting. Version 24.4.0 fixes this...
CVSS 7.1 | AI Score 7 | EPSS 0.0004
Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites......
AI Score 6.8
LibreNMS uses Improper Sanitization on Service template name leads to Stored XSS
Summary: There is improper sanitization on the Service template name, which is reflected in the delete button's onclick event. This value can be modified and crafted as any other JavaScript code. Vulnerable Code...
CVSS 7.1 | AI Score 6.9 | EPSS 0.0004
libapache2-mod-auth-openidc is vulnerable to Denial of Service (DoS). The vulnerability is due to missing input validation on the mod_auth_openidc_session_chunks cookie value: the server struggles with requests for a long time and eventually returns a 500 error when the value of the cookie...
CVSS 7.5 | AI Score 6.6 | EPSS 0.0004
Over the past two years, a shocking 51% of organizations surveyed in a leading industry report have been compromised by a cyberattack. Yes, over half. And this, in a world where enterprises deploy an average of 53 different security solutions to safeguard their digital domain. Alarming?...
AI Score 7.3
Billions of scraped Discord messages up for sale
Four billion public Discord messages are for sale on an internet scraping service called Spy.pet. At first sight there doesn't seem to be much that is illegal about it. The messages were publicly accessible and there are no laws against scraping data. However, it turns out the site did disregard...
AI Score 6.8
Ransomware Double-Dip: Re-Victimization in Cyber Extortion
**Between crossovers - Do threat actors play dirty or desperate?** In our dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack, we noticed that some victims re-occur. Consequently, the question arises why we observe a re-victimization and whether...
AI Score 6.8
ToddyCat is making holes in your infrastructure
We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts...
AI Score 7.6
github.com/owncast/owncast is vulnerable to Path Traversal. The vulnerability is due to inadequate input validation on the emoji/delete endpoint, allowing attackers with administrative privileges to delete arbitrary files outside the intended...
CVSS 2.7 | AI Score 7.1 | EPSS 0.0004
CVE-2024-1480 Unitronics Vision Standard Unauthenticated Password Retrieval
Unitronics Vision Standard line of controllers allow the Information Mode password to be retrieved without...
CVSS 7.5 | AI Score 7.8 | EPSS 0.0004
Denial of Service Vulnerability in Rustls Library
Summary: rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input. Details: Verified at rustls 0.22 and 0.23, but the 0.21 and 0.20 release lines are also affected. tokio-rustls and rustls-ffi do not call complete_io and are not affected. rustls::Stream and...
CVSS 7.5 | AI Score 7.3 | EPSS 0.0004
CVE-2024-31450 Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The...
CVSS 2.7 | AI Score 4 | EPSS 0.0004
How Attackers Can Own a Business Without Touching the Endpoint
Attackers are increasingly making use of "networkless" attack techniques targeting cloud apps and identities. Here's how attackers can (and are) compromising organizations – without ever needing to touch the endpoint or conventional networked systems and services. Before getting into the details...
AI Score 7.5
openSUSE: Security Advisory for the Linux Kernel (SUSE-SU-2024:1322-1)
The remote host is missing an update for...
CVSS 7.8 | AI Score 8.3
openSUSE: Security Advisory for the Linux Kernel (SUSE-SU-2024:1320-1)
The remote host is missing an update for...
CVSS 7.8 | AI Score 6.3
Tolgee is an open-source localization platform. For the /v2/projects/translations and /v2/projects/{projectId}/translations endpoints, translation data was returned even when the API key was missing the translation.view scope. However, it was impossible to fetch the data when the user was missing this scope...
CVSS 6.5 | AI Score 6.9 | EPSS 0.0004
Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in...
CVSS 6.5 | AI Score 7.1 | EPSS 0.0004
Mental health company Cerebral failed to protect sensitive personal data, must pay $7 million
The Federal Trade Commission (FTC) has reached a settlement with online mental health services company Cerebral after the company was charged with failing to secure and protect sensitive health data. Cerebral has agreed to an order that will restrict how the company can use or disclose sensitive...
AI Score 7.5
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade
Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform...
AI Score 7.6
Cannabis investment scam JuicyFields ends in 9 arrests
Europol and its associates have arrested 9 people in connection with a cannabis investment scam known as "JuicyFields". The suspects used social media to lure investors to their website. There they found information about a "golden opportunity" to invest in the cultivation, harvesting and...
AI Score 6.8
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:1322-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1322-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock A...
CVSS 7.8 | AI Score 8.4
SUSE SLES15 Security Update : kernel (SUSE-SU-2024:1321-1)
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1321-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock A...
CVSS 7.8 | AI Score 8
Enforce and Report on PCI DSS v4 Compliance with Rapid7
The PCI Security Standards Council (PCI SSC) is a global forum that connects stakeholders from the payments and payment processing industries to craft and facilitate adoption of data security standards and relevant resources that enable safe payments worldwide. According to the PCI SSC website,...
AI Score 7.3
OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. The results of the investigation have shown that the...
AI Score 7
CVE-2024-26846 nvme-fc: do not wait in vain when unloading module
In the Linux kernel, the following vulnerability has been resolved: nvme-fc: do not wait in vain when unloading module. The module exit path has a race between deleting all controllers and freeing 'left over IDs'. To prevent double free a synchronization between nvme_delete_ctrl and ida_destroy has...
AI Score 7.8 | EPSS 0.0004
SoumniBot: the new Android banker’s unique techniques
The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very...
AI Score 7.4
Exploit for Command Injection in Paloaltonetworks Pan-Os
Cyberspace Mapping Dork Fofa ...
CVSS 10 | AI Score 9.9 | EPSS 0.957