CVE-2024-4536 Eclipse EDC: OAuth2 Credential Exfiltration Vulnerability
In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security...
6.8CVSS
6.8AI Score
0.0004EPSS
3.7CVSS
4.4AI Score
0.001EPSS
Custom WooCommerce Checkout Fields Editor < 1.3.2 - Missing Authorization
Description The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and...
4.3CVSS
6.4AI Score
0.0004EPSS
Ubuntu 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-6765-1)
The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6765-1 advisory. In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed...
7.8CVSS
7.5AI Score
EPSS
ADFO – Custom data in admin dashboard < 1.9.1 - Reflected Cross-Site Scripting
Description The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dbp_id' parameter in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
6.1CVSS
6.5AI Score
0.001EPSS
Custom Field Suite < 2.6.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Description The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cfs[fields][*][name]' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,.....
4.4CVSS
5.9AI Score
0.001EPSS
GLSA-202405-18 : Xpdf: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202405-18 (Xpdf: Multiple Vulnerabilities) In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed t3GlyphStack->cache, which causes an heap-use-after-free problem. The...
7.8CVSS
8.2AI Score
0.003EPSS
3.7CVSS
4.4AI Score
0.001EPSS
libvirt security and bug fix update
[10.0.0-6.2.0.1] - Set SOURCE_DATE_EPOCH from changelog [Orabug: 32019554] [10.0.0-6.2.el9_4] - qemu: Fix migration with custom XML (RHEL-32654) [10.0.0-6.1.el9_4] - Fix off-by-one error in udevListInterfacesByStatus (CVE-2024-1441, RHEL-25081) - remote: check for negative array lengths before...
6.2CVSS
8.3AI Score
0.001EPSS
RegistrationMagic < 5.3.2.1 - Reflected Cross-Site Scripting
Description The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 5.3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for...
7.1CVSS
6.5AI Score
0.0004EPSS
Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-6767-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6767-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able...
7.8CVSS
6.7AI Score
0.0004EPSS
ADFO – Custom data in admin dashboard < 1.9.1 - Cross-Site Request Forgery
Description The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.0. This is due to missing or incorrect nonce validation on several functions hooked via the controller() function. This makes it possible....
4.3CVSS
6.6AI Score
0.0005EPSS
Post Grid Master <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.4.8 due to insufficient input...
6.5CVSS
5.8AI Score
0.0004EPSS
New capabilities to help you secure your AI transformation
AI is transforming our world, unlocking new possibilities to enhance human abilities and to extend opportunities globally. At the same time, we are also facing an unprecedented threat landscape with the speed, scale, and sophistication of attacks increasing rapidly. To meet these challenges, we...
7.4AI Score
China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices
The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys. Dubbed ArcaneDoor, the activity is said to have commenced.....
8.6CVSS
7.2AI Score
0.002EPSS
Important: unbound security update
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es): A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. The default...
8CVSS
6.5AI Score
0.0004EPSS
An update is available for unbound. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The unbound packages provide a validating, recursive, and caching DNS or...
8CVSS
7AI Score
0.0004EPSS
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for...
6.4CVSS
5.9AI Score
0.0004EPSS
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for...
6.4CVSS
5.7AI Score
0.0004EPSS
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for...
6.4CVSS
6.3AI Score
0.0004EPSS
(RHSA-2024:2696) Important: unbound security update
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es): bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator (CVE-2023-50387) bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources (CVE-2023-50868) A...
7.7AI Score
0.05EPSS
Rocky Linux 8 : firefox (RLSA-2024:1912)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1912 advisory. The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites....
7.3AI Score
0.0004EPSS
GLSA-202405-15 : Mozilla Firefox: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202405-15 (Mozilla Firefox: Multiple Vulnerabilities) When storing and re-accessing data on a networking channel, the length of buffers may have been confused, resulting in an out-of-bounds memory read. This vulnerability...
7.8AI Score
0.0004EPSS
RHEL 8 : unbound (RHSA-2024:2696)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2696 advisory. The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver. Security Fix(es): * bind9: KeyTrap - Extreme CPU...
8CVSS
8.4AI Score
0.05EPSS
CentOS 8 : thunderbird (CESA-2024:1939)
The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2024:1939 advisory. The permission prompt input delay could expire while the window is not in focus. This makes it vulnerable to clickjacking by malicious websites....
7.3AI Score
0.0004EPSS
Debian dsa-5681 : affs-modules-5.10.0-29-4kc-malta-di - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5681 advisory. Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an...
8CVSS
8.2AI Score
0.0005EPSS
Database Connection String Disclosure
Most of the web applications rely on a database to provide features to their users. In secure designs, consuming these private or cloud databases will require authentication like username and password based credentials. Developers sometimes hard code such data in various places of their...
8AI Score
Background Setuptools is a manager for Python packages. Description A vulnerability has been discovered in Setuptools. See the impact field. Impact An inefficiency in a regular expression may end in a denial of service if an user is fetching malicious HTML from a package in PyPI or a custom...
5.9CVSS
8.7AI Score
0.005EPSS
GLSA-202405-10 : Setuptools: Denial of Service
The remote host is affected by the vulnerability described in GLSA-202405-10 (Setuptools: Denial of Service) Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a...
5.9CVSS
7AI Score
0.005EPSS
JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients. Changelogs Major changes are documented in the project Announcements:...
5.9AI Score
Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities
Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S. The.....
9.8CVSS
7.6AI Score
0.902EPSS
7.4AI Score
7.4AI Score
7.4AI Score
SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:1490-1)
The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1490-1 advisory. In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of...
7.8CVSS
7.6AI Score
EPSS
Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications
Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of...
7.7AI Score
Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities
Summary QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details **...
8.7CVSS
9.7AI Score
0.008EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through...
7.1CVSS
7.2AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through...
7.1CVSS
6.8AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS.This issue affects RegistrationMagic: from n/a through...
7.1CVSS
7.7AI Score
0.0004EPSS
[2.06-77.0.1] - Support setting custom kernels as default kernels [Orabug: 36043978] - Bump SBAT metadata for grub to 3 [Orabug: 34872719] - Fix CVE-2022-3775 [Orabug: 34871953] - Enable signing for aarch64 EFI - Fix signing certificate names - Enable back btrfs grub module for EFI pre-built image....
7.8CVSS
7.2AI Score
0.001EPSS
Jeg Elementor Kit < 2.6.5 - Contributor+ Stored XSS via Elementor Widget URL Custom Attributes
Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as...
6.4CVSS
6AI Score
0.0004EPSS
A vulnerability in the Web Audio component of Microsoft Edge and Google Chrome browsers is related to memory usage after it has been freed. Exploitation of the vulnerability could allow an attacker acting remotely, execute arbitrary code A vulnerability in the Skia graphics library of Google...
9.8CVSS
8.7AI Score
0.001EPSS
Oracle Linux 7 : grub2 (ELSA-2024-2002)
The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-2002 advisory. A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value,...
8.6CVSS
7.3AI Score
0.001EPSS
Breakdance < 1.7.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta
Description The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for.....
6.4CVSS
5.7AI Score
0.0004EPSS
[10.0.0-6.0.1] - Set SOURCE_DATE_EPOCH from changelog [Orabug: 32019554] [10.0.0-6] - qemu: virtiofs: do not crash if cgroups are missing (RHEL-7386) - qemu: virtiofs: set correct label when creating the socket (RHEL-7386) - qemu: virtiofs: error out if getting the group or user name fails...
5CVSS
7.3AI Score
0.0004EPSS
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the profile_pic_remove function in versions up to, and including, 3.1.5. This makes it possible for...
6.5CVSS
6.5AI Score
0.001EPSS
The Easy Custom Auto Excerpt plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.12. This makes it possible for unauthenticated attackers to obtain excerpts of password-protected...
5.3CVSS
5.1AI Score
0.0005EPSS
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the profile_pic_remove function in versions up to, and including, 3.1.5. This makes it possible for...
6.5CVSS
6.2AI Score
0.001EPSS
The Easy Custom Auto Excerpt plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.12. This makes it possible for unauthenticated attackers to obtain excerpts of password-protected...
5.3CVSS
5.1AI Score
0.0005EPSS