Fedora: Security Advisory for qt5ct (FEDORA-2024-2e27372d4c)
The remote host is missing an update for...
6.8AI Score
0.0004EPSS
TokenController formName not sanitized in hidden input
Impact TokenController get parameter formName not sanitized in returned input field leads to XSS. What kind of vulnerability is it? Who is impacted? Patches Has the problem been patched? What versions should users upgrade to? Workarounds Is there a way for users to fix or remediate the...
6.1CVSS
6.2AI Score
0.0004EPSS
TokenController formName not sanitized in hidden input
Impact TokenController get parameter formName not sanitized in returned input field leads to XSS. What kind of vulnerability is it? Who is impacted? Patches Has the problem been patched? What versions should users upgrade to? Workarounds Is there a way for users to fix or remediate the...
6.1CVSS
6.3AI Score
0.0004EPSS
Authentication bypass in dtale
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled....
9.8CVSS
8.6AI Score
0.0004EPSS
Authentication bypass in dtale
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled....
9.8CVSS
10AI Score
0.0004EPSS
Issue Overview: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. (CVE-2024-4367) If the browser.privatebrowsing.autostart...
7.9AI Score
0.0004EPSS
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled....
9.8CVSS
0.0004EPSS
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled....
9.8CVSS
10AI Score
0.0004EPSS
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them....
7.3CVSS
0.0004EPSS
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them....
7.3CVSS
6.1AI Score
0.0004EPSS
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them....
7.3CVSS
5.8AI Score
0.0004EPSS
CVE-2024-3408 Authentication Bypass and RCE in man-group/dtale
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled....
9.8CVSS
0.0004EPSS
CVE-2024-3408 Authentication Bypass and RCE in man-group/dtale
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled....
9.8CVSS
8.5AI Score
0.0004EPSS
CVE-2024-3110 Stored XSS leading to admin account takeover in mintplex-labs/anything-llm
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them....
7.3CVSS
0.0004EPSS
CVE-2024-3110 Stored XSS leading to admin account takeover in mintplex-labs/anything-llm
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them....
7.3CVSS
5.8AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 27, 2024 to June 2, 2024)
_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...
10CVSS
9.6AI Score
EPSS
The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level.....
4.3CVSS
4.3AI Score
0.001EPSS
The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level.....
4.3CVSS
6.7AI Score
0.001EPSS
CVE-2024-5489 Wbcom Designs - Custom Font Uploader <= 2.3.4 - Missing Authorization to Font Deletion
The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level.....
4.3CVSS
4.3AI Score
0.001EPSS
Hackers Exploit Legitimate Packer Software to Spread Malware Undetected
Threat actors are increasingly abusing legitimate and commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers. "The majority of the attributed malicious samples targeted financial institutions and...
7.1AI Score
The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
6.4CVSS
6.1AI Score
0.0004EPSS
The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
5.4CVSS
5.7AI Score
0.0004EPSS
CVE-2024-5221 Qi Blocks <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting
The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
6.4CVSS
5.8AI Score
0.0004EPSS
CVE-2024-5221 Qi Blocks <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting
The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...
6.4CVSS
5.7AI Score
0.0004EPSS
The Custom Dash plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and.....
4.4CVSS
6AI Score
0.0004EPSS
The Custom Dash plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and.....
4.4CVSS
4.3AI Score
0.0004EPSS
CVE-2024-4942 Custom Dash <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Custom Dash plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and.....
4.4CVSS
5.8AI Score
0.0004EPSS
CVE-2024-4942 Custom Dash <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Custom Dash plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and.....
4.4CVSS
4.3AI Score
0.0004EPSS
7.4AI Score
Kadence Blocks Pro < 2.3.8 - Contributor+ Arbitrary Option Access
Description The plugin does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the database. PoC 1. ADMIN: Install Kadence Blocks Pro 2. CONTRIBUTOR: Add shortcode to any post and specify/guess the option name and save.....
6.5AI Score
0.0004EPSS
7.4AI Score
Kadence Blocks Pro < 2.3.8 - Contributor+ Arbitrary Option Access
Description The plugin does not prevent users with at least the contributor role using some of its shortcode's functionalities to leak arbitrary options from the...
6.8AI Score
0.0004EPSS
[slackware-security] Slackware 15.0 kernel
New kernel packages are available for Slackware 15.0 to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/linux-5.15.160/*: Upgraded. These updates fix various bugs and security issues. Be sure to upgrade your initrd after upgrading the kernel...
8CVSS
7.9AI Score
EPSS
By-passing Protection of PharStreamWrapper Interceptor
Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details.....
7.5AI Score
By-passing Protection of PharStreamWrapper Interceptor
Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. In July 2018, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the TYPO3 core. For more details.....
7.5AI Score
CVE-2024-4956 This repository contains a Python utility for...
7.5CVSS
7.6AI Score
0.013EPSS
Mattermost crashes web clients via a malformed custom status in...
4.3CVSS
4.6AI Score
0.0004EPSS
X-Recon - A Utility For Detecting Webpage Inputs And Conducting XSS Scans
A utility for identifying web page inputs and conducting XSS scanning. Features: Subdomain Discovery: Retrieves relevant subdomains for the target website and consolidates them into a whitelist. These subdomains can be utilized during the scraping process. Site-wide Link Discovery: Collects...
6.3AI Score
Chinese State-Backed Cyber Espionage Targets Southeast Asian Government
An unnamed high-profile government organization in Southeast Asia emerged as the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation codenamed Crimson Palace. "The overall goal behind the campaign was to maintain access to the target network for cyberespionage in.....
7AI Score
Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide
An analysis of a nascent ransomware strain called RansomHub has revealed it to be an updated and rebranded version of Knight ransomware, itself an evolution of another ransomware known as Cyclops. Knight (aka Cyclops 2.0) ransomware first arrived in May 2023, employing double extortion tactics to.....
7.8AI Score
The Responsive Addons – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output.....
6.4CVSS
6AI Score
0.001EPSS
The Responsive Addons – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output.....
5.4CVSS
5.7AI Score
0.001EPSS
The Responsive Addons – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output.....
6.4CVSS
5.8AI Score
0.001EPSS
The Responsive Addons – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output.....
6.4CVSS
5.7AI Score
0.001EPSS
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes for blocks in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....
5.4CVSS
5.7AI Score
0.0004EPSS
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes for blocks in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....
6.4CVSS
6AI Score
0.0004EPSS
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes for blocks in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....
6.4CVSS
5.2AI Score
0.0004EPSS
The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes for blocks in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with.....
6.4CVSS
5.8AI Score
0.0004EPSS
[SECURITY] Fedora 40 Update: qt5ct-1.1-24.fc40
qt5ct allows users to configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt...
6.6AI Score
0.0004EPSS
Wbcom Designs - Custom Font Uploader < 2.4.0 - Missing Authorization to Font Deletion
Description The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with...
4.3CVSS
6.4AI Score
0.001EPSS