CVE-2024-30215 Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
The Resource Settings page allows a high privilege attacker to load an exploitable payload to be stored and reflected whenever a user visits the page. In a successful attack, some information could be obtained and/or modified. However, the attacker does not have control over what information is...
CVSS 4.8 | AI Score 5.2 | EPSS 0.0004
CVE-2024-30214 Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server response. Under certain circumstances, if the parameter contains JavaScript, the script could be processed on the client...
CVSS 4.8 | AI Score 5.3 | EPSS 0.0004
SAP Group Reporting Data Collection does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation, specific data can be changed via the Enter Package Data app although the user does not have sufficient authorization...
CVSS 6.5 | AI Score 7 | EPSS 0.0004
CVE-2024-27901 Directory Traversal vulnerability in SAP Asset Accounting
SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by users and pass it through to the file APIs, causing a considerable impact on confidentiality, integrity and availability of the...
CVSS 7.2 | AI Score 6.9 | EPSS 0.0004
Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both...
CVSS 8.8 | AI Score 8.8 | EPSS 0.0004
CVE-2024-27898 Server-Side Request Forgery in SAP NetWeaver
SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web application targeting internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request...
CVSS 5.3 | AI Score 5.5 | EPSS 0.0004
CVE-2024-25646 Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence
Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using a crafted document. On successful exploitation there could be a considerable impact on confidentiality of the...
CVSS 7.7 | AI Score 7.5 | EPSS 0.0004
This Week in Spring - April 9th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Las Vegas, NV, at the moment, preparing for my part in the huuuuuge Google Cloud Next keynote. I'm so excited! And then it's off to the amazing and glorious Devnexus event! If you're at either event, please say hi! ...
AI Score 7.3
Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08
This week on the Lock and Code podcast… A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site. In March, PornHub blocked access to visitors connecting to its website from Texas. It marked...
AI Score 7.1
CVE-2024-3116_RCE_in_pgadmin_8.4 Making a lab and testing the...
CVSS 7.4 | AI Score 8 | EPSS 0.0004
I wrote a short document describing how I maintain open source projects, to link it from my global CODE_OF_CONDUCT, CONTRIBUTING, and SECURITY files. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations. It got...
AI Score 7.6
HackerOne: Any user could upload attachments to pentest scoping form they don't have access to
Hello team, in my recent testing I found that any user could upload attachments to any user's pentest scoping form without having access to it, as long as they have the scope ID. Note: before you start you will require two accounts to test for this bug. Steps to reproduce: 1. create a sandbox 2. go...
AI Score 7.1
Friday Squid Blogging: SqUID Bots
They're AI warehouse robots. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines...
AI Score 7.2
CVSS 7.5 | AI Score 7.4 | EPSS 0.001
Pixel Watch Security Bulletin—April 2024
The Pixel Watch Security Bulletin contains details of security vulnerabilities affecting Pixel Watch devices (Google Devices). For Google devices, security patch levels of 2024-04-05 or later address all applicable issues in the April 2024 Android Security Bulletin and all issues in this bulletin...
AI Score 8
As my manager knows, I'm not the biggest fan of working in a physical office. I'm a picky worker -- I like my workspace to be borderline frigid, I hate dark mode on any software, and I want any and all lighting cranked all the way up. So, know that I'm biased going into this, but I also can't get...
CVSS 10 | AI Score 7.7 | EPSS 0.133
my-home-zen-spa.com Cross Site Scripting vulnerability OBB-3902522
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.2
Exploit for Embedded Malicious Code in Tukaani Xz
ansible-CVE-2024-3094 Ansible playbooks designed to check and...
CVSS 10 | AI Score 9.7 | EPSS 0.133
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 7 | EPSS 0.0004
Ubuntu 20.04 LTS : Firefox regressions (USN-6710-2)
The remote Ubuntu 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6710-2 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...
AI Score 7.3
Releases Ubuntu 20.04 LTS Packages firefox - Mozilla Open Source web browser Details USN-6710-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Original advisory details: Manfred Paul discovered that Firefox did not properly...
AI Score 8.2 | EPSS 0.0005
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE,...
AI Score 7.1 | EPSS 0.0004
Exploit for Vulnerability in Orthanc-Server Orthanc
CVE-2023-33466 This POC targets Orthanc DICOM server...
CVSS 8.8 | AI Score 7 | EPSS 0.002
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE,...
AI Score 6.8 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start !=...
AI Score 7.3 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE,...
AI Score 7.8 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 6.5 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 6.7 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 7.1 | EPSS 0.0004
CVE-2024-26726 btrfs: don't drop extent_map for free space inode on write error
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE,...
AI Score 8 | EPSS 0.0004
CVE-2024-26708 mptcp: really cope with fastopen race
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 6.7 | EPSS 0.0004
CVE-2024-26708 mptcp: really cope with fastopen race
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 6.9 | EPSS 0.0004
Hello fellow readers! Have you ever wondered how the GitHub Security Lab performs security research? In this post, you'll learn how we leverage GitHub products and features such as code scanning, CodeQL, Codespaces, and private vulnerability reporting. By the time we conclude, you'll have mastered...
AI Score 6.9
‘The Manipulaters’ Improve Phishing, Still Fail at Opsec
Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming...
AI Score 7.3
Class-Action Lawsuit against Google’s Incognito Mode
The lawsuit has been settled: Google has agreed to delete "billions of data records" the company collected while users browsed the web using Incognito mode, according to documents filed in federal court in San Francisco on Monday. The agreement, part of a settlement in a class action lawsuit...
AI Score 6.9
Exploit for Embedded Malicious Code in Tukaani Xz
CVE-2024-3094 SSH Backdoor Container Env This is an...
CVSS 10 | AI Score 7.3 | EPSS 0.133
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(),...
AI Score 7.3 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't drop extent_map for free space inode on write error While running the CI for an unrelated change I hit the following panic with generic/648 on btrfs_holes_spacecache. assertion failed: block_start != EXTENT_MAP_HOLE,...
AI Score 7.9 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: mptcp: really cope with fastopen race Fastopen and PM-trigger subflow shutdown can race, as reported by syzkaller. In my first attempt to close such race, I missed the fact that the subflow status can change again before the...
AI Score 6.6 | EPSS 0.0004
This Week in Spring - April 2nd, 2024
Welcome, welcome, welcome, to another installment of This Week in Spring! You know, we've come a long way since you and I last spoke. It's April already! A new month! How bizarre. And, with the dawning of a new month, we're also more than 25% through this year! I sure hope you're paying attention...
AI Score 7.1
AT&T confirms 73 million people affected by data breach
Telecommunications giant AT&T has finally confirmed that 73 million current and former customers have been caught up in a massive dark web data leak. The leaked data includes names, addresses, mobile phone numbers, dates of birth, and social security numbers. Malwarebytes VP of Consumer Privacy,...
AI Score 7.4
Through a 2010 FOIA request (yes, it took that long), we have copies of the NSA's KRYPTOS Society Newsletter, "Tales of the Krypt," from 1994 to 2003. There are many interesting things in the 800 pages of newsletter. There are many redactions. And a 1994 review of Applied Cryptography by...
AI Score 7.3
Challenges Drive Career Growth: Meet Rudina Tafhasaj
Starting a career for the first time in a new country can be intimidating. For Rudina Tafhasaj, her path to Senior Application Engineer at Rapid7 was paved with both unique challenges, and incredible rewards. Growing up, Rudina was inspired to get into technology by her older brother. “He loved...
AI Score 6.9
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(),...
AI Score 7.3 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(),...
AI Score 6.6 | EPSS 0.0004
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(),...
AI Score 6 | EPSS 0.0004
CVE-2024-26671 blk-mq: fix IO hang from sbitmap wakeup race
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered with the following blk_mq_get_driver_tag() in case of getting driver tag failure. Then in __sbitmap_queue_wake_up(),...
AI Score 7.6 | EPSS 0.0004
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the...
AI Score 5.8 | EPSS 0.0004
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the...
AI Score 6 | EPSS 0.0004
CVE-2024-1274 My Calendar < 3.4.24 - Authenticated Stored XSS
The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the...
AI Score 6 | EPSS 0.0004