
67 matches found

Tenable Nessus
added 2025/11/24 12:0 a.m. | 2 views

Fedora 43 : calibre (2025-355be35bb1)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-355be35bb1 advisory. Update to 8.14.0. Fixes rhbz2413304. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has no...

CVSS 9.3 | AI score 5.5 | EPSS 0.00042
Exploits: 0 | References: 2

EUVD
added 2025/11/07 11:25 p.m. | 1 view

EUVD-2025-38333

calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve...

CVSS 9.3 | AI score 7.3 | EPSS 0.00042
Exploits: 0 | References: 2

OSV
added 2025/11/07 11:25 p.m. | 1 view

CVE-2025-64486 calibre is vulnerable to arbitrary code execution when opening FB2 files

calibre is an e-book manager. In versions 8.13.0 and prior, calibre does not validate filenames when handling binary assets in FB2 files, allowing an attacker to write arbitrary files on the filesystem when viewing or converting a malicious FictionBook file. This can be leveraged to achieve...

CVSS 9.3 | AI score 7.8 | EPSS 0.00042
Exploits: 0 | References: 4

OSV
added 2025/09/25 10:52 a.m. | 1 view

SUSE-SU-2025:20824-1 Security update for curl

This update for curl fixes the following issues: - CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 - CVE-2025-10148: Predictable WebSocket mask bsc1249348 - Fix the --ftp-pasv option in curl v8.14.1 bsc1246197 - tooloperate: fix return code when --retry is used but not triggere...

CVSS 7.5 | AI score 6.9 | EPSS 0.00275
Exploits: 1 | References: 7

SUSE Linux
added 2025/09/25 10:50 a.m. | 3 views

Security update for curl

This update for curl fixes the following issues: CVE-2025-9086: Fixed Out of bounds read for cookie path bsc1249191 CVE-2025-10148: Predictable WebSocket mask bsc1249348 Fix the --ftp-pasv option in curl v8.14.1 bsc1246197 tooloperate: fix return code when --retry is used but not triggered...

CVSS 7.5 | AI score 7.6 | EPSS 0.00275
Exploits: 1 | References: 16

Snyk
added 2025/06/03 9:43 p.m. | 2 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the decrypt function in CookieStore.php. An attacker can execute arbitrary code or cause a denial of service by sending a specially crafted cookie containing malicious serialized data which are...

CVSS 10 | AI score 7.8 | EPSS 0.00164
Exploits: 0 | References: 2

NVD
added 2025/06/03 9:15 p.m. | 9 views

CVE-2025-48951

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially...

CVSS 9.3 | EPSS 0.00164
Exploits: 0 | References: 5

OSV
added 2025/05/30 12:0 a.m. | 1 view

OPENSUSE-SU-2025:15176-1 curl-8.14.0-1.1 on GA media

These are all security issues fixed in the curl-8.14.0-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 6.5 | AI score 6.6 | EPSS 0.0008
Exploits: 3 | References: 3

Tenable Nessus
added 2025/05/28 12:0 a.m. | 11 views

Slackware Linux 15.0 / current curl Multiple Vulnerabilities (SSA:2025-148-01)

The version of curl installed on the remote host is prior to 8.14.0. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2025-148-01 advisory. New curl packages are available for Slackware 15.0 and -current to fix security issues. Tenable has extracted the preceding...

CVSS 6.5 | AI score 6.2 | EPSS 0.0008
Exploits: 3 | References: 3

Snyk
added 2025/05/15 9:45 p.m. | 1 view

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication due to the CookieStore configuration. An attacker can gain unauthorized access by brute-forcing the authentication tags of the session cookies. Note: This is only exploitable if the user has configured the sessio...

CVSS 9.3 | AI score 7.1 | EPSS 0.00084
Exploits: 0 | References: 2

CNNVD
added 2024/06/14 12:0 a.m. | 1 view

Elastic Kibana Security Vulnerability

Elastic Kibana is an application from the Dutch company Elastic. A free and open user interface that enables you to visualize Elasticsearch data and lets you navigate through the Elastic Stack. A security vulnerability exists in Elastic Kibana versions prior to 7.17.22 and prior to 8.14.0, which...

CVSS 6.1 | AI score 6.7 | EPSS 0.00342
Exploits: 0 | References: 2

NVD
added 2024/06/12 2:15 p.m. | 13 views

CVE-2024-23445

It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the query or the field_security parameter, an...

CVSS 6.5 | EPSS 0.00206
Exploits: 0 | References: 1

OSV
added 2024/06/12 2:15 p.m. | 7 views

CVE-2024-23445

It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the query or the field_security parameter, an...

CVSS 6.5 | AI score 6.6
Exploits: 0 | References: 1

Cvelist
added 2024/06/12 1:58 p.m. | 20 views

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the query or the field_security parameter, an...

CVSS 6.5 | EPSS 0.00206
Exploits: 0 | References: 1

Vulnrichment
added 2024/06/12 1:58 p.m. | 14 views

CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions

It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the query or the field_security parameter, an...

CVSS 6.5 | AI score 7.3 | EPSS 0.00206
Exploits: 0 | References: 1

Elastic
added 2024/06/06 3:32 a.m. | 7 views

Elasticsearch 8.14.0 Security Update (ESA-2024-13)

Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions (ESA-2024-13). It was identified that if a cross-cluster API key restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the...

CVSS 6.5 | AI score 6.9 | EPSS 0.00206
Exploits: 0

NCSC
added 2023/09/21 12:0 a.m. | 4 views

Vulnerability fixed in Atlassian Bitbucket

Atlassian has fixed a vulnerability in Bitbucket. A malicious party could exploit the vulnerability to execute arbitrary code, possibly with elevated privileges. For successful abuse, the malicious party must be authenticated. Atlassian has released updates to fix the...

CVSS 8.8 | AI score 7.4 | EPSS 0.11648
Exploits: 0

Vulnrichment
added 2023/05/18 10:14 a.m. | 5 views

CVE-2023-23999 WordPress Google Analytics by Monster Insights Plugin <= 8.14.0 is vulnerable to Cross Site Scripting (XSS)

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in MonsterInsights plugin <= 8.14.0 versions...

CVSS 6.5 | AI score 5.5 | EPSS 0.00181
Exploits: 0 | References: 1

Positive Technologies
added 2023/05/18 12:0 a.m. | 2 views

PT-2023-19348 · WordPress · Monsterinsights

Name of the Vulnerable Software and Affected Versions: MonsterInsights plugin versions <= 8.14.0. Description: The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability requires authentication and affects users with contributor or higher permissions. Recommendation...

CVSS 6.5 | AI score 5.6 | EPSS 0.00181
Exploits: 0 | References: 4

CNNVD
added 2023/05/18 12:0 a.m. | 2 views

WordPress plugin MonsterInsights Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on servers running PHP and MySQL. A cross-site scripting vulnerability exists...

CVSS 6.5 | AI score 6.5 | EPSS 0.00181
Exploits: 0 | References: 2