173 matches found
dify 安全漏洞
dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in dify version v0.10.1, which stems from unverified password reset code that could lead to full account control...
Oxidized Web RANCID migration page allows unauthenticated user to gain control over Linux user account
In oxidized-web aka Oxidized Web before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web...
CVE-2022-29168
Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient escaping when rendering @mentions in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim...
CVE-2022-24799
wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious...
CVE-2020-36713
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'updateuserprofile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delet...
CVE-2024-40638
GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17...
CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User
OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/orgid/users/emailid allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the...
CVE-2024-53272 GHSL-2024-109: Reflected XSS in /login in habitica
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The login and social media function in RegisterLoginReset.vue contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify...
CVE-2024-53272 GHSL-2024-109: Reflected XSS in /login in habitica
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The login and social media function in RegisterLoginReset.vue contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify...
New Stealer Uses Invalid Cert To Compromise Systems
New Stealer Uses Invalid Cert To Compromise Systems By Mohinder Gill, Mallikarjun Wali and Sangram Mohapatro · November 07, 2024 A new Stealer has been making the rounds. Its name: Fickle. Fickle Stealer is a new Rust-based information stealer that spreads through various attack vectors, includin...
Exploit for CVE-2024-53588
iTop-privesc MY FIRST 0-DAY!!! - CVE-2024-53588 A privileg...
September 10, 2024—KB5043067 (OS Build 22000.3197)
None None...
September 10, 2024—KB5043092 (Security-only update)
None None...
September 10, 2024—KB5043051 (OS Build 14393.7336) - EXPIRED
None None...
July 9, 2024—KB5040434 (OS Build 14393.7159) - EXPIRED
None None...
Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer
Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys an information stealer known as Vidar Stealer. "Adversaries had managed to trick users into downloading password-protected archive...
Yealink VP59 安全漏洞
YeaLink VP59 is a flagship smart video phone from China-based YeaLink. A security vulnerability exists in the Yealink VP59 Teams Editions version 91.15.0.118, which stems from a flaw that allows an attacker to take control of an account via the factory reset process...
CVE-2024-30939
An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure...
PT-2024-23683 · Yealink · Yealink Vp59 Teams Editions
Name of the Vulnerable Software and Affected Versions: Yealink VP59 Teams Editions version 91.15.0.118 Description: An issue in the factory reset procedure of Yealink VP59 Teams Editions allows a physically proximate attacker to gain control of an account. Recommendations: For Yealink VP59 Teams...
Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named "oscompatible," was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included ...