4774 matches found

NVD
added 2024/10/10 11:15 p.m. | 11 views

CVE-2024-47870

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker ca...

CVSS 8.1 | EPSS 0.00359
Exploits 0 | References 1
Vulnrichment
added 2024/10/10 10:15 p.m. | 15 views

CVE-2024-47870 Race condition in update_root_in_config may redirect user traffic in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker ca...

CVSS 7.1 | AI score 6.4 | EPSS 0.00359
Exploits 0 | References 1
Cvelist
added 2024/10/10 10:15 p.m. | 17 views

CVE-2024-47870 Race condition in update_root_in_config may redirect user traffic in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker ca...

CVSS 7.1 | EPSS 0.00359
Exploits 0 | References 1
OSV
added 2024/10/10 10:15 p.m. | 11 views

CVE-2024-47870 Race condition in update_root_in_config may redirect user traffic in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker ca...

CVSS 7.1 | AI score 6.5 | EPSS 0.00359
Exploits 0 | References 3
CVE
added 2024/10/10 10:15 p.m. | 61 views

CVE-2024-47870

CVE-2024-47870 is a race condition in Gradio’s update_root_in_config function that lets an attacker modify the frontend-backend root URL, enabling redirection of user traffic to a malicious server. This can lead to interception of sensitive data (e.g., credentials, uploaded files) for users conne...

CVSS 8.1 | AI score 8 | EPSS 0.00359
Exploits 0 | References 1 | Affected Software 1
OSV
added 2024/10/10 10:04 p.m. | 6 views

GHSA-XH2X-3MRM-FWQM Gradio has a race condition in update_root_in_config may redirect user traffic

Impact What kind of vulnerability is it? Who is impacted? This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect use...

CVSS 8.8 | AI score 8 | EPSS 0.00359
Exploits 0 | References 4
Github Security Blog
added 2024/10/10 10:04 p.m. | 17 views

Gradio has a race condition in update_root_in_config may redirect user traffic

Impact What kind of vulnerability is it? Who is impacted? This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect use...

CVSS 8.1 | AI score 6.8 | EPSS 0.00359
Exploits 0 | References 4 | Affected Software 1
IBM Security Bulletins
added 2024/09/06 8:31 a.m. | 15 views

Security Bulletin: There is a vulnerability in tinymce-6.8.1.min.js used by IBM Maximo Asset Management application (CVE-2024-38357, CVE-2024-38356)

Summary There is a vulnerability in tinymce-6.8.1.min.js used by IBM Maximo Asset Management application. Vulnerability Details CVEID: CVE-2024-38357 DESCRIPTION: TinyMCE is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the noscript elements. A remote...

CVSS 6.1 | AI score 6 | EPSS 0.00529
Exploits 0 | Affected Software 11
IBM Security Bulletins
added 2024/08/26 7:14 a.m. | 23 views

Security Bulletin: IBM Storage Scale Install toolkit may be affected by a vulnerability in Jinja (CVE-2024-34064)

Summary There is a vulnerability in Jinja, used by Storage Scale Install toolkit which could allow a remote attacker to steal the victim's cookie-based authentication credentials. Vulnerability Details CVEID: CVE-2024-34064 DESCRIPTION: Jinja is vulnerable to cross-site scripting, caused by the...

CVSS 5.4 | AI score 5.9 | EPSS 0.00979
Exploits 0 | Affected Software 1
NVD
added 2024/08/22 1:15 a.m. | 14 views

CVE-2024-42056

Retool self-hosted enterprise through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered by an authenticated attacker via the /api/resources endpoint. The earliest affected version is 3.18.1...

CVSS 6.5 | EPSS 0.00212
Exploits 0 | References 2
Cvelist
added 2024/08/22 12:00 a.m. | 26 views

CVE-2024-42056

Retool self-hosted enterprise through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered by an authenticated attacker via the /api/resources endpoint. The earliest affected version is 3.18.1...

EPSS 0.00212
Exploits 0 | References 2
CVE
added 2024/08/22 12:00 a.m. | 89 views

CVE-2024-42056

Retool (self-hosted Enterprise) is affected through versions 3.18.1–3.40.0. The issue arises from inserting resource authentication credentials into sent data, enabling an authenticated attacker with low-privilege permissions (Use) to discover credentials via the /api/resources endpoint. Impact i...

CVSS 6.5 | AI score 7.3 | EPSS 0.00212
Exploits 0 | References 2 | Affected Software 1
CNVD
added 2024/08/09 12:00 a.m. | 6 views

Mozilla Firefox for iOS cross-site scripting vulnerability (CNVD-2024-36718)

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A cross-site scripting vulnerability exists in Mozilla Firefox for iOS. The vulnerability is caused due to improper validation of user-supplied input in the link context menu. An attacker could use thi...

CVSS 6.1 | AI score 6 | EPSS 0.00237
Exploits 0 | References 1
IBM Security Bulletins
added 2024/08/08 3:55 p.m. | 27 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja (CVE-2024-22195)

Summary Jinja is used by IBM Cloud Pak for Data as part of the platform. CVE-2024-22195. Vulnerability Details CVEID: CVE-2024-22195 DESCRIPTION: Pallets Jinja is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the xmlattr filter. A remote authenticated...

CVSS 6.1 | AI score 5.9 | EPSS 0.00892
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2024/08/01 1:02 p.m. | 24 views

Security Bulletin: Vulnerability in dojo-dojo-release-1.12.1 affects Cloud Pak System [CVE-2018-6561]

Summary Vulnerability in dojo-dojo-release-1.12.1 affects Cloud Pak System. Vulnerability Details CVEID: CVE-2018-6561 DESCRIPTION: Dojo Toolkit is vulnerable to cross-site scripting in dijit.Editor, caused by improper validation of user-supplied input. A remote attacker could exploit this...

CVSS 6.1 | AI score 6 | EPSS 0.0115
Exploits 1 | Affected Software 1
CNVD
added 2024/07/30 12:00 a.m. | 7 views

Apache Roller Cross-Site Scripting Vulnerability (CNVD-2024-35670)

Apache Roller is a Java-based multi-user open source blogging system from the Apache Foundation in the United States. Apache Roller suffers from a cross-site scripting vulnerability that can be exploited by an attacker to obtain cookie-based authentication credentials...

CVSS 5.4 | AI score 6.2 | EPSS 0.00709
Exploits 0 | References 1
IBM Security Bulletins
added 2024/07/18 1:49 p.m. | 22 views

Security Bulletin: There are multiple vulnerabilities that affect CICS Transaction Gateway Desktop Edition (CVE-2023-50310 and CVE-2023-50311).

Summary There are multiple vulnerabilities that affect CICS Transaction Gateway Desktop Edition. An update to CICS Transaction Gateway Desktop Edition has been released to address these vulnerabilities. Vulnerability Details CVEID: CVE-2023-50311 DESCRIPTION: IBM CICS Transaction Gateway could...

CVSS 7.5 | AI score 5.2 | EPSS 0.0039
Exploits 0 | Affected Software 1
Veracode
added 2024/06/26 7:38 a.m. | 9 views

Insufficient Session Expiration

zfr/zfr-oauth2-server-module is vulnerable to Insufficient Session Expiration. The vulnerability is due to a lack of token validation for expiration and validity, allowing users to potentially use invalidated authentication credentials...

AI score 7.2
Exploits 0
NVD
added 2024/06/25 10:15 p.m. | 21 views

CVE-2024-30112

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials...

CVSS 5.4 | EPSS 0.00256
Exploits 0 | References 1
CVE
added 2024/06/25 9:28 p.m. | 46 views

CVE-2024-30112

CVE-2024-30112 concerns HCL Connections and describes a cross-site scripting (XSS) vulnerability. The issue allows an attacker to execute arbitrary script code in a user’s browser, which could enable theft of cookie-based authentication credentials and compromise of the user’s account, potentiall...

CVSS 5.4 | AI score 5.7 | EPSS 0.00256
Exploits 0 | References 1 | Affected Software 1