862 matches found

OSV
added 2025/02/04 2:21 p.m. · 2 views

SUSE-SU-2025:0357-1 Security update for etcd

This update for etcd fixes the following issues: Security Update to version 3.5.18: Ensure all goroutines created by StartEtcd to exit before closing the errc; mvcc: restore tombstone index if it's first revision; Bump go toolchain to 1.22.11; Avoid deadlock in etcd.Close when stopping during...

AI score 6.9
Exploits: 0 · References: 3

CVE
added 2025/01/07 4:22 a.m. · 44 views

CVE-2024-12159

The CVE-2024-12159 entry concerns the WordPress plugin “Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords” (Muzaara AdWords Optimize Dashboard) with information exposure in versions up to 3.1. The issue stems from the public accessibility of print_php_information.php, allowi...

CVSS 5.3 · AI score 5.2 · EPSS 0.00353
Exploits: 0 · References: 2

NVD
added 2024/12/18 4:15 a.m. · 11 views

CVE-2024-12250

The Accept Authorize.NET Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2 via the cf7adn-info.php file. This makes it possible for unauthenticated attackers to extract configuration data which can be used to aid in...

CVSS 5.3 · EPSS 0.00367
Exploits: 0 · References: 2

Cvelist
added 2024/12/18 3:22 a.m. · 16 views

CVE-2024-12250 Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure

The Accept Authorize.NET Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2 via the cf7adn-info.php file. This makes it possible for unauthenticated attackers to extract configuration data which can be used to aid in...

CVSS 5.3 · EPSS 0.00367
Exploits: 0 · References: 2

Zero Science Lab
added 2024/12/11 12:0 a.m. · 373 views

ABB Cylon Aspect 3.08.02 Unauthenticated Configuration Disclosure

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Description: The ABB Cylon Aspect BMS/BAS system suffers from an unauthenticated...

AI score 5.7
Exploits: 0

OSV
added 2024/12/05 1:15 p.m. · 1 views

CVE-2024-51542

Configuration Download vulnerabilities allow access to dependency configuration information. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02...

CVSS 8.2 · AI score 5.8 · EPSS 0.00328
Exploits: 0 · References: 1

OSV
added 2024/12/05 1:15 p.m. · 1 views

CVE-2024-51543

Information Disclosure vulnerabilities allow access to application configuration information. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02...

CVSS 7.5 · AI score 5.8
Exploits: 0 · References: 1

OSV
added 2024/11/27 5:15 p.m. · 5 views

CVE-2024-21703

This Medium severity Security Misconfiguration vulnerability was introduced in version 8.8.1 of Confluence Data Center and Server for Windows installations. This Security Misconfiguration vulnerability, with a CVSS Score of 6.4 allows an authenticated attacker of the Windows host to read sensitiv...

CVSS 6.4 · AI score 5.8
Exploits: 0 · References: 1

NVD
added 2024/11/19 6:15 p.m. · 10 views

CVE-2024-42450

The Versa Director uses PostgreSQL (Postgres) to store operational and configuration data. It is also needed for High Availability function of the Versa Director. The default configuration has a common password across all instances of Versa Director. By default, Versa Director configures Postgres t...

CVSS 10 · EPSS 0.00557
Exploits: 0 · References: 1

OSV
added 2024/11/19 9:15 a.m. · 4 views

CVE-2024-31141

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also...

CVSS 6.5 · AI score 6.5
Exploits: 0 · References: 3

Cvelist
added 2024/11/18 10:19 a.m. · 18 views

CVE-2024-11023 Session Hijacking in Firebase JavaScript SDK

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...

CVSS 5.2 · EPSS 0.00125
Exploits: 0 · References: 2

Vulnrichment
added 2024/11/18 10:19 a.m. · 10 views

CVE-2024-11023 Session Hijacking in Firebase JavaScript SDK

Firebase JavaScript SDK utilizes a "FIREBASEDEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the "authTokenSyncURL" to point to thei...

CVSS 5.2 · AI score 7 · EPSS 0.00125
Exploits: 0 · References: 2

Positive Technologies
added 2024/11/18 12:0 a.m. · 3 views

PT-2024-16712 · Google · Firebase Javascript Sdk

Name of the Vulnerable Software and Affected Versions: Firebase JavaScript SDK versions prior to 10.9.0. Description: The Firebase JavaScript SDK utilizes a "FIREBASE DEFAULTS" cookie to store configuration data, including an "authTokenSyncURL" field used for session synchronization. If this cook...

CVSS 6.1 · AI score 6.2 · EPSS 0.00125
Exploits: 0 · References: 17

OSV
added 2024/11/15 5:15 p.m. · 3 views

CVE-2021-1464

A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization checking and gain restricted access to the configuration information of an affected system. This vulnerability exists because the affected software has insufficient input...

CVSS 5 · AI score 5.8 · EPSS 0.013
Exploits: 0 · References: 9

NCSC
added 2024/11/15 10:52 a.m. · 5 views

Vulnerability discovered in Fortinet FortiManager

UPDATE: Public proof of concept (PoC) code for the vulnerability is available. It applies to FortiManager variants that have not yet been patched. Also, researchers have discovered that Fortinet's patch did not fix the full chain of exploitation. Thus, it is still possible to execute code on a patch...

CVSS 9.8 · AI score 7.4 · EPSS 0.94761
Exploits: 7 · References: 1

NVD
added 2024/10/29 3:15 p.m. · 31 views

CVE-2024-50334

Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT...

CVSS 8.7 · EPSS 0.01008
Exploits: 0 · References: 1

Vulnrichment
added 2024/10/29 2:36 p.m. · 15 views

CVE-2024-50334 Semicolon Path Injection on API /api;/config

Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT...

CVSS 8.7 · AI score 7.6 · EPSS 0.01008
Exploits: 0 · References: 1

CVE
added 2024/10/29 2:36 p.m. · 102 views

CVE-2024-50334

Scoold

CVSS 8.7 · AI score 5.6 · EPSS 0.01008
In wild · Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/10/29 12:0 a.m. · 3 views

PT-2024-29298 · Tropos · Tro600 Series Radios

Name of the Vulnerable Software and Affected Versions: TRO600 series radios (affected versions not specified). Description: The issue concerns the extraction of profile files from TRO600 series radios in both plain-text and encrypted file formats. These profile files contain valuable configuration...

CVSS 4.3 · AI score 6.9 · EPSS 0.00364
Exploits: 0 · References: 3

Positive Technologies
added 2024/10/29 12:0 a.m. · 6 views

PT-2024-34147 · Scoold · Scoold

Name of the Vulnerable Software and Affected Versions: Scoold versions prior to 1.64.0. Description: A semicolon path injection vulnerability was found on the "/api;/config" endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorized access to sensitive...

CVSS 8.7 · AI score 6.7 · EPSS 0.01008
Exploits: 0 · References: 12