Zero Day Initiative, added 2024/07/05 12:0 a.m., 8 views

Trend Micro Apex One modOSCE SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex One. Authentication is required to exploit this vulnerability. The specific flaw exists within the client management functionality. The issue results from the lack of proper validati...

CVSS 7.5, AI score 7.5, EPSS 0.02016
Exploits 0, References 1

Veracode, added 2024/07/04 9:50 a.m., 9 views

Improper Access Control

github.com/mattermost/mattermost-server is vulnerable to Improper Access Control. The vulnerability is due to the createPost function not preventing users from specifying a RemoteId for their posts, allowing attackers to create posts with user-defined post IDs. Attackers can use this to cause...

CVSS 5.4, AI score 7, EPSS 0.00277
Exploits 0, References 2, Affected Software 1

Hacker One, added 2024/07/03 5:48 p.m., 7 views

MetaMask: Missing Line Terminator on allowedOrigins enables origin spoofing

The vulnerability identified by @pkkr was related to the Snaps allowedOrigins functionality, which allows Snap developers to control which origins can interact with certain Snap APIs. Due to a missing regex terminator, the origin control could be bypassed, enabling a malicious domain to access...

AI score 7
Exploits 0

Cvelist, added 2024/07/03 8:39 a.m., 22 views

CVE-2024-6428 Limited DoS due to permitting creating users with user-defined IDs

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken...

CVSS 5.3, EPSS 0.00394
Exploits 0, References 1

CVE, added 2024/07/03 8:39 a.m., 54 views

CVE-2024-6428

CVE-2024-6428 affects Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x

CVSS 6.5, AI score 5.7, EPSS 0.00394
Exploits 0, References 1, Affected Software 1

CVE, added 2024/07/03 8:35 a.m., 89 views

CVE-2024-39361

CVE-2024-39361 affects Mattermost 9.8.0, 9.7.x up to 9.7.4, 9.6.x up to 9.6.2, and 9.5.x up to 9.5.5. The issue is that the CreatePost API does not prevent users from supplying a RemoteId for posts, allowing an attacker to specify both a remoteId and the post ID and thereby create posts with user...

CVSS 5.4, AI score 4.5, EPSS 0.00277
Exploits 0, References 1, Affected Software 1

Cvelist, added 2024/07/03 8:35 a.m., 26 views

CVE-2024-39361 Creating posts with user-defined IDs permitted in CreatePost API

Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken...

CVSS 3.1, EPSS 0.00277
Exploits 0, References 1

Zero Day Initiative, added 2024/07/03 12:0 a.m., 6 views

Progress Software WhatsUp Gold SessionControler Server-Side Request Forgery Information Disclosure Vulnerability

This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Progress Software WhatsUp Gold. Authentication is required to exploit this vulnerability. The specific flaw exists within the SessionControler class. The issue results from the lack ...

CVSS 7.1, AI score 8.9, EPSS 0.00525
Exploits 0, References 1

Tenable Nessus, added 2024/07/03 12:0 a.m., 30 views

CBL Mariner 2.0 Security Update: mysql / rust / cmake / curl / tensorflow (CVE-2023-23914)

The version of mysql / rust / cmake / curl / tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-23914 advisory. - A cleartext transmission of sensitive information vulnerability exists in...

CVSS 9.1, AI score 7.2, EPSS 0.00858
Exploits 1, References 2

Cvelist, added 2024/07/02 3:49 p.m., 19 views

CVE-2024-3826 Broken SAML Validation

In Akana versions prior to and including 2022.1.3, validation is broken when using the SAML Single Sign-On (SSO) functionality...

CVSS 8.6, EPSS 0.00337
Exploits 0, References 1

NVD, added 2024/06/28 7:15 a.m., 16 views

CVE-2024-39348

Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager SRM before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors...

CVSS 7.5, EPSS 0.00266
Exploits 0, References 1

NVD, added 2024/06/28 7:15 a.m., 17 views

CVE-2024-39347

Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager SRM before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors...

CVSS 5.9, EPSS 0.00523
Exploits 0, References 1

Cvelist, added 2024/06/28 6:30 a.m., 30 views

CVE-2024-39348

Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager SRM before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors...

CVSS 7.5, EPSS 0.00266
Exploits 0, References 1

CVE, added 2024/06/28 6:30 a.m., 45 views

CVE-2024-39348

CVE-2024-39348 affects Synology Router Manager (SRM) by a vulnerability in the AirPrint functionality where code is downloaded without integrity checks. This can allow a remote attacker to execute arbitrary code via unspecified vectors, with network access and user interaction required. Affected ...

CVSS 7.5, AI score 7.9, EPSS 0.00266
Exploits 0, References 1, Affected Software 1

Vulnrichment, added 2024/06/28 6:30 a.m., 19 views

CVE-2024-39347

Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager SRM before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors...

CVSS 5.9, AI score 6.7, EPSS 0.00523
Exploits 0, References 1

CVE, added 2024/06/28 6:30 a.m., 56 views

CVE-2024-39347

CVE-2024-39347 concerns Synology Router Manager (SRM) firewall: incorrect default permissions in SRM’s firewall functionality allow attackers to access highly sensitive intranet resources. Affected releases include SRM before 1.2.5-8227-11 and before 1.3.1-9346-8. Public sources describe the flaw...

CVSS 5.9, AI score 5.6, EPSS 0.00523
Exploits 0, References 1, Affected Software 1

Cvelist, added 2024/06/28 6:30 a.m., 37 views

CVE-2024-39347

Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager SRM before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors...

CVSS 5.9, EPSS 0.00523
Exploits 0, References 1

OSV, added 2024/06/27 10:15 p.m., 14 views

CVE-2024-4395

The XPC service within the audit functionality of Jamf Compliance Editor before version 1.3.1 on macOS can lead to local privilege escalation...

CVSS 7.3, AI score 6.6, EPSS 0.00211
Exploits 0, References 4

Vulnrichment, added 2024/06/27 9:28 p.m., 10 views

CVE-2024-4395 Lack of Client Validation in Jamf Compliance Editor's Helper Service May Result in Privilege Escalation

The XPC service within the audit functionality of Jamf Compliance Editor before version 1.3.1 on macOS can lead to local privilege escalation...

CVSS 7.3, AI score 6.7, EPSS 0.00211
Exploits 0, References 4

NVD, added 2024/06/27 7:15 p.m., 17 views

CVE-2024-5933

A Cross-site Scripting XSS vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser...

CVSS 6.1, EPSS 0.00351
Exploits 1, References 1