482 matches found

OSV, added 2025/08/21 6:31 p.m., 0 views

GHSA-W2WJ-HW98-233H Duplicate Advisory: Keycloak Potential Variable Reference in Model Storage Services

Duplicate Advisory. This advisory has been withdrawn because it is a duplicate of GHSA-8hxp-qmph-w5gq. This link is maintained to preserve external references. Original Description: A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes...

CVSS 4.9, AI score 5.7, EPSS 0.00041
Exploits 0, References 12
CNNVD, added 2025/08/21 12:00 a.m., 1 views

Keycloak Security Vulnerability

Keycloak is an open source identity and access management solution from Keycloak Open Source. A security vulnerability exists in Keycloak that stems from the possibility of injecting malicious content during placeholder substitution, which could lead to injection attacks...

CVSS 4.9, AI score 4.3, EPSS 0.00041
Exploits 0, References 4
Wired Threat Level, added 2025/07/17 11:30 a.m., 7 views

Hackers Are Finding New Ways to Hide Malware in DNS Records

Newly published research shows that the domain name system—a fundamental part of the web—can be exploited to hide malicious code and prompt injection attacks against chatbots...

AI score 7.8
Exploits 0
The Hacker News, added 2025/06/23 10:46 a.m., 4 views

Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks

Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems. "Unlike direct prompt injections,...

AI score 7.7
Exploits 0
RedhatCVE, added 2025/06/13 12:11 a.m., 3 views

CVE-2024-8270

The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not...

CVSS 5.5, AI score 5.6, EPSS 0.00064
Exploits 0, References 1
NVD, added 2025/06/11 12:15 a.m., 6 views

CVE-2024-8270

The macOS Rocket.Chat application is affected by a vulnerability that allows bypassing Transparency, Consent, and Control (TCC) policies, enabling the exploitation or abuse of permissions specified in its entitlements (e.g., microphone, camera, automation, network client). Since Rocket.Chat was not...

CVSS 5.5, EPSS 0.00064
Exploits 0, References 2
RedhatCVE, added 2025/06/04 6:01 a.m., 6 views

CVE-2025-3951

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations...

CVSS 4.1, AI score 7.9, EPSS 0.00188
Exploits 1, References 1
RedhatCVE, added 2025/05/23 10:30 a.m., 5 views

CVE-2024-20417

Multiple vulnerabilities in the REST API of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct blind SQL injection attacks. These vulnerabilities are due to insufficient validation of user-supplied input in REST API calls. An attacker could exploit these...

CVSS 8.1, AI score 7.9, EPSS 0.00185
Exploits 0, References 1
RedhatCVE, added 2025/05/23 8:27 a.m., 4 views

CVE-2024-5892

The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘supportunfilteredfilesupload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, AI score 5.8, EPSS 0.0036
Exploits 0, References 1
RedhatCVE, added 2025/05/23 7:30 a.m., 5 views

CVE-2024-48918

RDS Light is a simplified version of the Reflective Dialogue System (RDS), a self-reflecting AI framework. Versions prior to 1.1.0 contain a vulnerability that involves a lack of input validation within the RDS AI framework, specifically within the user input handling code in the main module main.p...

CVSS 9.3, AI score 7.6, EPSS 0.00168
Exploits 0
RedhatCVE, added 2025/05/23 5:07 a.m., 6 views

CVE-2023-5235

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the...

CVSS 8.8, AI score 7, EPSS 0.00645
Exploits 1
RedhatCVE, added 2025/05/23 3:38 a.m., 6 views

CVE-2023-28952

IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463...

CVSS 5.3, AI score 6.7, EPSS 0.0007
Exploits 0, References 1
RedhatCVE, added 2025/05/22 10:59 p.m., 2 views

CVE-2022-34294

totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not enough entropy to prevent traffic injection attacks...

CVSS 9.8, AI score 7.1, EPSS 0.00785
Exploits 1, References 1
RedhatCVE, added 2025/05/22 10:32 p.m., 6 views

CVE-2022-25337

Ibexa DXP ezsystems/ezpublish-kernel 7.5.x before 7.5.26 and 1.3.x before 1.3.12 allows injection attacks via image filenames...

CVSS 9.8, AI score 7.2, EPSS 0.00537
Exploits 0, References 1
RedhatCVE, added 2025/05/22 6:39 p.m., 4 views

CVE-2021-36124

An issue was discovered in Echo ShareCare 8.15.5. It does not perform authentication or authorization checks when accessing a subset of sensitive resources, leading to the ability for unauthenticated users to access pages that are vulnerable to attacks such as SQL injection...

CVSS 9.8, AI score 7.5, EPSS 0.00541
Exploits 0, References 1
RedhatCVE, added 2025/05/22 10:32 a.m., 7 views

CVE-2019-14761

An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Note application. At a bare minimum, this allows an attacker to take control over the Note application's UI (e.g.,...

CVSS 4.4, AI score 6.8, EPSS 0.00101
Exploits 0, References 1
RedhatCVE, added 2025/05/22 5:36 a.m., 5 views

CVE-2013-3573

HP Insight Diagnostics 9.4.0.4710 allows remote attackers to conduct unspecified injection attacks via unknown vectors...

CVSS 10, AI score 7.7, EPSS 0.01114
Exploits 0, References 1
Packet Storm News, added 2025/05/14 12:00 a.m., 3 views

CANTXSec: a Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations

Despite being a legacy protocol with various known security issues, Controller Area Network (CAN) still represents the de-facto standard for communications within vehicles, ships, and industrial control systems. Many research works have designed Intrusion Detection Systems (IDSs) to identify attacks ...

AI score 7
Exploits 0
BDU FSTEC, added 2025/05/07 12:00 a.m., 1 views

The vulnerability in the web-based interface of UserGate Next-Generation Firewall (NGFW), the unified management center UserGate Management Center (UGMC), the log collection system UserGate Log Analyzer (LogAn), and the event tracking and analysis tool UserGate Security Information and Event Management (SIEM) allows a perpetrator to execute injection requests and trigger built-in database functions.

The vulnerability in the web-based interface of the UserGate Next-Generation Firewall (NGFW), the unified management center UserGate Management Center (UGMC), and the log collection system UserGate Log Analyzer (LogAn) is related to insufficient validation of input data. Exploiting this vulnerability...

CVSS 4.1, AI score 5.6
Exploits 0, Affected Software 4
Patchstack, added 2025/04/24 5:23 p.m., 4 views

WordPress WoWHead Tooltips plugin <= 2.0.1 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by johska in WordPress Plugin WoWHead Tooltips versions <= 2.0.1...

CVSS 7.1, AI score 7.1, EPSS 0.00146
Exploits 0, Affected Software 1