Pdoc Python Library <= 14.5.1 (CVE-2024-38526)
pdoc provides API Documentation for Python Projects. Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1. Note that Nessus has not tested for this issue but...
CVE-2024-8918
The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, ...
PYSEC-2024-220
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves Cross-Site Scripting (XSS) on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users...
CVE-2024-47872 Cross-site Scripting on Gradio server via upload of HTML files, JS files, or SVG files
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves Cross-Site Scripting (XSS) on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users...
GHSA-GVV6-33J7-884G Gradio has an XSS on every Gradio server via upload of HTML files, JS files, or SVG files
Impact: This vulnerability involves Cross-Site Scripting (XSS) on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view...
PT-2024-32452 · Agnai · Agnai
Name of the Vulnerable Software and Affected Versions: Agnai versions prior to 1.0.330 Description: A vulnerability in Agnai permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This...
Number withdrawn
RequireJS is an open-source library. It is used to load plain JavaScript files as well as more formally defined modules. This CVE number has been withdrawn...
CVE-2024-38526 pdoc embeds link to malicious CDN if math mode is enabled
pdoc provides API Documentation for Python Projects. Documentation generated with pdoc --math linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1...
Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns
Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized...
CVE-2023-27133
TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILESX86%\TSplus-RemoteWork\Clients\www folder. This may enable privilege escalation if a different local user modifies a file. NOTE: CVE-2023-31067 and CVE-2023-31068 are only about the TSplus Remot...
PT-2023-20971 · Tsplus · Tsplus Remote Work
Name of the Vulnerable Software and Affected Versions: TSplus Remote Work version 16.0.0.0. Description: The issue is related to weak permissions for certain file types, including .exe, .js, and .html files, located under the %PROGRAMFILESX86%\TSplus-RemoteWork\Clients\www folder. This weakness may...
Dependabot impersonators cause trouble on GitHub
GitHub is experiencing issues of the "breached account and malicious code" variety. ITPro reports that unnamed individuals have been compromising accounts and using them to install malware capable of password theft. It's a fairly elaborate scam which even includes imitation of GitHub's popular...
Ascensio System ONLYOFFICE Buffer Error Vulnerability
Ascensio System ONLYOFFICE is an office software suite from Ascensio System, Latvia. A buffer error vulnerability exists in Ascensio System ONLYOFFICE DocumentServer versions 4.0.3 through 7.3.2, which stems from an out-of-bounds memory access. An attacker could exploit th...
GHSA-VH2G-6C4X-5HMP Path traversal and code execution via prototype vulnerability
Impact: Due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute JavaScript files on the local disk. Patches: Patched in v2.8.7...
CVE-2023-32476
Dell Hybrid Client version 2.0 contains a Sensitive Data Exposure vulnerability. An unauthenticated malicious user on the device can access hard coded secrets in javascript files...
Hardcoded credentials
Dell Hybrid Client version 2.0 contains a Sensitive Data Exposure vulnerability. An unauthenticated malicious user on the device can access hard coded secrets in javascript files...