386 matches found

Tenable Nessus · added 2024/07/03 12:00 a.m. · 35 views

CBL Mariner 2.0 Security Update: containerd / cri-tools / docker-buildx / docker-compose / moby-containerd-cc (CVE-2023-47108)

The version of containerd / cri-tools / docker-buildx / docker-compose / moby-containerd-cc installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-47108 advisory. - OpenTelemetry-Go Contrib is a collecti...

CVSS 7.5 · AI score 6.9 · EPSS 0.04299 · Exploits 0 · References 2
Positive Technologies · added 2024/07/02 12:00 a.m. · 2 views

PT-2025-32214 · Unknown · Middleware

Name of the Vulnerable Software and Affected Versions: Middleware (affected versions not specified). Description: The middleware experiences excessive heap allocations when handling malicious preflight requests containing a large number of commas within the Access-Control-Request-Headers (ACRH) header...

CVSS 7.5 · AI score 6.1 · EPSS 0.00378 · Exploits 0 · References 17
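The allocation pattern behind this advisory, as an added illustration that is not the page's or the affected middleware's own code. The page does not name the middleware or its language; Go is assumed, and the byte and name limits are constructed for the example. A header made only of commas carries no header names, yet a split-first parser allocates one field per comma before it discards any of them; checking the size up front keeps the work proportional to what the server is willing to accept.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed limits for this example; a real middleware would pick values that
// fit the headers its clients legitimately send.
const (
	maxACRHBytes = 1024 // longest Access-Control-Request-Headers value we will parse
	maxACRHNames = 32   // most header names a legitimate preflight plausibly lists
)

// naiveFieldCount shows the cost the advisory describes: strings.Split allocates
// one substring per comma-separated field before any of them is inspected, so a
// value of N commas costs N+1 string headers plus the backing slice.
func naiveFieldCount(acrh string) int {
	return len(strings.Split(acrh, ","))
}

// parseACRHNaive is the vulnerable shape: split first, filter afterwards. Empty
// fields are dropped, but only after every one of them has been allocated.
func parseACRHNaive(acrh string) []string {
	parts := strings.Split(acrh, ",")
	names := make([]string, 0, len(parts))
	for _, p := range parts {
		if p = strings.TrimSpace(p); p != "" {
			names = append(names, strings.ToLower(p))
		}
	}
	return names
}

// parseACRHBounded refuses oversized input before allocating anything and walks
// the value with strings.Cut, so the work done is proportional to the limits the
// server chose rather than to whatever the client sent. ok=false tells the
// caller to answer the preflight without Access-Control-Allow-Headers.
func parseACRHBounded(acrh string) (names []string, ok bool) {
	if len(acrh) > maxACRHBytes {
		return nil, false
	}
	if strings.Count(acrh, ",")+1 > maxACRHNames {
		return nil, false
	}
	names = make([]string, 0, maxACRHNames)
	for acrh != "" {
		var field string
		field, acrh, _ = strings.Cut(acrh, ",")
		if field = strings.TrimSpace(field); field != "" {
			names = append(names, strings.ToLower(field))
		}
	}
	return names, true
}

func main() {
	// Constructed hostile preflight value: 100k commas and not a single header name.
	hostile := strings.Repeat(",", 100000)
	fmt.Println("naive fields allocated:", naiveFieldCount(hostile))
	fmt.Println("naive names kept:", len(parseACRHNaive(hostile)))
	_, ok := parseACRHBounded(hostile)
	fmt.Println("bounded parser accepted hostile value:", ok)
	names, ok := parseACRHBounded("Content-Type, X-Requested-With")
	fmt.Println("bounded parser accepted legitimate value:", ok, names)
}
```

The naive parser returns an empty result for the hostile value, so the bug is invisible in the response; it only shows up as heap growth and GC pressure per request, which is why the check has to happen before the split rather than after it.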
OSV · added 2024/07/01 7:15 p.m. · 37 views

CVE-2024-38472

SSRF in Apache HTTP Server on Windows can leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new...

CVSS 7.5 · AI score 8.3 · Exploits 0 · References 3
Debian CVE · added 2024/07/01 6:12 p.m. · 48 views

CVE-2024-38472

SSRF in Apache HTTP Server on Windows can leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new...

CVSS 7.5 · AI score 6.3 · EPSS 0.90555 · Exploits 1
OSV · added 2024/06/27 6:00 p.m. · 25 views

GO-2023-2331 Denial of service in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

The grpc Unary Server Interceptor created by the otelgrpc package added the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality. This can exhaust the server's memory when many malicious requests are sent, leading to a denial-of-service...

CVSS 7.5 · AI score 7.6 · EPSS 0.04299 · Exploits 0 · References 4
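The mechanism behind GO-2023-2331 / CVE-2023-47108, which is also the subject of the Tenable and F5 entries on this page, as an added example that is not otelgrpc's own code. A toy metric registry shows how attaching net.peer.sock.addr and net.peer.sock.port makes every client socket a new timeseries, and how restricting labels to values the server controls keeps the series count flat. The Attribute and Registry types, the method name and the simulated peer addresses are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Attribute is a constructed stand-in for an OpenTelemetry key/value label.
type Attribute struct {
	Key   string
	Value string
}

// Registry is a deliberately small counter store: one entry per distinct
// attribute set. Real metric SDKs keep one timeseries per distinct set for the
// life of the process, which is why attacker-controlled label values translate
// directly into memory growth.
type Registry struct {
	series map[string]int64
}

func NewRegistry() *Registry {
	return &Registry{series: make(map[string]int64)}
}

// seriesKey renders the attribute set in a canonical order so the same labels
// always map to the same series.
func seriesKey(attrs []Attribute) string {
	parts := make([]string, 0, len(attrs))
	for _, a := range attrs {
		parts = append(parts, a.Key+"="+a.Value)
	}
	sort.Strings(parts)
	return strings.Join(parts, ",")
}

func (r *Registry) Inc(attrs []Attribute) { r.series[seriesKey(attrs)]++ }

// Cardinality is the number of distinct timeseries currently held.
func (r *Registry) Cardinality() int { return len(r.series) }

// peerAttrsUnbounded reproduces the pre-0.46.0 interceptor behaviour described
// in the advisory: the client's socket address and ephemeral port are attached
// to every RPC metric, so every new client connection mints a new series.
func peerAttrsUnbounded(method string, peer net.Addr) []Attribute {
	host, port, _ := net.SplitHostPort(peer.String())
	return []Attribute{
		{Key: "rpc.method", Value: method},
		{Key: "net.peer.sock.addr", Value: host},
		{Key: "net.peer.sock.port", Value: port},
	}
}

// peerAttrsBounded keeps only labels whose value space the server controls.
// Peer identity still belongs in spans or logs, just not in metric dimensions.
func peerAttrsBounded(method string, _ net.Addr) []Attribute {
	return []Attribute{{Key: "rpc.method", Value: method}}
}

// simulateClients drives n RPCs to one method from n distinct client sockets,
// the pattern a malicious client (or a large NAT population) produces, and
// returns how many series the registry ends up holding.
func simulateClients(n int, attrs func(string, net.Addr) []Attribute) int {
	reg := NewRegistry()
	for i := 0; i < n; i++ {
		// Constructed peer: TEST-NET-2 addresses with a fresh ephemeral port each time.
		peer := &net.TCPAddr{IP: net.IPv4(198, 51, 100, byte(i%200)+1), Port: 10000 + i%50000}
		reg.Inc(attrs("/example.Service/Call", peer))
	}
	return reg.Cardinality()
}

func main() {
	const rpcs = 20000
	fmt.Printf("unbounded labels: %d RPCs -> %d series\n", rpcs, simulateClients(rpcs, peerAttrsUnbounded))
	fmt.Printf("bounded labels:   %d RPCs -> %d series\n", rpcs, simulateClients(rpcs, peerAttrsBounded))
}
```

The same counter, fed the same traffic, ends up with one series per client socket in the unbounded case and one series in total in the bounded case; the attacker only needs to open connections, not to send anything unusual inside them.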
RedHat Linux · added 2024/05/23 3:28 p.m. · 2 views

golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests

A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request that causes the receiver to read more bytes from the network than are in the body (up to 1 GiB), causing the receiver to fail to read the response and possibly leading to a Denial of Servic...

CVSS 5.3 · AI score 7.3 · EPSS 0.00123 · Exploits 0 · References 5
Github Security Blog · added 2024/05/10 3:29 p.m. · 82 views

lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability

Summary: The latest version of lobe-chat (by now v0.141.2) has an unauthenticated SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. Details: visit https://chat-preview.lobehub.com/settings/agent, you...

CVSS 9.0 · AI score 6.9 · EPSS 0.73261 · Exploits 2 · References 4 · Affected Software 1
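A server-side destination check of the kind a proxy endpoint such as `/api/proxy` needs before fetching a user-supplied URL, as an added example that is not lobe-chat's code (Go is used to match the other added examples on this page; it is not lobe-chat's language). The Resolver type, the fixed DNS answers, and the names example.com and rebind.example are constructed for the example. The check rejects non-HTTP schemes, embedded credentials, loopback, private, link-local and shared address space, and any hostname with even one internal record, and it hands back the vetted addresses so the caller dials those rather than re-resolving.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the guard can be exercised offline. In production,
// wrap net.DefaultResolver.LookupIP (or LookupIPAddr) to this signature.
type Resolver func(host string) ([]net.IP, error)

// Ranges the net.IP helpers (IsLoopback, IsPrivate, IsLinkLocalUnicast, ...)
// do not already cover but that no outbound proxy should reach.
var blockedNets = mustCIDRs(
	"0.0.0.0/8",     // "this" network
	"100.64.0.0/10", // shared address space (carrier-grade NAT)
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP covers loopback, RFC 1918 and IPv6 ULA (IsPrivate), unspecified,
// link-local including 169.254.169.254-style metadata endpoints, multicast,
// and the extra ranges above. IPv4-mapped IPv6 literals are handled by net.IP.
func isBlockedIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateProxyTarget decides whether a proxy endpoint may fetch rawURL. It
// returns the resolved addresses so the caller can dial one of them directly
// (pinning the connection to a checked IP) instead of re-resolving the
// hostname, which would reopen a DNS-rebinding window.
func ValidateProxyTarget(rawURL string, resolve Resolver) (host string, ips []net.IP, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return "", nil, errors.New("credentials in URL not allowed")
	}
	host = strings.ToLower(u.Hostname())
	if host == "" {
		return "", nil, errors.New("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return "", nil, errors.New("localhost not allowed")
	}
	if ip := net.ParseIP(host); ip != nil { // literal IP: check it directly
		if isBlockedIP(ip) {
			return "", nil, fmt.Errorf("address %s is not reachable through this proxy", ip)
		}
		return host, []net.IP{ip}, nil
	}
	ips, err = resolve(host)
	if err != nil {
		return "", nil, err
	}
	if len(ips) == 0 {
		return "", nil, fmt.Errorf("host %s did not resolve", host)
	}
	// Every answer must pass: a name with one public and one internal record is
	// rejected outright rather than dialed on whichever address comes first.
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return "", nil, fmt.Errorf("host %s resolves to blocked address %s", host, ip)
		}
	}
	return host, ips, nil
}

func main() {
	// Constructed resolver with fixed answers so the example runs offline.
	fake := func(host string) ([]net.IP, error) {
		switch host {
		case "example.com":
			return []net.IP{net.ParseIP("93.184.216.34")}, nil
		case "rebind.example":
			return []net.IP{net.ParseIP("93.184.216.34"), net.ParseIP("10.0.0.5")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, target := range []string{"https://example.com/feed.xml", "http://169.254.169.254/latest/meta-data/", "http://rebind.example/"} {
		_, ips, err := ValidateProxyTarget(target, fake)
		fmt.Printf("%-42s ips=%v err=%v\n", target, ips, err)
	}
}
```

Validating the URL string alone is not enough: the decision has to be made on the resolved addresses, and the fetch has to use those same addresses, otherwise a second lookup at dial time can return an internal address the check never saw.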
Positive Technologies · added 2024/04/08 12:00 a.m. · 1 view

PT-2024-19709 · Open Xchange Gmbh · Ox App Suite

Name of the Vulnerable Software and Affected Versions: No specific software name or affected versions are mentioned in the provided descriptions. Description: The issue concerns RSS feeds that contain malicious data attributes, which could be used to inject script code into a user's browser...

CVSS 6.1 · AI score 6.9 · EPSS 0.00107 · Exploits 0 · References 9
Positive Technologies · added 2024/04/08 12:00 a.m. · 1 view

PT-2024-19708 · Open Xchange Gmbh · Ox App Suite

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, ...

CVSS 5.4 · AI score 7.1 · EPSS 0.001 · Exploits 0 · References 9
Prion · added 2024/02/26 4:27 p.m. · 15 views

Design/Logic Flaw

The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have them forwarded to a target. An attacker can bypass access controls or hide the source of malicious requests...

CVSS 5.2 · AI score 7.4 · EPSS 0.00205 · Exploits 0 · References 1
Cvelist · added 2024/02/26 1:26 p.m. · 11 views

CVE-2024-0387 EDS-4000/G4000 Series IP Forwarding Vulnerability

The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have them forwarded to a target. An attacker can bypass access controls or hide the source of malicious requests...

CVSS 6.5 · AI score 6.7 · EPSS 0.00205 · Exploits 0 · References 1
Vulnrichment · added 2024/02/26 1:26 p.m. · 10 views

CVE-2024-0387 EDS-4000/G4000 Series IP Forwarding Vulnerability

The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have them forwarded to a target. An attacker can bypass access controls or hide the source of malicious requests...

CVSS 6.5 · AI score 6.5 · EPSS 0.00205 · Exploits 0 · References 1
Tenable Nessus · added 2024/02/19 12:00 a.m. · 34 views

Fedora 39 : caddy (2024-22b915e51a)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-22b915e51a advisory. Update to the latest upstream version, which includes a fix for CVE-2023-45142. https://github.com/caddyserver/caddy/releases/tag/v2.7.6 Tenable has extracte...

CVSS 7.5 · AI score 8.1 · EPSS 0.01159 · Exploits 0 · References 2
CNVD · added 2024/02/06 12:00 a.m. · 38 views

XunRuiCMS Cross-Site Scripting Vulnerability (CNVD-2024-12713)

XunRuiCMS (XunRui CMS) is an open source content management system (CMS). A cross-site scripting vulnerability exists in XunRuiCMS v4.6.2 and earlier versions. The vulnerability stems from the application's lack of effective filtering and escaping of user-supplied data, which can be exploited by remo...

CVSS 6.1 · AI score 6 · EPSS 0.00053 · Exploits 1 · References 1
NVD · added 2024/02/02 10:15 a.m. · 9 views

CVE-2024-24388

Cross-site scripting (XSS) vulnerability in XunRuiCMS versions v4.6.2 and before allows remote attackers to obtain sensitive information via crafted malicious requests to the background login...

CVSS 6.1 · AI score 6.1 · EPSS 0.00053 · Exploits 1 · References 1
Cvelist · added 2024/02/02 12:00 a.m. · 14 views

CVE-2024-24388

Cross-site scripting (XSS) vulnerability in XunRuiCMS versions v4.6.2 and before allows remote attackers to obtain sensitive information via crafted malicious requests to the background login...

AI score 6.2 · EPSS 0.00053 · Exploits 1 · References 1
Tenable Nessus · added 2024/01/31 12:00 a.m. · 43 views

RHEL 8 : OpenShift Container Platform 4.12.48 (RHSA-2024:0489)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0489 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud...

CVSS 7.5 · AI score 7.1 · EPSS 0.04299 · Exploits 0 · References 5
F5 Networks · added 2024/01/16 8:08 p.m. · 37 views

K000138255: Go OpenTelemetry Contrib vulnerability CVE-2023-47108

Security Advisory Description: OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port that have unbounded cardinality. It leads to the...

CVSS 7.5 · AI score 6.3 · EPSS 0.04299 · Exploits 0
Prion · added 2024/01/10 1:15 p.m. · 15 views

Code injection

The vulnerability allows an unauthenticated remote attacker to send malicious network requests containing arbitrary client-side script code and obtain its execution inside a victim's session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned log...

CVSS 5.8 · AI score 7.7 · EPSS 0.00147 · Exploits 0 · References 1 · Affected Software 1
Veracode · added 2024/01/04 7:27 a.m. · 15 views

Denial Of Service (DoS)

github.com/cubefs/cubefs is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of incoming HTTP requests in a CubeFS HandlerNode that could allow authenticated users to send maliciously crafted requests that crash the ObjectNode. An attacker can send a...

CVSS 6.5 · AI score 6.5 · EPSS 0.0007 · Exploits 0 · References 2 · Affected Software 1