127 matches found

Microsoft KB
added 2024/07/09 7:00 a.m., 40 views

Description of the security update for SharePoint Server Subscription Edition: July 9, 2024 (KB5002606)

Description of the security update for SharePoint Server Subscription Edition: July 9, 2024 KB5002606 Summary This security update resolves a Microsoft SharePoint Server remote code execution vulnerability, Microsoft SharePoint remote code execution vulnerability, and Microsoft SharePoint Server...

CVSS: 7.5, AI score: 7.8, EPSS: 0.55328
Exploits: 1
The Hacker News
added 2024/06/26 4:24 a.m., 236 views

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library "polyfill.js" to redirect users to malicious and scam sites. "Protecting our users is our top priority. We detected a security...

CVSS: 9.8, AI score: 9, EPSS: 0.99994
Exploits: 38
Microsoft KB
added 2024/06/11 7:00 a.m., 34 views

Description of the security update for SharePoint Server 2019: June 11, 2024 (KB5002602)

Description of the security update for SharePoint Server 2019: June 11, 2024 KB5002602 Summary This security update resolves a Microsoft SharePoint Server remote code execution vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2024-30100...

CVSS: 7.8, AI score: 8, EPSS: 0.01182
Exploits: 0
Cvelist
added 2024/01/23 5:22 p.m., 36 views

CVE-2024-23636 SOFARPC Remote Command Execution (RCE) Vulnerability

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there i...

CVSS: 9.8, AI score: 9.9, EPSS: 0.00799
Exploits: 0, References: 2
Vulnrichment
added 2024/01/23 5:22 p.m., 19 views

CVE-2024-23636 SOFARPC Remote Command Execution (RCE) Vulnerability

SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA Hessian protocol to deserialize received data, while the SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But, prior to version 5.12.0, there i...

CVSS: 9.8, AI score: 7, EPSS: 0.00799
Exploits: 0, References: 2
CNVD
added 2024/01/09 12:00 a.m., 13 views

Command Execution Vulnerability in Electronic Document Security Management System of Beijing Yisetong Technology Development Co., Ltd (CNVD-2024-07742)

The electronic document security management system is an electronic document security sharing management system with controllable authorization; it uses real-time dynamic encryption and decryption protection technology and a real-time rights recovery mechanism to provide all kinds of electronic documents...

AI score: 8
Exploits: 0
BDU FSTEC
added 2023/06/26 12:00 a.m., 5 views

The vulnerability in the firmware of the hardware and software environment for monitoring and protecting IT infrastructure against physical threats is related to incorrect restriction of the layers or frames rendered in the user interface. This allows attackers to compromise data integrity.

The vulnerability in the firmware used in the NetBotz 4 hardware devices for IT infrastructure monitoring and security monitoring is related to incorrect restrictions on the layers or frames that can be rendered in the user interface. Exploiting this vulnerability could allow a...

CVSS: 7.8, AI score: 6.6, EPSS: 0.00462
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2023/02/15 12:00 a.m., 8 views

CVE-2023-25765

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller J...

AI score: 9.7, EPSS: 0.01095
Exploits: 0, References: 2
Huntr
added 2022/12/19 4:57 p.m., 14 views

Cron execution command field allows attackers with admin privilege to execute OS command as root

Description: The cron execution command value is written into the cron file without any security protection mechanism. If an attacker gains admin access, he/she can run OS commands as root. Proof of Concept: 1/ Navigate to http://webserver/froxlor/adminsettings.php?page=overview&part=crond 2/ In the Cro...

AI score: 1
Exploits: 0
BDU FSTEC
added 2022/11/09 12:00 a.m., 4 views

The vulnerability in the firmware of the hardware and software environment for monitoring and protecting IT infrastructure against physical threats, NetBotz 4, allows an intruder to execute arbitrary code.

The vulnerability in the firmware of the software and hardware environment for monitoring and protecting IT infrastructure arises from the lack of measures to protect the website structure. Exploiting this vulnerability allows a remote attacker to execute...

CVSS: 9, AI score: 6.7, EPSS: 0.00379
Exploits: 0, References: 2, Affected Software: 1
Talos
added 2022/10/27 12:00 a.m., 58 views

InHand Networks InRouter302 httpd port 4444 upload.cgi leftover debug code vulnerability

Talos Vulnerability Report TALOS-2022-1522 InHand Networks InRouter302 httpd port 4444 upload.cgi leftover debug code vulnerability October 27, 2022 CVE Number CVE-2022-29888 SUMMARY A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks...

CVSS: 8.1, AI score: 7.4, EPSS: 0.01487
Exploits: 1
Talos
added 2022/10/27 12:00 a.m., 36 views

InHand Networks InRouter302 Incorrect fixes privilege escalation vulnerability

Talos Vulnerability Report TALOS-2022-1523 InHand Networks InRouter302 Incorrect fixes privilege escalation vulnerability October 27, 2022 CVE Number CVE-2022-25932 SUMMARY The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are...

CVSS: 9.8, AI score: 8.7, EPSS: 0.00642
Exploits: 0
NVD
added 2022/09/06 6:15 p.m., 28 views

CVE-2022-2939

The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including 9.0, that makes user enumeration possible. This is due to improper validation on the value supplied through the 'author' parameter found in the /cerber-load.php file. In...

CVSS: 5.3, EPSS: 0.00662
Exploits: 0, References: 2
CVE
added 2022/09/06 5:19 p.m., 54 views

CVE-2022-2939

CVE-2022-2939 affects the WP Cerber Security plugin for WordPress up to version 9.0. The vulnerability arises from improper validation of the author parameter in cerber-load.php, where non-numeric input can bypass the numeric-only protection, enabling user enumeration by unauthenticated attackers...

CVSS: 5.3, AI score: 5.2, EPSS: 0.00662
Exploits: 0, References: 2, Affected Software: 1
Prion
added 2022/07/21 4:15 p.m., 22 views

Design/Logic Flaw

This vulnerability allows a local user to delete arbitrary files on the system and bypass security protection, which can be abused for local privilege escalation on affected F-Secure & WithSecure Windows endpoint products. An attacker must have code execution rights on the victim machine prior to...

CVSS: 4, AI score: 7, EPSS: 0.00333
Exploits: 0, References: 2
Cvelist
added 2022/07/21 3:32 p.m., 30 views

CVE-2022-28877 Local Privilege Escalation Vulnerability in F-Secure & WithSecure Windows Endpoint Products

This vulnerability allows a local user to delete arbitrary files on the system and bypass security protection, which can be abused for local privilege escalation on affected F-Secure & WithSecure Windows endpoint products. An attacker must have code execution rights on the victim machine prior to...

CVSS: 4.3, AI score: 7.2, EPSS: 0.00333
Exploits: 0, References: 2
CNVD
added 2022/07/13 12:00 a.m., 13 views

Command Execution Vulnerability in Netnifty Vulnerability Scanning System

Beijing Netnifty Information Technology Co., Ltd. covers network border security protection, application and data security protection, network security risk management, professional security solutions and professional security services. A command execution vulnerability exists in the Netnifty...

AI score: 7.6
Exploits: 0
OSV
added 2022/05/24 5:28 p.m., 20 views

GHSA-4QRJ-99R6-JFRH Missing hostname validation in Email Extension Plugin

Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. Email Extension Plugin 2.76 validates the SMTP hostname when...

CVSS: 4.8, AI score: 4.9, EPSS: 0.00691
Exploits: 0, References: 5
Github Security Blog
added 2022/05/17 2:30 a.m., 7 views

MantisBT XSS via move_attachments_page.php

A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php), part of the admin tools, allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, an...

CVSS: 4.8, AI score: 5.2, EPSS: 0.00929
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2022/05/17 2:30 a.m., 2 views

GHSA-X53V-V9XP-GF6G MantisBT XSS via move_attachments_page.php

A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php), part of the admin tools, allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, an...

CVSS: 4.8, AI score: 6.1, EPSS: 0.00929
Exploits: 1, References: 6