CVE-2024-54139

Combodo iTop is affected by a cross-site scripting (XSS) vulnerability that can lead to cross-site request forgery (CSRF) via the _table_id parameter. Impact is described as high/critical in CVE sources. Affected versions: prior to 2.7.11, 3.1.2, and 3.2.0. Patches are available in versions 2.7.1...

CVE-2024-10783 MainWP Child <= 5.2 - Missing Authorization to Unauthenticated Privilege Escalation

The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the registersite function in all versions up to, and including, 5.2 when a site is left in an unconfigured stat...

XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation e.g., Trigger on any job. If the operation is successful...

GHSA-2R87-74CX-2P7C XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList

Impact Any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a connected user without script nor...

CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...

CVE-2024-55662 XWiki allows remote code execution through the extension sheet

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server. This vulnerability has been fixed in...

CVE-2024-53273

Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The register function in RegisterLoginReset.vue contains a reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious...

PT-2024-16335 · WordPress · Paid Membership Plugin

Name of the Vulnerable Software and Affected Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.15 Description: The issue concerns the Paid Membership Plugin, Ecommerce, User Registration Form,...

CVE-2024-56651 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-56651 affecting package kernel for versions less than 5.15.173.1-1. A patched version of the package is available...

About the security content of Safari18.2

About the security content of Safari18.2 This document describes the security content of Safari 18.2. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available...

PT-2024-36966

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.74 Description A vulnerability in the Linux kernel has been resolved, related to the ALSA control, where the use of WARN for showing symlink creation errors was downgraded to dev err to avoid confusing fuzzer...

CVE-2024-55601

Hugo, a static site generator, is affected in versions 0.123.0 through 0.139.3 (prior to 0.139.4). The issue: certain HTML attributes in Markdown in internal templates are not escaped in render hooks, specifically in templates _default/_markup/render-link.html (v0.123.0), _default/_markup/render-...

SUSE-SU-2024:4256-1 Security update for the Linux Kernel (Live Patch 42 for SLE 15 SP3)

This update for the Linux Kernel 5.3.18-15030059153 fixes several issues. The following security issues were fixed: - CVE-2024-36904: tcp: Use refcountincnotzero in tcptwskunique bsc1225733. - CVE-2024-43861: Fix memory leak for not ip packets bsc1229553. - CVE-2021-47598: schcake: do not call...

CVE-2024-50403 QTS, QuTS hero

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to obtain secret data or modify memory. We have already fixed the...

Oracle Linux 8 : perl-App-cpanminus:1.7044 (ELSA-2024-10219)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-10219 advisory. - Patch the code to use https instead of http CVE-2024-45321 perl-CPAN-DistnameInfo perl-CPAN-Meta-Check perl-File-pushd perl-Module-CPANfile perl-Parse-PMFile...

Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

Veeam has released security updates to address a critical flaw impacting Service Provider Console VSPC that could pave the way for remote code execution on susceptible instances. The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted...

PT-2024-35143 · Tenda · Tenda Ac6V2

Name of the Vulnerable Software and Affected Versions: Tenda AC6V2 versions through 15.03.06.50 Description: The issue is a stack-based buffer overflow vulnerability in the setDoublePppoeConfig-guest ip check modules of Tenda AC6V2, where the mask argument can cause buffer overflows...

Fedora 41 : mingw-python3 (2024-e6b1e638d1)

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-e6b1e638d1 advisory. Backport fix for CVE-2024-9287 ---- Update to python-3.11.0. Tenable has extracted the preceding description block directly from the Fedora security advisory...

CVE-2024-53844

CVE-2024-53844 affects labsai/eddi (EDDI), a middleware for LLM API bots. The vulnerability is a path traversal in the backup export functionality, exploitable via the botFilename parameter in RestExportService.java. Input is not properly sanitized, allowing attackers to access arbitrary files in...

Oracle Linux 9 : python3.12-urllib3 (ELSA-2024-9457)

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-9457 advisory. 1.26.18-2.1 - Security fix for CVE-2024-37891 Resolves: RHEL-59997 Tenable has extracted the preceding description block directly from the Oracle Linux security...