CVE-2024-56359 Cross-site Scripting vulnerability through HyperLink cells in grist-core

grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier meaning for example Ctrl+click could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context...

CVE-2024-56358

CVE-2024-56358 affects Grist Core prior to 1.3.2. The vulnerability is a cross-site scripting (XSS) condition where previewing an SVG-embedded JavaScript in a malicious document is executed in the user’s page context, potentially compromising the user’s account. Affected component: grist-core ser...

CVE-2024-56357

The vulnerability CVE-2024-56357 affects grist-core prior to version 1.3.1, allowing an attacker to coerce a user into executing JavaScript via the javascript: scheme in custom widget URLs and form redirect URLs. This can lead to user account compromise when a user visits a malicious document or ...

CVE-2024-56333

Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state of art working environment for data scientists. This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, leading to potential...

CVE-2024-56330

Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication ICC is not disabled. This would allow users within a container to access another containers agent, therefore compromising access.The problem has been patched in any Stardust build pa...

CVE-2024-56329

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a...

CVE-2024-56334 Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation

systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands. This...

CVE-2024-56330 Session VNC may be accessed by other sessions on the same host in stardust

Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication ICC is not disabled. This would allow users within a container to access another containers agent, therefore compromising access.The problem has been patched in any Stardust build pa...

CVE-2024-56330 Session VNC may be accessed by other sessions on the same host in stardust

Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication ICC is not disabled. This would allow users within a container to access another containers agent, therefore compromising access.The problem has been patched in any Stardust build pa...

CVE-2024-56330

CVE-2024-56330 affects Stardust, a platform for streaming isolated desktop containers. The issue allows inter container communication (ICC) to remain enabled, enabling a user in one container to access another container’s agent and potentially compromise access. The vulnerability is tied to ICC n...

CVE-2024-56329 Account Takeover Vulnerability in Social Account Linking in joelbutcher/socialstream

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a...

CVE-2024-56329 Account Takeover Vulnerability in Social Account Linking in joelbutcher/socialstream

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a...

CVE-2024-56333 Remote code execution in onyxia-api

Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state of art working environment for data scientists. This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, leading to potential...

CVE-2024-56327 Malicious plugin names, recipients, or identities can cause arbitrary binary execution in pyrage

pyrage is a set of Python bindings for the rage file encryption library age in Rust. pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. S...

CVE-2024-56327 Malicious plugin names, recipients, or identities can cause arbitrary binary execution in pyrage

pyrage is a set of Python bindings for the rage file encryption library age in Rust. pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. S...

CVE-2024-52794 Magnific lightbox susceptible to Cross-site Scripting in Discourse

Discourse is an open source platform for community discussion. Users clicking on the lightbox thumbnails could be affected. This problem is patched in the latest version of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVE-2024-54150 Algorithm Confusion Vulnerability in cjwt

cjwt is a C JSON Web Token JWT Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system doesn't differentiate between an HMAC signed token and an RS/EC/PS...

CVE-2024-54150 Algorithm Confusion Vulnerability in cjwt

cjwt is a C JSON Web Token JWT Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system doesn't differentiate between an HMAC signed token and an RS/EC/PS...

Malicious code in eip-681-qr-generator (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d6d992f1267c6eb7db2bca81d0ea6f421daa4852af6172164111cf8b51ffbbe7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

PT-2024-17738 · Unknown · Codezips Technical Discussion Forum

Name of the Vulnerable Software and Affected Versions: Codezips Technical Discussion Forum version 1.0 Description: A critical issue affects some unknown functionality of the file signinpost.php. The manipulation of the username argument leads to SQL injection. The attack may be launched remotely...