2127 matches found

Positive Technologies
added 2024/09/05 12:0 a.m. · 4 views

PT-2024-28029 · Dell · Os10

Name of the Vulnerable Software and Affected Versions: Dell SmartFabric OS10 Software versions 10.5.5.4 through 10.5.5.10 and 10.5.6.x. Description: The issue is related to an Improper Neutralization of Special Elements used in a Command, also known as a 'Command Injection' vulnerability. This cou...

CVSS 8.8 · AI score 7.2 · EPSS 0.01181
Exploits 0 · References 9

OSSF Malicious Packages
added 2024/09/04 7:46 a.m. · 4 views

Malicious code in bitcoin-message (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware e20fe5a331a209f88ded16d3d0a0317fb3bbd42e9b2d3177deb803a64a453728. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1

OSV
added 2024/09/02 4:26 p.m. · 6 views

CVE-2024-43801 Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin

Jellyfin is an open-source, self-hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI, e.g. via "view image" in a...

CVSS 4.6 · AI score 6.1 · EPSS 0.00346
Exploits 0 · References 5

OSV
added 2024/09/02 1:42 a.m. · 7 views

MAL-2024-8266 Malicious code in @diotoborg/ducimus-ducimus-sed (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware 51e3d070dd2234e66afab6a0c54ee82655fefcf13aa9b18bacd181aa7beb102e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits 0 · References 1

SUSE CVE
added 2024/08/30 10:5 a.m. · 1 views

SUSE CVE-2024-43805

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction: opening a malicious notebook with Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user c...

CVSS 7.6 · AI score 7.1 · EPSS 0.00373
Exploits 0 · References 4

OSV
added 2024/08/28 8:15 p.m. · 0 views

UBUNTU-CVE-2024-43805

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction: opening a malicious notebook with Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user c...

CVSS 7.6 · AI score 6 · EPSS 0.00373
Exploits 0 · References 3

Cvelist
added 2024/08/28 8:6 p.m. · 18 views

CVE-2024-45043 OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key...

CVSS 5.3 · EPSS 0.00489
Exploits 0 · References 9

OSV
added 2024/08/28 8:6 p.m. · 3 views

CVE-2024-45043 OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability

The OpenTelemetry Collector module AWS firehose receiver is for ingesting AWS Kinesis Data Firehose delivery stream messages and parsing the records received based on the configured record type. awsfirehosereceiver allows unauthenticated remote requests, even when configured to require a key...

CVSS 5.3 · AI score 6.8 · EPSS 0.00489
Exploits 0 · References 11

SUSE CVE
added 2024/08/28 2:26 a.m. · 2 views

SUSE CVE-2024-43802

Vim is an improved version of the Unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the...

CVSS 4.5 · AI score 7.2 · EPSS 0.00296
Exploits 0 · References 8

OSV
added 2024/08/26 7:15 p.m. · 1 views

ALPINE-CVE-2024-43802

Vim is an improved version of the Unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the...

CVSS 4.5 · AI score 7.1 · EPSS 0.00296
Exploits 0 · References 1

Amazon
added 2024/08/19 12:0 a.m. · 6 views

Medium: ruby3.2

Issue Overview: ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281); ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282). Affected Packages: ruby3.2. Issue Correction: Run dnf update ruby3.2 --releasever 2023.5.20240819 or dnf update --advisory...

CVSS 6.6 · AI score 6.8 · EPSS 0.01571
Exploits 0

Amazon
added 2024/08/13 12:0 a.m. · 3 views

Important: tomcat

Issue Overview: Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn l...

CVSS 7.5 · AI score 7 · EPSS 0.04602
Exploits 0

OSV
added 2024/08/08 3:15 p.m. · 2 views

CVE-2024-7490

Improper Input Validation vulnerability in the Microchip Technology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program file tinydhcpserver.C and program routine lwip_dhcp_find_option. This issue affect...

CVSS 9.8 · AI score 6.7 · EPSS 0.01377
Exploits 0 · References 2

OSV
added 2024/08/06 5:16 p.m. · 9 views

CVE-2024-42347 URL preview setting for a room is controllable by the homeserver in matrix-react-sdk

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the...

CVSS 7.7 · AI score 6.5 · EPSS 0.00427
Exploits 0 · References 4

OSV
added 2024/07/19 2:15 a.m. · 0 views

UBUNTU-CVE-2024-35198

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as "..", and it does not prevent the model from being downloaded into the model store. Once a fi...

CVSS 9.8 · AI score 5.7 · EPSS 0.00792
Exploits 0 · References 5

OSV
added 2024/07/18 10:40 p.m. · 3 views

CVE-2024-35198 TorchServe bypass allowed_urls configuration

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as "..", and it does not prevent the model from being downloaded into the model store. Once a fi...

CVSS 9.8 · AI score 6.5 · EPSS 0.00792
Exploits 0 · References 5

OSV
added 2024/07/17 11:47 p.m. · 9 views

CVE-2024-39681 WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users...

CVSS 5.4 · AI score 6 · EPSS 0.00315
Exploits 1 · References 3

OSV
added 2024/07/17 11:47 p.m. · 8 views

CVE-2024-39679 WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users...

CVSS 4.3 · AI score 6 · EPSS 0.00324
Exploits 1 · References 3

OSV
added 2024/07/17 5:34 p.m. · 3 views

CVE-2024-40641 Unsigned code template execution through workflows in projectdiscovery/nuclei

Nuclei is a fast and customizable vulnerability scanner based on a simple YAML-based DSL. In affected versions, a way to execute code templates without the -code option and without a signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In...

CVSS 7.4 · AI score 7.7 · EPSS 0.00311
Exploits 0 · References 3

OSV
added 2024/07/16 6:15 p.m. · 7 views

AZL-45435 CVE-2024-39908 affecting package ruby for versions less than 3.1.7-1

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as . If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. The REXML gem 3.3.2 or later includes the patches to fix...

CVSS 4.3 · AI score 6.5 · EPSS 0.01379
Exploits 0 · References 1
