2127 matches found

OSV
added 2024/07/15 8:15 p.m. · 1 view

UBUNTU-CVE-2024-40630

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation via a format-agnostic API with a feature set, scalability, and robustness needed for feature film production. In affected versions there is a bug in the heif input...

CVSS 4.3 · AI score 5.7 · EPSS 0.00423
Exploits 0 · References 5
Positive Technologies
added 2024/07/11 12:00 a.m. · 3 views

PT-2024-9038 · Totolink · Totolink X18

Name of the Vulnerable Software and Affected Versions: TOTOLINK X18 version 9.1.0cu.2024 B20220329 Description: A critical issue has been found in the TOTOLINK X18, affecting some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the enable argument leads to os command...

CVSS 8.8 · AI score 7.1 · EPSS 0.03074
Exploits 1 · References 14
Positive Technologies
added 2024/07/09 12:00 a.m. · 2 views

PT-2024-5556

Name of the Vulnerable Software and Affected Versions: FortiAIOps version 2.0.0 Description: The issue is related to an improper neutralization of formula elements in a CSV file, which may allow a remote authenticated attacker to execute arbitrary commands on a client's workstation via poisoned CSV...

CVSS 6.5 · AI score 7.2 · EPSS 0.00437
Exploits 0 · References 7
OSSF Malicious Packages
added 2024/07/04 5:10 a.m. · 3 views

Malicious code in @zitterorg/quia-quasi-voluptas (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4692a97c40fb9dc47048b7597ef41fcf69d7df947c24e37c28ff7fcb91e107dc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1
Positive Technologies
added 2024/07/04 12:00 a.m. · 3 views

PT-2024-24827 · Johnson Controls · Kt1 +2

Name of the Vulnerable Software and Affected Versions: KT1, KT2, and KT400 controllers affected versions not specified Description: The issue concerns the broadcasting of sensitive information when the controller is in factory reset mode. Specifically, the controller broadcasts its MAC address,...

CVSS 3.1 · AI score 6.9 · EPSS 0.00222
Exploits 0 · References 6
OSV
added 2024/07/03 8:15 p.m. · 1 view

DEBIAN-CVE-2024-34750

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of...

CVSS 7.5 · AI score 7.2 · EPSS 0.04602
Exploits 0 · References 1
SUSE CVE
added 2024/06/26 11:20 p.m. · 1 view

SUSE CVE-2024-34580

Apache XML Security for C++ through 2.0.4 implements the XML Signature Syntax and Processing XMLDsig specification without protection against an SSRF payload in a KeyInfo element. NOTE: the project disputes this CVE Record on the grounds that any vulnerabilities are the result of a failure to...

CVSS 5.3 · AI score 7.3 · EPSS 0.00206
Exploits 0 · References 3
Amazon
added 2024/06/24 12:00 a.m. · 3 views

Important: ecs-service-connect-agent

Issue Overview: Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3...

CVSS 8.6 · AI score 7.2 · EPSS 0.00751
Exploits 0
Vulnrichment
added 2024/06/18 5:00 p.m. · 116 views

CVE-2024-21685

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.4, allows an unauthenticated attacker to view sensitive information via an Information Disclosur...

CVSS 7.4 · AI score 6.4 · EPSS 0.00439
Exploits 0 · References 2
OSV
added 2024/06/17 7:39 p.m. · 4 views

CVE-2024-37893 MFA bypass in oauth flow in Firefly III

Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from...

CVSS 5.9 · AI score 7.1 · EPSS 0.00594
Exploits 0 · References 5
OSV
added 2024/06/17 7:28 p.m. · 5 views

CVE-2024-37895 API Key Leak in lobe-chat

Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. This issu...

CVSS 5.7 · AI score 5.6 · EPSS 0.00546
Exploits 1 · References 3
OSV
added 2024/06/15 12:15 p.m. · 2 views

CVE-2024-6006

A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The attack may be launch...

CVSS 5.1 · AI score 3.8 · EPSS 0.00428
Exploits 1 · References 3
Positive Technologies
added 2024/06/15 12:00 a.m. · 7 views

PT-2024-5462 · Google +6 · Google Chrome +6

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 126.0.6478.182; Microsoft Edge affected versions not specified Description: The issue is related to a use after free in the Media Stream component, which could allow a remote attacker to exploit heap corruption...

CVSS 10 · AI score 7.2 · EPSS 0.99739
Exploits 133 · References 1120
Amazon
added 2024/06/12 12:00 a.m. · 2 views

Low: postgresql

Issue Overview: postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (CVE-2024-4317) Affected Packages: postgresql Note: This advisory is applicable to Amazon Linux 2 - Postgresql14 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section...

CVSS 4.3 · AI score 7 · EPSS 0.00722
Exploits 0
Japan Vulnerability Notes
added 2024/06/07 5:51 a.m. · 2 views

Multiple vulnerabilities in "FreeFrom - the nostr client" App

Overview "FreeFrom - the nostr client" App provided by FreeFrom K.K. contains multiple vulnerabilities listed below. Improper verification of cryptographic signature CWE-347 - CVE-2024-36277 Reliance on obfuscation or encryption of security-relevant inputs without integrity checking CWE-649 -...

CVSS 5.3 · AI score 6.6 · EPSS 0.00257
Exploits 0 · References 8
SUSE CVE
added 2024/05/29 10:16 a.m. · 2 views

SUSE CVE-2022-29228

Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT in newer versions and corrupts memory on earlier versions. continueDecoding shouldn't ever ...

CVSS 7.5 · AI score 7.2 · EPSS 0.01165
Exploits 0 · References 3
Positive Technologies
added 2024/05/29 12:00 a.m. · 3 views

PT-2024-22656 · Dell · Dell Emc Data Protection Advisor

Name of the Vulnerable Software and Affected Versions: Dell Data Protection Advisor version 19.9 Description: The issue is related to inadequate encryption strength, which could be exploited by a low-privileged attacker with remote access, potentially leading to denial of service. Recommendations...

CVSS 7.6 · AI score 7.2 · EPSS 0.00128
Exploits 0 · References 4
OSV
added 2024/05/28 9:16 p.m. · 0 views

UBUNTU-CVE-2024-35226

Smarty is a template engine for PHP, facilitating the separation of presentation HTML/CSS from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. Al...

CVSS 7.3 · AI score 5.9 · EPSS 0.00507
Exploits 0 · References 7
OSV
added 2024/05/28 8:15 p.m. · 4 views

CVE-2024-35240 Stored Cross-site Scripting on Print Functionality in Umbraco Commerce

Umbraco Commerce is an open source dotnet ecommerce solution. In affected versions there exists a stored Cross-site scripting XSS issue which would enable attackers to inject malicious code into Print Functionality. This issue has been addressed in versions 12.1.4, and 10.0.5. Users are advised t...

CVSS 5.4 · AI score 6.3 · EPSS 0.00286
Exploits 0 · References 2
OSSF Malicious Packages
added 2024/05/20 5:00 a.m. · 5 views

Malicious code in cors-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f1dd6defac5ab9b43c54c52dec3926781b0bf0a2e9adbf6122ae560a52002ccb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits 0 · References 1