PT-2024-4507 · Siemens · Simatic Rtls Locating Manager
Name of the Vulnerable Software and Affected Versions: SIMATIC RTLS Locating Manager versions prior to V3.0.1.1 Description: The affected application does not properly limit the size of specific logs, which could allow an unauthenticated remote attacker to exhaust system resources by creating a...
PT-2024-24787 · Kognetiks · Kognetiks Chatbot For Wordpress
Name of the Vulnerable Software and Affected Versions: Kognetiks Chatbot for WordPress versions n/a through 2.0.0 Description: The issue is related to an Unrestricted Upload of File with Dangerous Type, which affects the Kognetiks Chatbot for WordPress. This allows for the upload of files with...
PT-2024-19178 · Zte · Zxun-Epdg
Name of the Vulnerable Software and Affected Versions: ZTE ZXUN-ePDG product versions up to 5.20.19 Description: The ZTE ZXUN-ePDG product, which serves as the network node of the VoWifi system, uses a set of non-unique cryptographic keys by default configuration when establishing a secure...
PT-2024-25558 · Google · Embed Google Fonts
Name of the Vulnerable Software and Affected Versions: Embed Google Fonts versions n/a through 3.1.0 Description: The issue is related to a Missing Authorization vulnerability in Embed Google Fonts. This vulnerability affects Embed Google Fonts from version n/a through 3.1.0. Recommendations: For...
UBUNTU-CVE-2024-30251
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST multipart/form-data request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further request...
CVE-2024-23335
CVE-2024-23335 affects MyBB prior to 1.8.38. The backup management module in Admin CP may accept ".htaccess" as the backup file name, potentially exposing stored backups over HTTP on Apache servers. The fixed version is MyBB 1.8.38. Remediation: upgrade to 1.8.38 (no public workarounds documented...
CVE-2024-32966 Stored Cross-site Scripting in directory listings via file names in static-web-server
Static Web Server SWS is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like .txt will allow JavaScript code...
CVE-2024-3191
A vulnerability, which was classified as critical, has been found in MailCleaner up to 2023.03.14. This issue affects some unknown processing of the component Email Handler. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the...
CVE-2024-3931
A vulnerability was found in Totara LMS up to 18.7. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component User Selector. The manipulation of the argument ID Number leads to cross site scripting. The attack may be...
PT-2024-24410
Name of the Vulnerable Software and Affected Versions: NextMove Lite versions through 2.18.1 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability in XLPlugins NextMove Lite. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a we...
PT-2024-23076
Name of the Vulnerable Software and Affected Versions: Evolution Controller versions 2.04.560.31.03.2024 and below Description: The Web interface of Evolution Controller contains poorly configured access control on the DESKTOP EDIT USER GET CARD endpoint, allowing an unauthenticated attacker to...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code in the form of malicious .m4 files in the tarball distributions which have since been taken down. These malicious build files contain build instructions not present in the upstream repository...
Vulnerability fixed in liblzma (XZ Utils)
Malicious code has been found in liblzma XZ Utils software. XZ Utils is used for compression of data and may be present in Linux distributions. The vulnerability has been labeled CVE-2024-3094 and has been found in versions 5.6.0 and 5.6.1 of XZ Utils. A malicious party can exploit the...
PT-2024-22961 · Dedecms · Dedecms
Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7 Description: A Cross-Site Request Forgery CSRF issue was discovered in DedeCMS, specifically via the component /src/dede/makehtml homepage.php, allowing a remote attacker to execute arbitrary code. Recommendations: For...
PT-2024-13025 · Win Zapp · Win Zapp
Name of the Vulnerable Software and Affected Versions: Win ZApp versions prior to 4.3.0.121 Description: The issue is related to a missing password type validation in the Revert Password check. This could be disabled for some features, potentially leading to security issues. Recommendations: For...
OESA-2024-1320 python-aiosmtpd security update
This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3. Security Fixes: aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP...
SUSE CVE-2024-28849
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials...
AZL-36895 CVE-2024-28849 affecting package reaper for versions less than 3.1.1-9
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials...
DEBIAN-CVE-2024-28849
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header, which contains credentials...
PYSEC-2024-221
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send...