CVE-2024-23639
Source: CVE · added 2024/02/09 12:15 a.m.

Affected product: Micronaut Framework (micronaut-core). Vulnerability: Enabled but unsecured management endpoints allow drive-by localhost attacks when a malicious site issues HTTP requests to localhost, potentially bypassing CORS checks for some simple requests. Impact: Local development environ...

CVSS 7.8 · AI score 7.5 · EPSS 0.00261
Exploits: 0 · References: 2 · Affected software: 1

PYSEC-2024-125
Source: PyPA · added 2024/02/09 12:15 a.m.

DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known...

CVSS 9.1 · AI score 6.7 · EPSS 0.00534
Exploits: 0 · References: 2 · Affected software: 1

CVE-2024-24825 TokenManager not checking permissions on cached tokens in DIRAC
Source: Vulnrichment · added 2024/02/08 11:39 p.m.

DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known...

CVSS 9.1 · AI score 7 · EPSS 0.00534
Exploits: 0 · References: 2

CVE-2024-24830 OpenObserve Privilege Escalation Vulnerability in Users API
Source: Vulnrichment · added 2024/02/08 11:09 p.m.

OpenObserve is an observability platform built specifically for logs, metrics, traces and analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/orgid/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with...

CVSS 9.9 · AI score 9 · EPSS 0.00716
Exploits: 1 · References: 1

AZL-35782 CVE-2024-24806 affecting package cmake for versions less than 3.28.2-6
Source: OSV · added 2024/02/07 10:15 p.m.

libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in src/unix/getaddrinfo.c and its Windows counterpart src/win/getaddrinfo.c truncate hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...

CVSS 7.3 · AI score 6.8 · EPSS 0.02003
Exploits: 1 · References: 1

CVE-2024-24806 Improper Domain Lookup that potentially leads to SSRF attacks in libuv
Source: Vulnrichment · added 2024/02/07 9:44 p.m.

libuv is a multi-platform support library with a focus on asynchronous I/O. The uv_getaddrinfo function in src/unix/getaddrinfo.c and its Windows counterpart src/win/getaddrinfo.c truncate hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses...

CVSS 7.3 · AI score 7.3 · EPSS 0.02003
Exploits: 1 · References: 11

Important: redis6
Source: Amazon · added 2024/02/06 12:00 a.m.

Issue Overview: Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers, which can result in an integer overflow that leads to a heap overflow and potential remote code execution. This issue has been patched in versions 7.0.15 and 7.2.4. CVE-2023-41056...

CVSS 8.1 · AI score 8 · EPSS 0.02582
Exploits: 0

PT-2024-6708 · Synology · Synology Drive Client
Source: Positive Technologies · added 2024/01/30 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: Synology Drive Client versions prior to 3.3.0-15082. Description: The issue is related to the inclusion of functionality from an untrusted control sphere in the OpenSSL DLL component. This allows local users to execute arbitrary code via...

CVSS 7.8 · AI score 7.9 · EPSS 0.00203
Exploits: 0 · References: 7

MAL-2024-774 Malicious code in wlwz-2312-6701 (npm)
Source: OSV · added 2024/01/24 8:23 p.m.

Source: ghsa-malware 87424c1db327fdb6fcdada86c19c1a4bbe8cf04e87a535b21eabc66bab4df6e6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0 · References: 1

Malicious code in wlwz-2312-1106 (npm)
Source: OSSF Malicious Packages · added 2024/01/24 8:23 p.m.

Source: ghsa-malware a4f61a2649cb1e02df29460e01f9c357290aaa9f3592eb13e4a8a4fbe544393f. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0 · References: 1

anchor-token (>=0.0.1 <=0.3.0-alpha.1), archid-marketplace (>=1.0.5 <=1.0.8) +150 more potentially affected by CVE-2024-58264 via serde-json-wasm (>=0.1.3 <=0.4.1)
Source: vulnersOsv · added 2024/01/24 12:00 p.m.

serde-json-wasm CARGO version =0.1.3, =0.0.1, =1.0.5, =1.0.0, =1.0.0, =0.3.1, =0.1.0, =2.5.2, =0.1.0, =1.0.0, =0.4.0, =1.0.0, =2.2.0-rc3 - cosmwasm-contract-migratable-std =0.1.0 and more. Source CVEs: CVE-2024-58264. Source advisory: OSV:RUSTSEC-2024-0012...

CVSS 7.5 · AI score 5.8 · EPSS 0.00346
Exploits: 0

CVE-2024-22420 Stored cross site scripting in Markdown Preview in JupyterLab
Source: Vulnrichment · added 2024/01/19 8:49 p.m.

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab's preview feature. A malicious user can access any data that the...

CVSS 6.5 · AI score 7.2 · EPSS 0.00568
Exploits: 0 · References: 3

CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Source: Vulnrichment · added 2024/01/19 7:43 p.m.

Vite is a frontend tooling framework for JavaScript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...

CVSS 7.5 · AI score 7 · EPSS 0.00791
Exploits: 1 · References: 3

PT-2024-19411 · Unknown · Jupyterlab
Source: Positive Technologies · added 2024/01/19 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: JupyterLab versions prior to 4.0.11. Description: This issue depends on user interaction by opening a malicious Markdown file using JupyterLab's preview feature. A malicious user can access any data that the attacked user has access to and...

CVSS 6.5 · AI score 6.9 · EPSS 0.00568
Exploits: 0 · References: 14

CVE-2024-22419
Source: CVE · added 2024/01/18 6:45 p.m.

CVE-2024-22419 affects the Vyper compiler/runtime: the built-in concat can write past the allocated memory buffer, potentially corrupting memory and changing contract semantics. The root cause is the build_IR path not properly conforming to the copy_bytes API for versions >= 0.3.2, enabling a ...

CVSS 9.8 · AI score 8.7 · EPSS 0.0077
Exploits: 1 · References: 3 · Affected software: 1

CVE-2024-22411 Cross site scripting in Action messages on Avo
Source: Vulnrichment · added 2024/01/16 9:57 p.m.

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12, any HTML inside text that is passed to error or succeed in an Avo::BaseAction subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A maliciou...

CVSS 6.5 · AI score 6.2 · EPSS 0.0071
Exploits: 1 · References: 5

PT-2024-1219 · Oracle · Oracle Audit Vault/Database Firewall
Source: Positive Technologies · added 2024/01/16 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: Oracle Audit Vault and Database Firewall versions 20.1 through 20.9. Description: The issue is related to insufficient input validation in the Firewall component of Oracle Audit Vault and Database Firewall. It allows a high-privileged attacker...

CVSS 7.6 · AI score 7.3 · EPSS 0.0043
Exploits: 0 · References: 6

PT-2024-1444 · Unknown · Rapid Scada
Source: Positive Technologies · added 2024/01/11 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: Rapid SCADA versions prior to Version 5.8.4. Description: The issue is related to the use of open redirection due to incorrect data cleaning on the user login page. This allows an attacker to redirect users to malicious pages through the login...

CVSS 5.5 · AI score 5.3 · EPSS 0.00315
Exploits: 0 · References: 9

Medium: squid
Source: Amazon · added 2024/01/09 12:00 a.m.

Issue Overview: Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug, Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to...

CVSS 8.6 · AI score 7.1 · EPSS 0.88864
Exploits: 0

Important: bluez
Source: Amazon · added 2024/01/08 12:00 a.m.

Issue Overview: bluez: unauthorized HID device connections allow keystroke injection and arbitrary command execution (CVE-2023-45866). Affected Packages: bluez. Issue Correction: Run dnf update bluez --releasever 2023.3.20240108 or dnf update --advisory ALAS2023-2024-473 --releasever 2023.3.2024010...

CVSS 6.3 · AI score 7.6 · EPSS 0.07879
Exploits: 7
