CVE-2024-41258
An issue was discovered in filestash v0.4. The usage of the ssh.InsecureIgnoreHostKey disables host key verification, possibly allowing attackers to obtain sensitive information via a man-in-the-middle attack...
CVE-2024-7326
CVE-2024-7326 concerns IObit DualSafe Password Manager 1.4.0.3. Connected data specifies an issue in the BPL Handler’s RTL120.BPL library that enables an uncontrolled search path, allowing a local attacker to execute arbitrary commands. The root cause is tied to the RTL120.BPL component within th...
CVE-2024-6977
Cato Networks Windows SDP Client has a vulnerability prior to version 5.10.34 where sensitive information can be written into trace/log files, potentially enabling an account takeover. The issue requires bypassing protections that modify the tunnel token on the attacker’s system. Affected softwar...
CVE-2024-7310
A vulnerability was found in SourceCodester Record Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file sortuser.php. The manipulation of the argument sort leads to cross site scripting. The attack can be initiated remotely. The exploit h...
CVE-2024-6255
A vulnerability in the JSON file handling of gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to delete any JSON file on the server, including critical configuration files such as config.json and dsconfigchatbot.json. This issue arises due to improper validation of file paths, enabling...
CVE-2024-41255
filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go...
CVE-2024-41254
An issue was discovered in litestream v0.3.13. The usage of the ssh.InsecureIgnoreHostKey disables host key verification, possibly allowing attackers to obtain sensitive information via a man-in-the-middle attack...
CVE-2024-41256
Default configurations in the ShareProofVerifier function of filestash v0.4 cause the application to skip the TLS certificate verification process when sending out email verification codes, possibly allowing attackers to access sensitive data via a man-in-the-middle attack...
SUSE SLES12 Security Update : gvfs (SUSE-SU-2024:2681-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2681-1 advisory. - CVE-2019-12795: Fixed attack via local D-Bus method calls bsc1137930 Tenable has extracted the preceding description block directly from t...
CVE-2023-38001
IBM Aspera Orchestrator 4.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260206...
CVE-2024-6230
The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to denial of service due to cURL libcurl ( CVE-2022-32208, CVE-2022-32206 )
Summary cURL libcurl is used by IBM Cloud Pak for Data as part of the platform. CVE-2022-32208, CVE-2022-32206. Vulnerability Details CVEID:CVE-2022-32208 DESCRIPTION: cURL libcurl is vulnerable to a man-in-the-middle attack, caused by a flaw in the handling of message verification failures. An...
CVE-2024-7193
Summary of CVE-2024-7193 (Mp3tag): Affected software is Mp3tag up to version 3.26d, with the vulnerability located in the DLL Handler’s tak_deco_lib.dll. The issue is an uncontrolled search path resulting from code in tak_deco_lib.dll, enabling local-host exploitation. Public exploit information ...
CVE-2024-5285
CVE-2024-5285 affects the WordPress plugin WP Affiliate Platform (prior to v6.5.2). The Red Hat and CVE ecosystem entries confirm a CSRF protection omission when deleting affiliates, enabling a logged-in user to be coerced into deleting affiliates via CSRF. The issue is mitigated by upgrading to ...
CVE-2024-6569 Campaign Monitor for WordPress <= 2.8.15 - Unauthenticated Full Path Disclosure
The Campaign Monitor for WordPress plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.8.15. This is due to the plugin not properly restricting direct access to /forms/views/admin/create.php and display_errors being enabled. This makes it possible for...
CVE-2024-22444
A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a...
CVE-2024-41914
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...
DNS Message Flood Attacks
libbind9.so is vulnerable to DNS message flood attack. The vulnerability is due to inadequate handling of multiple DNS messages over TCP, causing the server to become unstable during the attack. Attackers can exploit this by sending numerous DNS messages over TCP, potentially leading to server...
CVE-2020-11640
AdvaBuild uses a command queue to launch certain operations. An attacker who gains access to the command queue can use it to launch an attack by running any executable on the AdvaBuild node. The executables that can be run are not limited to AdvaBuild specific executables. Improper Privilege...
CVE-2020-11640
ABB Advant MOD 300 AdvaBuild (versions 3.0–3.7 SP2) is affected by CVE-2020-11640 due to improper privilege management in the command queue. An attacker who gains access to the command queue can trigger execution of arbitrary executables on the AdvaBuild node, not limited to AdvaBuild utilities, ...