SUSE-SU-2026:0877-1 Security update for tomcat11
This update for tomcat11 fixes the following issues: Update to Tomcat 11.0.18: - CVE-2025-66614: client certificate verification bypass due to virtual host mapping bsc1258371. - CVE-2026-24733: improper input validation on HTTP/0.9 requests bsc1258385. - CVE-2026-24734: certificate revocation...
EUVD-2017-14349
Malware in sbrugna...
EUVD-2020-7752
Malware in sbrugna...
EUVD-2023-0689
Malicious code in bioql PyPI...
CVE-2019-10315
Jenkins GitHub Authentication Plugin 0.31 and earlier did not use the state parameter of OAuth to prevent CSRF...
Veeam ONE Report Error "Invalid query string"
Challenge When previewing a report in Veeam ONE Web Client, the report fails to load with the error: Error Invalid query string Cause This error occurs when the URL used to access the Veeam ONE Web Client does not match the URL of the report preview. For example, if the URL used to access Veeam O...
GHSA-G8X5-P9QC-CF95 @fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
Impact All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be...
GHSA-C57V-HC7M-8PX2 Cross-site Scripting in Quarkus
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
Cross-site Scripting in Quarkus
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
CVE-2023-0044
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
Design/Logic Flaw
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
CVE-2023-0044
CVE-2023-0044 concerns Quarkus Form Authentication: if the session cookie Path is set to "/", a cross-site attack may disclose information. The issue is described across multiple sources tied to Quarkus advisories (Red Hat RHSA entries and IBM/OSV records) and is mitigated by the Quarkus CSRF Pre...
Stored XSS - XSS in RSS link href attribute
Description Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent or stored XSS vulnerability is a more devastating variant of a...
The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...
PT-2022-28174 · Apollo · Apollo Server 2 +1
Name of the Vulnerable Software and Affected Versions: Apollo Server 2 versions prior to 2.25.4 Apollo Server versions that manually integrate with graphql-upload and do not have CSRF prevention enabled Description: The graphql-upload npm package can execute GraphQL operations contained in...
CVE-2022-2986
Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk...
Admin Management Xtended < 2.4.5 - Post Visibility/Date/Comment Status Update via CSRF
The plugin does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status draft, published, slug, post date, comment status enabled, disabled and more. PoC The following PoC codes a...