
Veracode
added 2024/12/11 6:48 a.m. | 7 views

Method Exposure

orchid/platform is vulnerable to Method Exposure. The vulnerability is due to inadequate access control in the asynchronous modal functionality of the Orchid Platform, which allows arbitrary methods within the Screen class to be called without proper validation, enabling attackers to exploit the expose...

CVSS 4.1 | AI score 6.7 | EPSS 0.00108
Exploits 0 | References 3 | Affected software 1
Tenable Nessus
added 2024/12/11 12:00 a.m. | 13 views

SUSE SLES15 Security Update : kernel (Live Patch 20 for SLE 15 SP4) (SUSE-SU-2024:4276-1)

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:4276-1 advisory. This update for the Linux Kernel 5.14.21-1504002497 fixes several issues. The following security issues were fixed: - CVE-2024-36904: tcp: Use...

CVSS 7.8 | AI score 6.9 | EPSS 0.00343
Exploits 0 | References 7
Tenable Nessus
added 2024/12/11 12:00 a.m. | 11 views

openSUSE 15 Security Update : cobbler (openSUSE-SU-2024:0382-1)

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2024:0382-1 advisory. Update to 3.3.7: Security: Fix issue that allowed anyone to connect to the API as admin CVE-2024-47533, boo1231332 bind - Fix bug that prevents cname...

CVSS 9.8 | AI score 5.7 | EPSS 0.7247
Exploits 6 | References 14
Microsoft KB
added 2024/12/10 8:00 a.m. | 599 views

December 10, 2024—Hotpatch KB5048800 (OS Build 20348.2908)

December 10, 2024—Hotpatch KB5048800 OS Build 20348.2908 Improvements and fixes This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the...

CVSS 9.8 | AI score 9.8 | EPSS 0.89239
Exploits 13
NVD
added 2024/12/10 1:15 a.m. | 14 views

CVE-2024-47579

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows th...

CVSS 6.8 | EPSS 0.00162
Exploits 0 | References 2
NVD
added 2024/12/09 4:15 a.m. | 10 views

CVE-2024-53281

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in Network WOL functionality in Synology Router Manager SRM before 1.3.1-9346-10 allows remote authenticated users to read or write specific files containing non-sensitive information and conduct...

CVSS 5.9 | EPSS 0.00692
Exploits 0 | References 1
Cvelist
added 2024/12/09 3:38 a.m. | 13 views

CVE-2024-53285

Improper neutralization of input during web page generation 'Cross-site Scripting' vulnerability in DDNS Record functionality in Synology Router Manager SRM before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitiv...

CVSS 5.9 | EPSS 0.00692
Exploits 0 | References 1
CVE
added 2024/12/09 3:38 a.m. | 56 views

CVE-2024-53285

The CVE-2024-53285 flaw affects Synology Router Manager (SRM) versions prior to 1.3.1-9346-10, specifically within the DDNS Record component. The root cause is improper neutralization of input during web page generation, enabling Cross-site Scripting (XSS) by an administrator with full rights. Im...

CVSS 5.9 | AI score 6 | EPSS 0.00692
Exploits 0 | References 1 | Affected software 1
Hacker One
added 2024/12/06 7:48 a.m. | 7 views

Drugs.com: 2FA Bypass leads to impersonation of legitimate users

The authentication system contained a logic flaw that allowed an attacker to impersonate a legitimate user who had not yet registered. By abusing the email change functionality and bypassing two-factor authentication, the attacker could retain access to the account until the legitimate user reset...

AI score 7.1
Exploits 0
NVD
added 2024/12/05 4:15 p.m. | 12 views

CVE-2024-10716

Pega Platform versions 8.1 to Infinity 24.2.0 are affected by an XSS issue with search...

CVSS 5.9 | EPSS 0.00281
Exploits 0 | References 1
CVE
added 2024/12/05 4:00 p.m. | 53 views

CVE-2024-12232

CVE-2024-12232 affects Code-Projects Simple CRUD Functionality 1.0. The vulnerability occurs in an unknown code path of /index.php, where manipulation of the parameters newtitle and newdescr leads to cross-site scripting (XSS). It is described as exploitable remotely with the exploit publicly di...

CVSS 6.1 | AI score 3.9 | EPSS 0.00131
Exploits 1 | References 5 | Affected software 1
Vulnrichment
added 2024/12/05 4:00 p.m. | 7 views

CVE-2024-12232 code-projects Simple CRUD Functionality index.php cross site scripting

A vulnerability has been found in code-projects Simple CRUD Functionality 1.0 and classified as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument newtitle/newdescr leads to cross site scripting. The attack can be initiated remotely. The...

CVSS 5.3 | AI score 6.4 | EPSS 0.00131
Exploits 1 | References 5
OSV
added 2024/12/03 4:58 p.m. | 10 views

CVE-2024-52815 Synapse allows a malformed invite to break the invitee's `/sync`

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 | AI score 6.2 | EPSS 0.00353
Exploits 0 | References 3
AlpineLinux
added 2024/12/03 4:58 p.m. | 18 views

CVE-2024-52815

Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects su...

CVSS 8.7 | AI score 7.1 | EPSS 0.00353
Exploits 0
Positive Technologies
added 2024/12/03 12:00 a.m. | 4 views

PT-2024-36005 · Unknown · Mobile Security Framework

Name of the Vulnerable Software and Affected Versions: Mobile Security Framework MobSF versions prior to 4.2.9 Description: The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the...

CVSS 8.1 | AI score 5.5 | EPSS 0.0193
Exploits 1 | References 12
Veeam
added 2024/12/03 12:00 a.m. | 14 views

Restore to oVirt KVM VM Post-Restore Recommended Actions

Purpose This article documents recommended post-restore actions that should be taken after restoring VMs, physical machines, and cloud machines to the oVirt KVM hypervisor. Solution Starting in the oVirt KVM Plug-In included with Veeam Backup & Replication 12.3, a feature has been added that allo...

AI score 6.5
Exploits 0 | Affected software 1
Github Security Blog
added 2024/12/02 9:36 p.m. | 14 views

Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery

Impact A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection SSTI can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these...

CVSS 5.4 | AI score 7.2 | EPSS 0.00153
Exploits 0 | References 4 | Affected software 1
CVE
added 2024/11/27 12:07 p.m. | 88 views

CVE-2024-42333

CVE-2024-42333 is confirmed in multiple advisories as a memory leak caused by an out-of-bounds read in zabbix server code (src/libs/zbxmedia/email.c). The vulnerability affects Zabbix deployments and has been addressed in multiple distributions: Fedora 40 update to zabbix 6.0.36; Debian bullseye ...

CVSS 2.7 | AI score 7 | EPSS 0.00131
Exploits 0 | References 2 | Affected software 1
UbuntuCve
added 2024/11/25 10:15 p.m. | 11 views

CVE-2024-53102

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

AI score 5.7
Exploits 0 | References 7
NVD
added 2024/11/22 10:15 p.m. | 9 views

CVE-2024-7236

AVG AntiVirus Free icarus Arbitrary File Creation Denial of Service Vulnerability. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AVG AntiVirus Free. An attacker must first obtain the ability to execute low-privileged code on the...

CVSS 5.5 | EPSS 0.00087
Exploits 0 | References 1