CVE-2024-11619 macrozheng mall JWT Token default key
A vulnerability, which was classified as problematic, has been found in macrozheng mall up to 1.0.3. Affected by this issue is some unknown functionality of the component JWT Token Handler. The manipulation leads to use of a default cryptographic key. The complexity of an attack is rather high. The...
GO-2024-3282 Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager
Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager...
GO-2024-3280 Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher
Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...
GO-2024-3281 github.com/rancher/steve's users can issue watch commands for arbitrary resources in github.com/rancher/steve
github.com/rancher/steve's users can issue watch commands for arbitrary resources in github.com/rancher/steve...
GO-2024-3140 Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go
The Grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running "git remote get-url origin". If credentials are included in the repository URI, for instance to allow for fetching of private...
GO-2024-3122 Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark
Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark...
Security Bulletin: IBM QRadar Pre-Validation App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary: The product includes vulnerable components, e.g., framework libraries, that might be identified and exploited with automated tools. IBM has addressed the vulnerabilities. This product is only used by IBM QRadar SIEM app developers and external business partners and is not relevant for users...
podman security update
5.2.2-9.0.1 - Add devices on container startup, not on creation - overlay: Put should ignore ENINVAL for Unmount Orabug: 36234694 - Drop nmap-ncat requirement and skip ignore-socket test case Orabug: 34117404 4:5.2.2-9 - update to the latest content of...
Exploit for CVE-2024-42640
CVE-2024-42640 Unauthenticated Remote Code Execution via Angul...
GO-2024-3267 Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy
Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
CVE-2024-52587 Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`
StepSecurity's Harden-Runner provides network egress filtering and runtime security for GitHub-hosted and self-hosted runners. Versions of step-security/harden-runner prior to v2.10.2 contain multiple command injection weaknesses via environment variables that could potentially be exploited under...
CVE-2024-52583
The CVE-2024-52583 issue concerns the WesHacks GitHub repository's schedule.html (before 17 November 2024 or commit 93dfb83), which links to Leostop, a site hosting a malicious injected JavaScript file that is triggered when bootstrap and jquery run. Leostop may be tracking malware and creates two JavaScript ...
CVE-2024-52583 WesHacks code includes links to Leostop tracking spyware infested files
The WesHacks GitHub repository provides the official Hackathon competition website source code for the Muweilah Wesgreen Hackathon. The page schedule.html before 17 November 2024 or commit 93dfb83 contains links to Leostop, a site that hosts a malicious injected JavaScript file that occurs when...
CVE-2024-11217 Oauth-server-container: oauth-server-container logs client secret in debug level
A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the logLevel is Debug or higher for OIDC/GitHub/GitLab/Google IDP login options...
CVE-2024-11217
CVE-2024-11217 affects the OAuth-server (including oauth-server-container). The vulnerability causes the OAuth2 client secret to be logged when the logLevel is set to Debug or higher for OIDC/GitHub/GitLab/Google IDP logins. Impact is exposure of OAuth2 client secrets via logs (confidentiality ri...
Metasploit Weekly Wrap-Up: 11/15/2024
Palo Alto Expedition RCE module: This week's release includes an exploit module for the Palo Alto Expedition exploit chain that's been making headlines recently. The first vulnerability, CVE-2024-5910, allows attackers to reset the password of the admin user. The second vulnerability, CVE-2024-946...
Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/edituser.inc.php
Summary: A stored cross-site scripting (XSS) vulnerability in the "Manage User Access" page allows authenticated users to inject arbitrary JavaScript through the "billname" parameter when creating a new bill. This vulnerability can lead to the execution of malicious code when visiting the "Bill...