16591 matches found
CVE-2024-25626
Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Project's BitBake before 2.6.2 (up to and including Yocto Project 4.3.1), with the Toaster server included in BitBake running, missing input...
Input validation
Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Project's BitBake before 2.6.2 (up to and including Yocto Project 4.3.1), with the Toaster server included in BitBake running, missing input...
CVE-2024-25626 Yocto Project Security Advisory - BitBake/Toaster
Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Project's BitBake before 2.6.2 (up to and including Yocto Project 4.3.1), with the Toaster server included in BitBake running, missing input...
WonderCMS 4.3.2 Cross Site Scripting / Remote Code Execution
Author: prodigiousMind. Exploit: WonderCMS 4.3.2 XSS to RCE. import sys; import requests; import os; import bs4; if len(sys.argv) < 4: print("usage: python3 exploit.py loginURL IPAddress Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252") else: data = ''' var url =...
SUSE SLES15 / openSUSE 15 Security Update : squid (SUSE-SU-2024:0455-1)
The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0455-1 advisory. - CVE-2023-50269: fixed X-Forwarded-For stack overflow (bsc#1217654). - CVE-2024-23638: fixed denial of service attack...
CVE-2024-22019
A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of...
Security Bulletin: Due to use of Apache Tomcat, App Connect Professional is vulnerable to HTTP request smuggling.
Summary: App Connect Professional has addressed the following vulnerability reported in Apache Tomcat: CVE-2023-46589. Vulnerability Details: CVE ID: CVE-2023-46589. DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP trailer headers. By sending a...
Node.js 20.x < 20.11.1, 21.x < 21.6.2 Multiple Vulnerabilities - Mac OS X
Node.js is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:nodejs:node.js"; if(description)...
Internet Bug Bounty: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk...
CVE-2024-1459
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories. Mitigation Mitigation for thi...
SUSE-SU-2024:0472-1 Security update for tomcat
This update for tomcat fixes the following issues: Updated to Tomcat 9.0.85: - CVE-2023-45648: Improve trailer header parsing (bsc#1216118). - CVE-2023-42794: FileUpload: remove tmp files to avoid DoS on Windows (bsc#1216120). - CVE-2023-42795: Improve handling of failures during recycle methods...
CVE-2024-23788
Server-side request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 / JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to send an arbitrary HTTP request (GET) from the affected product...
Server-side request forgery (SSRF)
Server-side request forgery vulnerability in Energy Management Controller with Cloud Services JH-RVB1 / JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to send an arbitrary HTTP request (GET) from the affected product...
CVE-2024-23788
CVE-2024-23788 affects Sharp Energy Management Controller with Cloud Services (JH-RV11/B0.1.9.1 and earlier). The issue is a server-side request forgery (SSRF) allowing a network-adjacent, unauthenticated attacker to send arbitrary HTTP GET requests from the affected device. Impact is high for co...
Information Disclosure
TYPO3 is vulnerable to Information Disclosure. The vulnerability is due to the plaintext value of $GLOBALS['SYS']['encryptionKey'] being displayed in the TYPO3 Install Tool user interface. This allows an attacker to utilize the value to generate cryptographic hashes to verify the authenticity of HTTP...
Wednesday, February 14, 2024 Security Releases
Update 14-February-2024: Security releases available. Updates are now available for the v18.x, v20.x and v21.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public...