SonicWALL SonicOS Security Vulnerabilities

SonicWALL SonicOS is a set of operating systems designed for SonicWall firewall appliances from SonicWALL USA. A security vulnerability exists in the SonicWALL SonicOS HTTP server. A remote attacker could exploit this vulnerability to cause a denial of service DoS via the sscanf function...

Adobe Experience Manager 跨站脚本漏洞

Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...

Google Chrome 安全漏洞

Google Chrome is a web browser from Google, an American company. A code execution vulnerability exists in versions prior to Google Chrome 126.0.6478.54, which can be exploited by an attacker to gain out-of-bounds access to memory via a crafted HTML page...

golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

A vulnerability was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the amount of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial of Service DoS attack...

PT-2024-7228

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 126.0.6478.126 Description The issue is related to type confusion in the WebAssembly module of Google Chrome, which can be exploited by a remote attacker to execute arbitrary code via a crafted HTML page. The...

jetty: stop accepting new connections from valid clients

A flaw was found in Jetty, a Java based web server and servlet engine. If an HTTP/2 connection gets TCP congested, it remains open and idle, and connections may be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file...

The vulnerability of WebRTC implementations in Google Chrome and Microsoft Edge browsers allows attackers to compromise the confidentiality, integrity, and accessibility of protected information.

The vulnerability of WebRTC implementations in Google Chrome and Microsoft Edge stems from the execution of operations beyond the buffer in memory. Exploiting this vulnerability allows a malicious actor to compromise the confidentiality, integrity, and accessibility of protected information by...

The vulnerability of the HTTP/3 QUIC module (ngx_http_v3_module) in NGINX Plus and NGINX OSS web servers allows a attacker to cause a service failure.

The vulnerability of the HTTP/3 QUIC module ngxhttpv3module in NGINX Plus and NGINX OSS servers is related to buffer overflow in the stack. Exploiting this vulnerability can allow a malicious actor to cause service interruptions by sending specially crafted HTTP/3 requests...

DEBIAN-CVE-2024-28103

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3...

eap-galleon: custom provisioning creates unsecured http-invoker

An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server...

The vulnerability of the Dawn component in browsers such as Google Chrome and Microsoft Edge allows attackers to compromise the confidentiality, integrity, and accessibility of protected information.

The vulnerability of the Dawn component in Google Chrome and Microsoft Edge relates to the use of memory after it is freed. Exploiting this vulnerability allows a remote attacker to compromise the confidentiality, integrity, and accessibility of protected information by loading a specially create...

CVE-2024-23670

An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI...

SUSE CVE-2024-5493

Heap buffer overflow in WebRTC in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

UBUNTU-CVE-2024-34006

The site log report required additional encoding of event descriptions to ensure any HTML in the content is displayed in plaintext instead of being rendered...

SUSE CVE-2024-35200

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate...

Moodle Security Breach

Moodle is a free, open source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment. A security vulnerability exists in Moodle that stems from the failure to sanitize hypertext markup language in site logs...

DEBIAN-CVE-2024-5498

Use after free in Presentation API in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

Medium: amazon-ecr-credential-helper

Issue Overview: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed...

golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests

A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from network than are in the body up to 1GiB, causing the receiver to fail reading the response, possibly leading to a Denial of Servic...

The vulnerabilities of LOV components in terms of technical maintenance, repairs, and major overhauls of Oracle Complex Maintenance, Repair, and Overhaul systems—systems that enable attackers to gain access to read, modify, add, or delete data.

The vulnerability of LOV components in terms of technical maintenance, repairs, and major overhauls of Oracle system equipment exists due to insufficient verification of input data. Exploiting this vulnerability can allow an attacker, operating remotely, to gain access to read, modify, add, or...