3370 matches found

Cvelist
added 2023/11/22 9:56 a.m., 22 views

CVE-2023-6189 Improper Permission Handling in M-Files Server

Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods...

CVSS 4.3, AI score 5.6, EPSS 0.00511
Exploits: 0, References: 2
CVE
added 2023/11/22 9:56 a.m., 77 views

CVE-2023-6189

The CVE-2023-6189 entry concerns the M-Files server prior to version 23.11.13156.0, where a lack of proper access permissions checks allows an attacker to perform data write and export operations via the M-Files API. Affected component: M-Files server; root cause: missing access control on API me...

CVSS 5.3, AI score 4.9, EPSS 0.00511
Exploits: 0, References: 3, Affected Software: 1
Microsoft Secure
added 2023/11/21 5:00 p.m., 22 views

Microsoft named a Leader in 2023 Gartner® Magic Quadrant™ for Access Management for the 7th year

Protecting identity from compromise is top of mind for security professionals as identity attacks continue to intensify. Earlier this year we reported that we had observed a nearly three-fold increase in password attacks per second in the last two years, from 579 in 2021 to 4,000 in 2023.[1] Identi...

AI score 7.2
Exploits: 0
WPVulnDB
added 2023/11/18 12:00 a.m., 29 views

Paid Memberships Pro < 2.12.4 - Subscriber+ Arbitrary File Upload

Description: The plugin does not properly validate file type in its pmpropaypalexpresssessionvarsforuserfields function, which could allow any authenticated users, such as subscriber, to upload arbitrary files on the server. Note: Exploitation of the issue requires 2Checkout deprecated since versio...

CVSS 8.8, AI score 7, EPSS 0.51535
Exploits: 0, Affected Software: 1
Vulnrichment
added 2023/11/17 1:31 p.m., 29 views

CVE-2023-44350 ColdFusion | Deserialization of Untrusted Data (CWE-502)

Adobe ColdFusion versions 2023.5 and earlier and 2021.11 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction...

CVSS 9.8, AI score 9.6, EPSS 0.64558
Exploits: 0, References: 1
Tenable Nessus
added 2023/11/16 12:00 a.m., 64 views

Oracle Linux 9 : avahi (ELSA-2023-6707)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-6707 advisory.
- Fix CVE-2023-1981 2186689
- Fix CVE-2021-3502 1949949
Tenable has extracted the preceding description block directly from the Oracle Linux security...

CVSS 5.5, AI score 6.5, EPSS 0.0045
Exploits: 2, References: 4
CNNVD
added 2023/11/14 12:00 a.m., 2 views

Microsoft Windows Authentication Methods Security Vulnerability

Microsoft Windows is a suite of operating systems for use on personal devices from the U.S.-based Microsoft Corporation. A security vulnerability exists in Microsoft Windows Authentication Methods. An attacker could exploit this vulnerability to obtain sensitive information. The followi...

CVSS 5.5, AI score 6.4, EPSS 0.00754
Exploits: 0, References: 3
Citrix
added 2023/11/14 12:00 a.m., 7 views

Driver Disk for Microsemi smartpqi 2.1.26_030 - For Citrix Hypervisor 8.2 Cumulative Update 1 LTSR

Who should install this driver disk? Customers running the Citrix Hypervisor 8.2 Cumulative Update 1 LTSR release who use Microsemi's smartpqi driver and wish to use the latest version of the following:

Driver Module | Driver Type | Version
--- | --- | ---
smartpqi | SAS/Storage Controller | 2.1.26030...

AI score 7.1
Exploits: 0
CNNVD
added 2023/11/14 12:00 a.m., 2 views

Microsoft Windows Authentication Methods Security Vulnerability

Microsoft Windows is a suite of operating systems for use on personal devices from the U.S.-based Microsoft Corporation. A security vulnerability exists in Microsoft Windows Authentication Methods. An attacker could exploit the vulnerability to elevate privileges. The following products...

CVSS 7.8, AI score 6.6, EPSS 0.01107
Exploits: 0, References: 3
Oracle Linux
added 2023/11/11 12:00 a.m., 41 views

curl security update

7.76.1-26
- unify the upload/method handling CVE-2023-28322
- fix host name wildcard checking CVE-2023-28321
7.76.1-25
- adapt the fix of CVE-2023-27535 for RHEL 9 curl
7.76.1-24
- fix SSH connection too eager reuse still CVE-2023-27538
- fix GSS delegation too eager connection re-use...

CVSS 8.8, AI score 7.5, EPSS 0.02211
Exploits: 7
Tenable Nessus
added 2023/11/07 12:00 a.m., 21 views

Fedora 39 : pypy3.10 (2023-ddde191e04)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-ddde191e04 advisory. Automatic update for pypy3.10-7.3.12-1.3.10.fc39.
Changelog
Wed Jul 26 2023 Miro Hronok - 7.3.12-1.3.10
- Initial PyPy 3.10 package
Wed Jul 26 2023...

CVSS 8, AI score 7.5, EPSS 0.20459
Exploits: 4, References: 4
OSV
added 2023/11/03 5:15 a.m., 1 views

DEBIAN-CVE-2023-43665

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars and words methods when used with html=True are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars and words...

CVSS 7.5, AI score 6.6, EPSS 0.01236
Exploits: 0, References: 1
OSV
added 2023/11/02 5:25 p.m., 2 views

CLSA-2023-1698945913 python3: Fix of CVE-2020-26116

CVE-2020-26116: prevent header injection in http methods...

CVSS 7.2, AI score 6.6, EPSS 0.06283
Exploits: 1, References: 1
Positive Technologies
added 2023/11/01 12:00 a.m., 2 views

PT-2023-35556 · Unknown · Checkstyle

Name of the Vulnerable Software and Affected Versions: Checkstyle, affected versions not specified. Description: A security exception occurs due to a crash in the getInnerBopAst function of the JavaAstVisitor class in Checkstyle. The issue is related to the ReferencePipeline$3$1.accept and...

AI score 6.9
Exploits: 0, References: 2
BDU FSTEC
added 2023/10/31 12:00 a.m., 2 views

The vulnerability of the EisBaer SCADA system, related to the use of dangerous methods or functions, allows an intruder to execute arbitrary code.

The vulnerability of the EisBaer SCADA system is related to the use of dangerous methods or functions. Exploiting this vulnerability can allow a remote attacker to execute arbitrary code...

CVSS 7.8, AI score 8.1, EPSS 0.00711
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2023/10/25 6:32 p.m., 17 views

GHSA-885R-HHPR-CC9P Jenkins Gogs Plugin uses non-constant time webhook token comparison

Jenkins Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is n...

CVSS 3.7, AI score 5.5, EPSS 0.00569
Exploits: 0, References: 4
OSV
added 2023/10/25 6:32 p.m., 16 views

GHSA-8859-V9JP-CPHF Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication o...

CVSS 3.7, AI score 5.5, EPSS 0.00557
Exploits: 0, References: 4
OSV
added 2023/10/25 6:32 p.m., 13 views

GHSA-86J9-25M2-9W97 Non-constant time webhook token hash comparison in Jenkins Zanata Plugin

Jenkins Zanata Plugin 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, ther...

CVSS 3.7, AI score 5.5, EPSS 0.00462
Exploits: 0, References: 4
Github Security Blog
added 2023/10/25 6:32 p.m., 15 views

Jenkins Gogs Plugin uses non-constant time webhook token comparison

Jenkins Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is n...

CVSS 5.3, AI score 5.2, EPSS 0.00569
Exploits: 0, References: 4, Affected Software: 1
Github Security Blog
added 2023/10/25 6:32 p.m., 32 views

Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this...

CVSS 5.3, AI score 5.1, EPSS 0.00569
Exploits: 0, References: 4, Affected Software: 1