OESA-2024-2074 moby security update

Docker is a product for you to build, ship and run any application as a lightweight container. Security Fixes: Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an...

SUSE CVE-2024-42486

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway...

CVE-2024-25582

The CVE-2024-25582 issue affects Open-Xchange App Suite via the module savepoint mechanism. The root cause is that savepoints could be abused to inject references to malicious code delivered through the same domain, enabling attackers to perform malicious API requests or extract information from ...

Security Bulletin: Moment.js issue of validating, manipulating, and formatting dates

Summary Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm server users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale...

FreeBSD : OpenHAB CometVisu addon -- Multiple vulnerabilities (587ed8ac-5957-11ef-854a-001e676bf734)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 587ed8ac-5957-11ef-854a-001e676bf734 advisory. OpenHAB reports: This patch release addresses the following security advisories: All of these are relat...

Security Bulletin: Apache commons-fileupload vulnerability (CVE-2023-24998)

Summary Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option...

OpenHAB CometVisu addon -- Multiple vulnerabilities

OpenHAB reports: This patch release addresses the following security advisories: SSRF/XSS CometVisu - GHSA-v7gr-mqpj-wwh3 Sensitive information disclosure CometVisu - GHSA-3g4c-hjhr-73rj RCE through path traversal CometVisu - GHSA-f729-58x4-gqgf Path traversal CometVisu - GHSA-pcwp-26pw-j98w All ...

GHSA-JMP3-39VP-FWG8 Wagtail regular expression denial-of-service via search query parsing

Impact A bug in Wagtail's parsequerystring would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parsequerystring would take an unexpectedly large amount of time to process, resulting in a denial of...

PT-2024-28716 · Unknown +1 · Privatebin +1

Name of the Vulnerable Software and Affected Versions: PrivateBin versions 1.5 through 1.7.3 Description: The issue is related to the YOURLS server-side proxy mechanism introduced in PrivateBin version 1.5. This mechanism allows using the YOURLs URL shortener without exposing the authentication...

Astra Linux – Vulnerability in Composer

Composer is a dependency manager for PHP. On the 2.x branch, prior to versions 2.2.24 and 2.7.7, the status, reinstall, and remove commands, when used with packages installed from sources via Git that contain specially crafted branch names in the repository, could allow for the execution of...

GHSA-3H5V-Q93C-6H6Q ws affected by a DoS when handling a request with many HTTP headers

Impact A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. Proof of concept js const http = require'http'; const WebSocket = require'ws'; const wss = new WebSocket.Server port: 0 , function const chars =...

GHSA-HJX6-F647-MVF9 Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components

Impact We have identified a Cross-Site Scripting XSS vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...

CGA-V64C-HF56-674V

Bulletin has no description...

AutomationDirect P3-550E Programming Software Connection scan_lib.bin library code injection vulnerability

Talos Vulnerability Report TALOS-2024-1943 AutomationDirect P3-550E Programming Software Connection scanlib.bin library code injection vulnerability May 28, 2024 CVE Number CVE-2024-23601 SUMMARY A code injection vulnerability exists in the scanlib.bin functionality of AutomationDirect P3-550E...

Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition

GitLab has fixed vulnerabilities in Enterprise Edition EE and Community Edition CE. A malicious party can exploit the vulnerabilities to cause a Denial-of-Service DoS, or collect sensitive data via a Cross-Site-Scripting attack XSS to take over accounts. GitLab has released updates to fix the...

CVE-2024-35187 Stalwart Mail Server has privilege escalation by design

Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, attackers who achieved Arbitrary Code Execution as the stalwart-mail user including web interface admins can gain complete root access to the system. Usually, system services are run as a separate user not as root to...

PT-2024-32996 · Ruijie · Ruijie Rg-Uac

Name of the Vulnerable Software and Affected Versions: Ruijie RG-UAC versions prior to 20240507 Description: A critical vulnerability exists in Ruijie RG-UAC. The manipulation of the name argument in an unknown function of the file /view/networkConfig/physicalInterface/interface commit.php leads ...

PT-2024-31593 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 15.4 through 16.9.7 GitLab CE/EE versions 16.10 through 16.10.5 GitLab CE/EE versions 16.11 through 16.11.2 Description: An issue has been discovered in GitLab CE/EE where abusing the API to filter branches and tags coul...

CVE-2024-23186

E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer...

PT-2024-25305 · Wpzoom · Wpzoom Addons For Elementor

Name of the Vulnerable Software and Affected Versions: WPZOOM Addons for Elementor versions 1.1.35 and earlier Description: The issue affects WPZOOM Addons for Elementor, allowing Stored XSS due to improper neutralization of input during web page generation. This is a Cross-site Scripting...