CVE-2021-37678

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses yaml.unsafeload which can perform arbitrary code execution...

CVE-2022-36097

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the...

CVE-2022-36098

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field...

CVE-2022-24768

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5...

Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution RCE. The vulnerability in question, CVE-2024-52875 , refers to a carriage return...

CVE-2024-7696

Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious client to tamper with audit log creation in AXIS Camera Station, or perform a Denial-of-Service attack on the AXIS Camera Station server using maliciously crafted audit l...

PT-2025-17967

Name of the Vulnerable Software and Affected Versions NVIDIA GPU Driver versions affected versions not specified nvidia-graphics-drivers affected versions not specified nvidia-graphics-drivers-legacy-390xx affected versions not specified nvidia-graphics-drivers-tesla-418 affected versions not...

PT-2024-29618 · Nvr · Nvr

Name of the Vulnerable Software and Affected Versions: NVR affected versions not specified Description: A flaw has been discovered that allows for remote code execution on the NVR. An attacker can create an NVR log file in a directory one level higher on the system, which can be used to corrupt...

PT-2024-40482 · Wasmvm +1 · Wasmvm +1

Name of the Vulnerable Software and Affected Versions: wasmvm versions 2.1.0 through 2.1.2 wasmvm versions 2.0.0 through 2.0.3 wasmvm versions prior to 1.5.5 cosmwasm-vm versions 2.1.0 through 2.1.3 cosmwasm-vm versions 2.0.0 through 2.0.6 cosmwasm-vm versions prior to 1.5.8 Description: The issu...

PT-2024-40031 · Wasmvm +1 · Wasmvm +1

Name of the Vulnerable Software and Affected Versions: wasmvm versions 2.1.0 through 2.1.2 wasmvm versions 2.0.0 through 2.0.3 wasmvm versions prior to 1.5.5 cosmwasm-vm versions 2.1.0 through 2.1.3 cosmwasm-vm versions 2.0.0 through 2.0.6 cosmwasm-vm versions prior to 1.5.8 Description: The issu...

Vulnerabilities fixed in Palo Alto PAN OS

Palo Alto Networks has actively fixed exploited vulnerabilities in PAN-OS. UPDATE Public PoC has now appeared to exploit CVE-2024-0012. The vulnerability with attribute CVE-2024-0012 allows a malicious person with access to the management web interface to gain administrator privileges. Through th...

MF Teacher Performance Management System vulnerable to cross-site scripting

Overview MF Teacher Performance Management System provided by Media Fusion Co.,Ltd. contains a cross-site scripting vulnerability CWE-79. Akira Sumiyoshi, Takuto Matsuhashi, Kei Watanabe, Akio Yamaguchi, Syunji Yazaki and Hideaki Tsuchiya of UEC-CSIRT, The University of Electro-Communications...

Security Advisory Ivanti CSA 4.6 (Cloud Services Appliance) (CVE-2024-8963)

Summary Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September CSA 4.6 Patch 519. Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in...

DEBIAN-CVE-2024-8948

A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpzasbytes of the file py/objint.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and ma...

ALPINE-CVE-2024-41946

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability...

CVE-2024-40822

This issue was addressed by restricting options offered on a locked device. This issue is fixed in watchOS 10.6, macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6, iOS 16.7.9 and iPadOS 16.7.9. An attacker with physical access to a device may be able to access contacts from the lock screen...

CVE-2024-41656

Sentry vulnerability CVE-2024-41656 affects self-hosted Sentry versions 10.0.0 to before 24.7.1, where an unsanitized payload from an Integration platform could store arbitrary HTML that is later rendered on the Issues page. The issue is mitigated for Sentry SaaS (already patched) and on sentry.i...

GHSA-G92J-QHMH-64V2 Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Impact The bug in Sentry's Python SDK subprocess.checkoutput"env", env="TEST":"1" b'TEST=1\n' If you'd want to not pass any variables, you can set an empty dict: subprocess.checkoutput"env", env= b'' However, the bug in Sentry SDK 2.8.0 causes all environment variables to be passed to the...

Important: git

Issue Overview: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a...

UBUNTU-CVE-2024-32002

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory...