1147 matches found

Tenable Nessus
added 2024/12/10 12:0 a.m. · 4 views

Defense-in-Depth Security Updates for Microsoft Project (December 2024)

The Microsoft Project products are missing defense-in-depth security updates to help improve security-related features. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

AI score: 5.5
Exploits: 0 · References: 2

Tenable Nessus
added 2024/12/10 12:0 a.m. · 16 views

Security Updates for Microsoft Excel Products (December 2024)

The Microsoft Excel Products are missing a security update. It is, therefore, affected by the following vulnerability: - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. CVE-2024-49069 Note that Nessus has no...

CVSS: 7.8 · AI score: 6.7 · EPSS: 0.00243
Exploits: 0 · References: 2

OSV
added 2024/11/29 11:57 a.m. · 2 views

OESA-2024-2490 rubygem-sinatra security update

Sinatra is a DSL intended for quickly creating web-applications in Ruby with minimal effort. Security Fixes: Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a...

CVSS: 8.8 · AI score: 7 · EPSS: 0.00356
Exploits: 1 · References: 2

Github Security Blog
added 2024/11/20 6:23 p.m. · 14 views

ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic

Name: ASA-2024-010: Mismatched bit-length in sdk.Int and sdk.Dec can lead to panic Component: Cosmos SDK / Math Criticality: High Considerable Impact, and Possible Likelihood per ACMv1.2 Affected versions: cosmossdk.io/math package versions !NOTE When on a lower version than cosmossdk.io/math...

AI score: 6.7
Exploits: 0 · References: 4 · Affected Software: 1

Tenable Nessus
added 2024/11/06 12:0 a.m. · 8 views

Oracle Linux 8 : python3.12 (ELSA-2024-8836)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-8836 advisory. 3.12.6-1 - Update to 3.12.6 Resolves: RHEL-57405 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note th...

CVSS: 7.5 · AI score: 6.9 · EPSS: 0.03014
Exploits: 2 · References: 2

SUSE Linux
added 2024/10/31 2:33 p.m. · 1 view

Security update for the Linux Kernel RT (Live Patch 17 for SLE 15 SP5)

This update for the Linux Kernel 5.14.21-1505001361 fixes several issues. The following security issues were fixed: CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init() (bsc#1227471). CVE-2024-40954: net: do not leave a dangling sk pointer, when socket creation fails (bsc#1227808)...

CVSS: 7.8 · AI score: 8.2 · EPSS: 0.00022
Exploits: 0 · References: 16

OSV
added 2024/10/28 3:15 p.m. · 0 views

UBUNTU-CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML...

CVSS: 8.7 · AI score: 6.8 · EPSS: 0.01645
Exploits: 0 · References: 10

Japan Vulnerability Notes
added 2024/10/22 4:2 a.m. · 2 views

Multiple SQL injection vulnerabilities in Trend Micro Deep Discovery Inspector

Overview Trend Micro Incorporated has released a security update for Trend Micro Deep Discovery Inspector. Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. Impact Information disclosure due to multiple SQL injection vulnerabilities...

CVSS: 9.1 · AI score: 8.1 · EPSS: 0.0075
Exploits: 0 · References: 4

OSV
added 2024/10/21 1:15 p.m. · 1 view

AZL-50646 CVE-2024-47756 affecting package kernel for versions less than 6.6.56.1-5

In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Fix if-statement expression in ks_pcie_quirk() This code accidentally uses && where || was intended. It potentially results in a NULL dereference. Thus, fix the if-statement expression to use the correct condition...

CVSS: 5.5 · AI score: 6.7 · EPSS: 0.00021
Exploits: 0 · References: 1

Positive Technologies
added 2024/10/17 12:0 a.m. · 2 views

PT-2024-39595 · WordPress · Bulk Images Optimizer

Name of the Vulnerable Software and Affected Versions: The Bulk images optimizer: Resize, optimize, convert to webp, rename … plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to a missing capability check on the save configuration function, allowing...

CVSS: 4.3 · AI score: 7 · EPSS: 0.00188
Exploits: 0 · References: 8

OSV
added 2024/09/19 2:49 p.m. · 2 views

GHSA-68J8-FP38-P48Q Gematik Referenzvalidator has an XXE vulnerability that can lead to a Server Side Request Forgery attack

Impact The profile location routine in the referencevalidator commons package is vulnerable to XML External Entities attack due to insecure defaults of the used Woodstox WstxInputFactory. A malicious XML resource can lead to network requests issued by referencevalidator and thus to a Server Side...

CVSS: 8.6 · AI score: 5.8 · EPSS: 0.00357
Exploits: 0 · References: 9

Positive Technologies
added 2024/09/18 12:0 a.m. · 4 views

PT-2024-28346 · Unknown · Smart Tyre Car & Bike

Name of the Vulnerable Software and Affected Versions: SMART TYRE CAR & BIKE version 4.2.0 Description: The issue allows attackers to perform a man-in-the-middle attack via Bluetooth communications. Recommendations: For SMART TYRE CAR & BIKE version 4.2.0, consider disabling Bluetooth...

CVSS: 4.2 · AI score: 7.2 · EPSS: 0.02845
Exploits: 1 · References: 6

Veeam
added 2024/09/18 12:0 a.m. · 9 views

Release Information for Veeam Backup for Microsoft Azure 7 Cumulative Patches

Requirements Please confirm that you are running version Veeam Backup for Microsoft Azure v7 build 7.0.0.467 or later before upgrading. You can find the currently installed build number Product version in the About section under Configuration | Support Information | Updates. After installing Veea...

AI score: 7.1
Exploits: 0 · Affected Software: 1

NCSC
added 2024/09/10 12:34 p.m. · 4 views

Vulnerability fixed in Sonicwall SonicOS

Sonicwall has fixed a vulnerability in SonicOS for Gen5, Gen6 and Gen7 firewalls. The vulnerability is located in the management interface and SSLVPN and allows a malicious party to cause a Denial-of-Service and potentially access and modify system data. The NCSC is receiving signals from trusted...

CVSS: 9.8 · AI score: 7.2 · EPSS: 0.03443
Exploits: 0 · References: 1

OSV
added 2024/08/30 11:9 a.m. · 3 views

OESA-2024-2074 moby security update

Docker is a product for you to build, ship and run any application as a lightweight container. Security Fixes: Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an...

CVSS: 9.9 · AI score: 6.7 · EPSS: 0.03345
Exploits: 0 · References: 2

SUSE CVE
added 2024/08/20 2:16 a.m. · 1 view

SUSE CVE-2024-42486

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions on the 1.15.x branch prior to 1.15.8 and the 1.16.x branch prior to 1.16.1, ReferenceGrant changes are not correctly propagated in Cilium's GatewayAPI controller, which could lead to Gateway...

CVSS: 7.2 · AI score: 6.7 · EPSS: 0.00243
Exploits: 0 · References: 3

CVE
added 2024/08/19 6:59 a.m. · 89 views

CVE-2024-25582

The CVE-2024-25582 issue affects Open-Xchange App Suite via the module savepoint mechanism. The root cause is that savepoints could be abused to inject references to malicious code delivered through the same domain, enabling attackers to perform malicious API requests or extract information from ...

CVSS: 5.4 · AI score: 6.9 · EPSS: 0.00181
Exploits: 0 · References: 3

IBM Security Bulletins
added 2024/08/13 6:16 a.m. · 63 views

Security Bulletin: Moment.js issue of validating, manipulating, and formatting dates

Summary Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm server users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale...

CVSS: 7.5 · AI score: 7.6 · EPSS: 0.03173
Exploits: 1 · Affected Software: 1

Tenable Nessus
added 2024/08/13 12:0 a.m. · 5 views

FreeBSD : OpenHAB CometVisu addon -- Multiple vulnerabilities (587ed8ac-5957-11ef-854a-001e676bf734)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 587ed8ac-5957-11ef-854a-001e676bf734 advisory. OpenHAB reports: This patch release addresses the following security advisories: All of these are relat...

AI score: 5.7
Exploits: 0 · References: 6

IBM Security Bulletins
added 2024/08/12 6:56 a.m. · 20 views

Security Bulletin: Apache commons-fileupload vulnerability (CVE-2023-24998)

Summary Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option...

CVSS: 7.5 · AI score: 7.6 · EPSS: 0.37165
Exploits: 1 · Affected Software: 1