OpenHAB CometVisu addon -- Multiple vulnerabilities
OpenHAB reports: This patch release addresses the following security advisories: SSRF/XSS CometVisu - GHSA-v7gr-mqpj-wwh3 Sensitive information disclosure CometVisu - GHSA-3g4c-hjhr-73rj RCE through path traversal CometVisu - GHSA-f729-58x4-gqgf Path traversal CometVisu - GHSA-pcwp-26pw-j98w All ...
GHSA-JMP3-39VP-FWG8 Wagtail regular expression denial-of-service via search query parsing
Impact: A bug in Wagtail's parse_query_string would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parse_query_string would take an unexpectedly large amount of time to process, resulting in a denial of...
PT-2024-28716 · Unknown +1 · Privatebin +1
Name of the Vulnerable Software and Affected Versions: PrivateBin versions 1.5 through 1.7.3 Description: The issue is related to the YOURLS server-side proxy mechanism introduced in PrivateBin version 1.5. This mechanism allows using the YOURLS URL shortener without exposing the authentication...
Astra Linux – Vulnerability in Composer
Composer is a dependency manager for PHP. On the 2.x branch, prior to versions 2.2.24 and 2.7.7, the status, reinstall, and remove commands, when used with packages installed from sources via Git that contain specially crafted branch names in the repository, could allow for the execution of...
GHSA-3H5V-Q93C-6H6Q ws affected by a DoS when handling a request with many HTTP headers
Impact: A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. Proof of concept (js): const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars =...
GHSA-HJX6-F647-MVF9 Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components
Impact: We have identified a Cross-Site Scripting (XSS) vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...
CGA-V64C-HF56-674V
Bulletin has no description...
AutomationDirect P3-550E Programming Software Connection scan_lib.bin library code injection vulnerability
Talos Vulnerability Report TALOS-2024-1943: AutomationDirect P3-550E Programming Software Connection scan_lib.bin library code injection vulnerability. May 28, 2024. CVE Number: CVE-2024-23601. SUMMARY: A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E...
Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition
GitLab has fixed vulnerabilities in Enterprise Edition (EE) and Community Edition (CE). A malicious party can exploit the vulnerabilities to cause a Denial-of-Service (DoS), or to collect sensitive data via a Cross-Site Scripting (XSS) attack and take over accounts. GitLab has released updates to fix the...
CVE-2024-35187 Stalwart Mail Server has privilege escalation by design
Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, attackers who achieved Arbitrary Code Execution as the stalwart-mail user (including web interface admins) can gain complete root access to the system. Usually, system services are run as a separate user, not as root, to...
PT-2024-32996 · Ruijie · Ruijie Rg-Uac
Name of the Vulnerable Software and Affected Versions: Ruijie RG-UAC versions prior to 20240507 Description: A critical vulnerability exists in Ruijie RG-UAC. The manipulation of the name argument in an unknown function of the file /view/networkConfig/physicalInterface/interface_commit.php leads ...
PT-2024-31593 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 15.4 through 16.9.7 GitLab CE/EE versions 16.10 through 16.10.5 GitLab CE/EE versions 16.11 through 16.11.2 Description: An issue has been discovered in GitLab CE/EE where abusing the API to filter branches and tags coul...
CVE-2024-23186
E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer...
PT-2024-25305 · Wpzoom · Wpzoom Addons For Elementor
Name of the Vulnerable Software and Affected Versions: WPZOOM Addons for Elementor versions 1.1.35 and earlier Description: The issue affects WPZOOM Addons for Elementor, allowing Stored XSS due to improper neutralization of input during web page generation. This is a Cross-site Scripting...
PYSEC-2024-163
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a default function is a very sparsely...
ALPINE-CVE-2022-24808
net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users shou...
FreeBSD : Gitlab -- Patch Release: 16.10.2, 16.9.4, 16.8.6 (dad6294c-f7c1-11ee-bb77-001b217b3468)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the dad6294c-f7c1-11ee-bb77-001b217b3468 advisory. - Gitlab reports: Stored XSS injected in diff viewer; Stored XSS via autocomplete results; ReDoS...
Gitlab -- Patch Release: 16.10.2, 16.9.4, 16.8.6
Gitlab reports: Stored XSS injected in diff viewer; Stored XSS via autocomplete results; ReDoS on Integrations Chat Messages; ReDoS During Parse Junit Test Report...
CVE-2024-23191
Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured...
CVE-2024-23189
Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to the user's account, access to another account within the same context, or a successful social engineering...