579 matches found

CVE
added 2024/07/23 9:30 p.m. · 56 views

CVE-2024-41656

Sentry vulnerability CVE-2024-41656 affects self-hosted Sentry versions 10.0.0 to before 24.7.1, where an unsanitized payload from an Integration platform could store arbitrary HTML that is later rendered on the Issues page. The issue is mitigated for Sentry SaaS (already patched) and on sentry.i...

CVSS 7.1 · AI score 6.7 · EPSS 0.04185
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/07/18 5:18 p.m. · 2 views

GHSA-G92J-QHMH-64V2 Sentry's Python SDK unintentionally exposes environment variables to subprocesses

Impact: The bug in Sentry's Python SDK. In Python, calling subprocess.check_output(["env"], env={"TEST": "1"}) returns b'TEST=1\n'. If you'd want to not pass any variables, you can set an empty dict: subprocess.check_output(["env"], env={}) returns b''. However, the bug in Sentry SDK 2.8.0 causes all environment variables to be passed to the...

CVSS 2.5 · AI score 5.7 · EPSS 0.00028
Exploits 0 · References 11
Amazon
added 2024/05/30 12:00 a.m. · 7 views

Important: git

Issue Overview: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a...

CVSS 9 · AI score 7.4 · EPSS 0.82951
Exploits 35
OSV
added 2024/05/14 7:15 p.m. · 1 view

UBUNTU-CVE-2024-32002

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory...

CVSS 9 · AI score 6.9 · EPSS 0.82951
Exploits 32 · References 9
Positive Technologies
added 2024/04/26 12:00 a.m. · 2 views

PT-2024-14882 · Unknown · Dvr Firmware

Name of the Vulnerable Software and Affected Versions: DVR firmware (affected versions not specified). Description: A flaw has been discovered in the DVR firmware's encryption logic, which is inadequate and allows the protected data to be decrypted. The issue was found by Vladimir Kononovich, a security researcher...

CVSS 8.9 · AI score 6.5 · EPSS 0.01016
Exploits 0 · References 4
AlpineLinux
added 2024/04/22 10:24 p.m. · 1 view

CVE-2024-32657

Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients. One use of this functionality is...

CVSS 5.4 · AI score 7.2 · EPSS 0.00627
Exploits 0 · References 4
OSV
added 2024/04/22 10:15 p.m. · 0 views

DEBIAN-CVE-2024-32459

FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available...

CVSS 9.8 · AI score 8.5 · EPSS 0.06359
Exploits 0 · References 1
NCSC
added 2024/04/16 12:00 a.m. · 3 views

Vulnerability fixed in PuTTY

PuTTY has fixed a vulnerability in the PuTTY client. The vulnerability in PuTTY is in how the ECDSA nonce is created when using NIST P-521. This makes it possible for a malicious person to guess the nonce and use the signed text to retrieve the private key. PuTTY is also used in the following...

CVSS 5.9 · AI score 9.1 · EPSS 0.23269
Exploits 0
OSV
added 2024/04/04 3:15 p.m. · 2 views

UBUNTU-CVE-2024-28871

LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Version 0.5.46 may parse malformed request traffic, leading to excessive CPU usage. Version 0.5.47 contains a patch for the issue. No known workarounds are available...

CVSS 7.5 · AI score 7.1 · EPSS 0.00134
Exploits 0 · References 7
Positive Technologies
added 2024/04/03 12:00 a.m. · 4 views

PT-2024-4017

Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions 2022 SU5 and prior. Description: The issue is related to an unspecified SQL Injection vulnerability in the Core server of Ivanti Endpoint Manager. This vulnerability allows an unauthenticated attacker within th...

CVSS 9.6 · AI score 7.7 · EPSS 0.93975
Exploits 5 · References 93
Patchstack
added 2024/03/12 12:00 a.m. · 6 views

WordPress Site Reviews Plugin <= 6.11.4 is vulnerable to Cross Site Scripting (XSS)

Software: Site Reviews; Type: Plugin; Vulnerable versions: <= 6.11.4; Fixed in: 6.11.7; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-2293; Patch priority: Low; CVSS severity: Low (6.5); Developer: Gemini Labs; PSID: 905ece02271d; Credits: stealthcopter; Required...

CVSS 6.4 · AI score 6 · EPSS 0.00284
Exploits 0 · References 3 · Affected Software 1
Vulnrichment
added 2024/01/02 8:06 p.m. · 13 views

CVE-2023-51652 OWASP.AntiSamy mXSS when preserving comments

OWASP AntiSamy .NET is a library for performing cleansing of HTML coming from untrusted sources. Prior to version 1.2.0, there is a potential for a mutation cross-site scripting mXSS vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerabilit...

CVSS 6.1 · AI score 6.2 · EPSS 0.00918
Exploits 0 · References 3
VulnCheck KEV
added 2023/12/23 12:00 a.m. · 2 views

VulnCheck KEV: CVE-2022-21661

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in...

CVSS 8 · AI score 7.1 · EPSS 0.90365
Exploits 14 · References 1
OSV
added 2023/10/04 5:15 p.m. · 1 view

ALPINE-CVE-2023-43804

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

CVSS 8.1 · AI score 6.5 · EPSS 0.0095
Exploits 0 · References 1
SUSE CVE
added 2023/09/19 1:56 a.m. · 1 view

SUSE CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests...

CVSS 5.3 · AI score 7 · EPSS 0.04575
Exploits 0 · References 4
NCSC
added 2023/08/02 12:00 a.m. · 2 views

Vulnerability fixed in Splunk SOAR

Splunk has fixed a vulnerability in Splunk SOAR. The vulnerability allows an unauthenticated malicious person to inject ANSI escape codes into a log file. To do so, the malicious party must send a specially prepared HTTP request to the Splunk SOAR instance. When this log file is read in a...

CVSS 8.6 · AI score 7.3 · EPSS 0.00075
Exploits 0
NCSC
added 2023/07/27 12:00 a.m. · 3 views

Vulnerability fixed in Apache Jackrabbit

Apache Foundation has fixed a vulnerability in Jackrabbit. A malicious party could exploit the vulnerability to execute arbitrary code with the permissions of the application that uses Jackrabbit. Because Jackrabbit is executed with the privileges of the application, it cannot be ruled out...

CVSS 9.8 · AI score 7.3 · EPSS 0.10007
Exploits 0
The Hacker News
added 2023/07/07 2:01 p.m. · 5 views

Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software

Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability,...

CVSS 9.8 · AI score 8.3 · EPSS 0.94254
Exploits 15
The Hacker News
added 2023/07/07 12:55 p.m. · 6 views

Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14...

CVSS 9.9 · AI score 7.5 · EPSS 0.44849
Exploits 0
NCSC
added 2023/06/27 12:00 a.m. · 1 view

Vulnerabilities fixed in Synology Mail Station

Synology has fixed vulnerabilities in MailStation. A malicious party can exploit the vulnerabilities to use SQL injection to execute arbitrary code, or gain access to sensitive data. No CVE identifiers have been disclosed for the vulnerabilities yet. Synology gives the vulnerabilities the status...

AI score 7.4
Exploits 0