
4991 matches found

RedHat Linux
added 2023/10/18 10:56 p.m. · 4 views

HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...

CVSS 7.5 · AI score 6.7 · EPSS 0.94395
Exploits 19 · References 10

OSV
added 2023/10/16 8:15 p.m. · 0 views

CVE-2023-43118

Cross Site Request Forgery (CSRF) vulnerability in Chalet application in Extreme Networks Switch Engine EXOS before 32.5.1.5, fixed in 31.7.2 and 32.5.1.5, allows attackers to run arbitrary code and cause other unspecified impacts via /jsonrpc API...

CVSS 8.8 · AI score 6
Exploits 0 · References 1

CNNVD
added 2023/10/13 12:00 a.m. · 2 views

Fortinet FortiEDR Code Issue Vulnerability

Fortinet FortiEDR is an endpoint security solution built from the ground up by Fortinet. Fortinet FortiEDR suffers from an Access Control Error vulnerability that stems from insufficient handling of session expiration times, which can be exploited by an attacker to execute unauthorized code or...

CVSS 8.1 · AI score 7.4 · EPSS 0.00107
Exploits 0 · References 2

Positive Technologies
added 2023/10/11 12:00 a.m. · 2 views

PT-2023-29102 · Unknown · Fwk-Display

Name of the Vulnerable Software and Affected Versions: Fwk-Display module (affected versions not specified)
Description: The issue concerns an API permission management vulnerability in the Fwk-Display module. Successful exploitation of this vulnerability may cause features to perform abnormally...

CVSS 9.8 · AI score 6.8 · EPSS 0.00084
Exploits 0 · References 6

OSV
added 2023/10/10 5:15 p.m. · 1 views

CVE-2023-34992

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet allows an attacker to execute unauthorized code or commands via crafted API requests...

CVSS 9.8 · AI score 5.9 · EPSS 0.77157
Exploits 1 · References 1

Positive Technologies
added 2023/10/10 12:00 a.m. · 5 views

PT-2023-6001 · Fortinet · Fortisiem

Name of the Vulnerable Software and Affected Versions:
FortiSIEM versions 6.4.0 through 6.4.2
FortiSIEM versions 6.5.0 through 6.5.1
FortiSIEM versions 6.6.0 through 6.6.3
FortiSIEM versions 6.7.0 through 6.7.5
FortiSIEM version 7.0.0
Description: The issue is related to an improper neutralizatio...

CVSS 9.8 · AI score 9.8 · EPSS 0.77157
Exploits 1 · References 25

RedHat Linux
added 2023/10/09 10:29 a.m. · 42 views

Important: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for...

CVSS 9.8 · AI score 6.8 · EPSS 0.01916
Exploits 5 · References 16

RedHat Linux
added 2023/10/05 1:34 p.m. · 36 views

Important: Red Hat Security Advisory: python3.11 security update

An update for python3.11 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability fro...

CVSS 5.3 · AI score 6.8 · EPSS 0.00581
Exploits 0 · References 2

RedHat Linux
added 2023/10/05 1:34 p.m. · 3 views

python: TLS handshake bypass

Python ssl.SSLSocket is vulnerable to a bypass of the TLS handshake in certain instances for HTTPS servers and other server-side protocols that use TLS client authentication, such as mTLS. This issue may result in a breach of integrity, as it's possible to modify or delete resources that are...

CVSS 5.3 · AI score 6.8 · EPSS 0.00581
Exploits 0 · References 7

The Hacker News
added 2023/10/05 10:48 a.m. · 31 views

Analysis and Config Extraction of Lu0Bot, a Node.js Malware with Considerable Capabilities

Nowadays, more malware developers are using unconventional programming languages to bypass advanced detection systems. The Node.js malware Lu0Bot is a testament to this trend. By targeting a platform-agnostic runtime environment common in modern web apps and employing multi-layer obfuscation,...

AI score 7.4
Exploits 0

OSV
added 2023/10/05 12:00 a.m. · 23 views

ALSA-2023:5456 Important: python3.11 security update

Python is an accessible, high-level, dynamically typed, interpreted programming language, designed with an emphasis on code readability. It includes an extensive standard library, and has a vast ecosystem of third-party libraries.
Security Fixes: python: TLS handshake bypass (CVE-2023-40217)
For mo...

CVSS 5.3 · AI score 6.5 · EPSS 0.00581
Exploits 0 · References 4

OSV
added 2023/10/04 5:15 p.m. · 1 views

CVE-2023-20259

A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for devic...

CVSS 7.5 · AI score 5.8
Exploits 0 · References 1

Redos
added 2023/10/03 12:00 a.m. · 48 views

ROS-20230929-01

Vulnerability in the URI component of the Ruby programming language, related to improper handling of invalid URLs containing certain characters. Exploitation of the vulnerability could allow an attacker, acting remotely, to cause a denial of service. Vulnerability in the...

CVSS 7.5 · AI score 5.6 · EPSS 0.01027
Exploits 0

OSV
added 2023/09/27 6:15 p.m. · 2 views

CVE-2023-20223

A vulnerability in Cisco DNA Center could allow an unauthenticated, remote attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control enforcement on API requests. An attacker could exploit th...

CVSS 8.2 · AI score 5.8
Exploits 0 · References 1

CNNVD
added 2023/09/27 12:00 a.m. · 4 views

Jumpserver Information Disclosure Vulnerability

Jumpserver is an open source bastion machine from Hangzhou Feizhiyun Information Technology Co. in China. JumpServer suffers from an information disclosure vulnerability caused by exposing random number seeds to the API, which could allow replay of randomly generated CAPTCHAs, leading to password...

CVSS 8.2 · AI score 6.3 · EPSS 0.62787
Exploits 4 · References 3

CNNVD
added 2023/09/27 12:00 a.m. · 2 views

Cisco DNA Center Security Vulnerability

Cisco DNA Center is a network management and command center service from Cisco USA. An access control error vulnerability exists in the Cisco DNA Center API, which can be exploited by a remote attacker to submit a special request that can read and modify database data and elevate privileges...

CVSS 8.6 · AI score 7 · EPSS 0.00169
Exploits 0 · References 2

OSV
added 2023/09/20 9:15 a.m. · 2 views

CVE-2023-41374

Double free issue exists in Kostac PLC Programming Software Version 1.6.11.0 and earlier. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of...

CVSS 7.8 · AI score 5.9
Exploits 0 · References 2

Vulnrichment
added 2023/09/20 8:49 a.m. · 9 views

CVE-2023-41374

Double free issue exists in Kostac PLC Programming Software Version 1.6.11.0 and earlier. Arbitrary code may be executed by having a user open a specially crafted project file which was saved using Kostac PLC Programming Software Version 1.6.9.0 and earlier because the issue exists in parsing of...

AI score 7 · EPSS 0.00079
Exploits 0 · References 2

CVE
added 2023/09/20 8:49 a.m. · 43 views

CVE-2023-41374

Summary: CVE-2023-41374 is a double-free vulnerability in Kostac PLC Programming Software (KPP) versions 1.6.11.0 and earlier, related to parsing of KPP project files. If a user opens a specially crafted project file saved with 1.6.9.0 or earlier, arbitrary code execution may occur. Mitigation: s...

CVSS 7.8 · AI score 7.6 · EPSS 0.00079
Exploits 0 · References 2 · Affected Software 1

CVE
added 2023/09/20 8:49 a.m. · 46 views

CVE-2023-41375

CVE-2023-41375 is a use-after-free vulnerability in Kostac PLC Programming Software (KPP) 1.6.11.0 and earlier, due to parsing of KPP project files saved with 1.6.9.0 or earlier. Exploitation may allow arbitrary code execution when a user opens a specially crafted project file. The vendor notes t...

CVSS 7.8 · AI score 7.9 · EPSS 0.00076
Exploits 0 · References 2 · Affected Software 1