1314 matches found

Tenable Nessus
added 2024/06/27 12:00 a.m., 11 views

ManageEngine OpManager XSS (CVE-2024-36038)

A cross-site scripting vulnerability exists in the configured proxy server for ManageEngine OpManager 12.8.234. An attacker can use this vulnerability to alter the intended functionality of the proxy server, potentially leading to credential disclosure within a trusted session. Note that Nessus h...

CVSS 6.3, AI score 5.4, EPSS 0.00133
Exploits 0, References 2
OSV
added 2024/06/24 7:04 p.m., 15 views

MGASA-2024-0235 Updated python-aiohttp packages fix security vulnerability

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server, e.g. nginx, for serving static files. Users following th...

CVSS 6.1, AI score 5.9, EPSS 0.00709
Exploits 0, References 3
NVD
added 2024/06/24 12:15 p.m., 17 views

CVE-2024-36038

Zoho ManageEngine ITOM product versions 128234 through 128248 are affected by a stored cross-site scripting vulnerability in the proxy server option...

CVSS 6.3, EPSS 0.00133
Exploits 0, References 1
Vulnrichment
added 2024/06/24 11:45 a.m., 13 views

CVE-2024-36038 Stored XSS

Zoho ManageEngine ITOM product versions 128234 through 128248 are affected by a stored cross-site scripting vulnerability in the proxy server option...

CVSS 6.3, AI score 5.9, EPSS 0.00133
Exploits 0, References 1
Cvelist
added 2024/06/24 11:45 a.m., 23 views

CVE-2024-36038 Stored XSS

Zoho ManageEngine ITOM product versions 128234 through 128248 are affected by a stored cross-site scripting vulnerability in the proxy server option...

CVSS 6.3, EPSS 0.00133
Exploits 0, References 1
BDU FSTEC
added 2024/06/18 12:00 a.m., 1 view

Vulnerability in the web interface of the FortiOS operating system and the FortiProxy proxy server, allowing arbitrary code execution

The vulnerability in the web management interface of the FortiOS operating system and the FortiProxy proxy server (a product for protecting against Internet attacks) stems from the absence of measures to protect the web page structure. Exploiting this vulnerability allows a malicious actor to execute...

CVSS 8.3, AI score 7.6, EPSS 0.0024
Exploits 0, References 2, Affected Software 2
Veracode
added 2024/06/11 10:57 a.m., 9 views

Request Smuggling

tornado is vulnerable to Request Smuggling. This vulnerability is due to the mishandling of multiple Transfer-Encoding: chunked headers, which allows for request smuggling attacks when deployed behind a proxy server that emits such requests...

AI score 7
Exploits 0
OpenVAS
added 2024/06/09 12:00 a.m., 17 views

Fedora: Security Advisory (FEDORA-2024-06e6dcbb42)

The remote host is missing the update described in Fedora advisory FEDORA-2024-06e6dcbb42. (Greenbone AG 2024, GPL-2.0-only; some text descriptions might be excerpted from referenced sources and are copyright of the respective right holders.)...

CVSS 6.5, AI score 5.9, EPSS 0.00832
Exploits 0, References 6
OSV
added 2024/06/07 8:02 p.m., 3 views

GHSA-XFFP-6W68-4775 Zendframework Remote Address Spoofing Vector in `Zend\Http\PhpEnvironment\RemoteAddress`

The Zend\Http\PhpEnvironment\RemoteAddress class provides features around detecting the Internet Protocol (IP) address for an incoming proxied request via the X-Forwarded-For header, taking into account a provided list of trusted proxy server IPs. Prior to 2.2.5, the class was not taking into accou...

CVSS 7.5, AI score 7
Exploits 0, References 4
Github Security Blog
added 2024/06/07 8:02 p.m., 16 views

Zendframework Remote Address Spoofing Vector in `Zend\Http\PhpEnvironment\RemoteAddress`

The Zend\Http\PhpEnvironment\RemoteAddress class provides features around detecting the Internet Protocol (IP) address for an incoming proxied request via the X-Forwarded-For header, taking into account a provided list of trusted proxy server IPs. Prior to 2.2.5, the class was not taking into accou...

AI score 7
Exploits 0, References 4, Affected Software 1
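The two Zendframework entries above describe resolving the client address from X-Forwarded-For against a list of trusted proxy IPs. The following is an added example in Python, not Zendframework's PHP code and not a reconstruction of the 2.2.5 fix: it puts a naive "take the leftmost entry" resolver next to the right-to-left walk that only skips hops belonging to the trusted list. The address values, the trusted network list and the function names are constructed for this example.

```python
import ipaddress


def naive_client_ip(remote_addr: str, xff: str) -> str:
    """Trusts the leftmost X-Forwarded-For entry, so the client picks the result.

    This is the generic spoofable pattern, shown for contrast; it is not a claim
    about what any particular Zendframework version did.
    """
    first = xff.split(",")[0].strip() if xff else ""
    return first or remote_addr


def client_ip(remote_addr: str, xff: str, trusted_proxies) -> str:
    """Return the first hop, reading right to left, that is not a trusted proxy.

    remote_addr is the TCP peer; xff is the raw X-Forwarded-For header value;
    trusted_proxies is a list of CIDR strings. Entries to the left of the first
    untrusted hop were written by that untrusted party and are never consulted.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in nets)

    current = ipaddress.ip_address(remote_addr)
    if not is_trusted(current):
        # Direct connection: the header, whatever it says, is client-supplied.
        return str(current)
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # A non-address entry is ambiguous; refuse rather than guess.
            raise ValueError(f"malformed X-Forwarded-For entry {hop!r}")
        if not is_trusted(ip):
            return str(ip)
        current = ip
    # Every hop was a trusted proxy: report the last one rather than inventing a client.
    return str(current)


# Constructed sample: the edge proxy 10.0.0.5 connected to us, and the header
# already carried an attacker-chosen "1.2.3.4" before the real client appended.
TRUSTED = ["10.0.0.0/8"]
SAMPLE_XFF = "1.2.3.4, 203.0.113.9, 10.0.0.6"

if __name__ == "__main__":
    print("naive :", naive_client_ip("10.0.0.5", SAMPLE_XFF))
    print("walked:", client_ip("10.0.0.5", SAMPLE_XFF, TRUSTED))
```

The walk stops at 203.0.113.9 because 10.0.0.6 is inside the trusted range and 203.0.113.9 is not; the spoofed 1.2.3.4 to its left is never reached. The trusted list must contain only proxies you operate; a wildcard such as 0.0.0.0/0 makes the header fully client-controlled again.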
Github Security Blog
added 2024/06/06 9:41 p.m., 42 views

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado

Summary: When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this. PoC: 0. Install Tornado. 1. Start a simple Tornado server that echoes...

AI score 7
Exploits 0, References 3, Affected Software 1
OSV
added 2024/06/06 9:41 p.m., 0 views

GHSA-753J-MPMX-QQ6G Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado

Summary: When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. Pound does this. PoC: 0. Install Tornado. 1. Start a simple Tornado server that echoes...

CVSS 5.3, AI score 5.9
Exploits 0, References 3
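The Veracode entry and the two GHSA-753J-MPMX-QQ6G entries above describe the same desynchronisation: a front-end proxy that honours chunked framing, and a back end that drops both Transfer-Encoding headers and falls back to Content-Length. The block below is an added example, not Tornado's parser and not the advisory's PoC: a small framing parser with three selectable policies is run over one constructed request so the two sides' views can be compared, together with the strict behaviour (reject ambiguous framing) that closes the gap. The policy names, the request bytes and the /admin path are all constructed for illustration.

```python
def parse_head(raw: bytes, start: int):
    """Split the request head at raw[start:] into (request line, headers, body offset)."""
    end = raw.index(b"\r\n\r\n", start)
    lines = raw[start:end].decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def chunked_body_end(raw: bytes, pos: int) -> int:
    """Walk chunked framing from pos; return the offset just past the final CRLF.

    Trailer fields are not handled (the constructed input carries none).
    """
    while True:
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";")[0], 16)  # chunk extensions ignored
        pos = line_end + 2
        if size == 0:
            return raw.index(b"\r\n", pos) + 2  # empty trailer section, then CRLF
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(raw: bytes, policy: str) -> list:
    """Return the request lines a parser with the given policy sees in raw.

    frontend: honours Transfer-Encoding: chunked whenever present (the proxy side)
    lenient:  ignores Transfer-Encoding if it appears more than once and falls
              back to Content-Length (the back-end behaviour the advisory describes)
    strict:   rejects any request whose framing is ambiguous (RFC 9112, section 6)
    """
    if policy not in ("frontend", "lenient", "strict"):
        raise ValueError(f"unknown policy {policy!r}")
    seen, pos = [], 0
    while pos < len(raw):
        request_line, headers, body = parse_head(raw, pos)
        te = [v for k, v in headers if k == "transfer-encoding"]
        cl = [v for k, v in headers if k == "content-length"]
        if policy == "strict" and (len(te) > 1 or (te and cl) or len(cl) > 1):
            raise ValueError(f"ambiguous framing, rejecting: {request_line}")
        use_chunked = bool(te) and not (policy == "lenient" and len(te) > 1)
        if use_chunked:
            pos = chunked_body_end(raw, body)
        else:
            pos = body + (int(cl[0]) if cl else 0)
        seen.append(request_line)
    return seen


# Constructed attacker input. The outer POST carries Content-Length: 4 (exactly the
# chunk-size line "37\r\n") and two Transfer-Encoding: chunked headers. Its single
# chunk holds a complete GET whose own Content-Length: 5 swallows the five-byte
# chunk terminator "0\r\n\r\n", so the back end consumes the stream cleanly.
SMUGGLED = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: backend\r\n"
    b"Content-Length: 5\r\n"
)
ATTACK = (
    b"POST /echo HTTP/1.1\r\n"
    b"Host: backend\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + b"%x\r\n%s\r\n" % (len(SMUGGLED), SMUGGLED)
    + b"0\r\n\r\n"
)

if __name__ == "__main__":
    print("front end sees:", split_requests(ATTACK, "frontend"))
    print("back end sees: ", split_requests(ATTACK, "lenient"))
```

The front end forwards one POST; the lenient back end answers a POST and then a GET /admin that the proxy never saw and never applied its access rules to. The strict policy refuses the request at the first ambiguity, which is what a back end behind an unknown proxy should do; normalising the headers at the proxy is the complementary fix.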
NVD
added 2024/06/06 7:15 p.m., 14 views

CVE-2024-3095

A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This...

CVSS 7.7, EPSS 0.00163
Exploits 1, References 1
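The CVE-2024-3095 entry above turns on one missing check: a fetcher that takes a URL from an untrusted source should refuse to reach loopback, private, link-local and other non-routable addresses. The following is an added example, not langchain's code: a target check that parses the URL, resolves the host through an injected resolver so it runs offline, unwraps IPv4-mapped IPv6 literals, and pins the resolved addresses so the caller connects to what was checked. The stub DNS table and the URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit


def is_public(ip) -> bool:
    """True only for globally routable addresses; mapped IPv4 is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return ip.is_global


def resolve_fetch_target(url: str, resolve):
    """Validate url for an outbound fetch and return the pinned address list.

    resolve(hostname) -> list of address strings is injected so the check can be
    exercised without network access; in production pass a wrapper around
    socket.getaddrinfo and connect to the returned addresses rather than letting
    the HTTP client resolve the name again (that re-resolution is the DNS
    rebinding window).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("no host in URL")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, v4 or bracketed v6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in addrs:
        if not is_public(ip):
            raise ValueError(f"refusing non-public address {ip} for {host!r}")
    return [str(ip) for ip in addrs]


# Constructed stand-in for DNS; the example.com address is the documented one.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "rebind.test": ["93.184.216.34", "10.0.0.9"],  # one public, one internal
}


def fake_resolve(hostname: str):
    return CONSTRUCTED_DNS.get(hostname, [])


if __name__ == "__main__":
    for candidate in (
        "http://example.com/search?q=x",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/",
        "http://[::ffff:10.0.0.1]/",
        "http://rebind.test/",
        "file:///etc/passwd",
    ):
        try:
            print("allow", candidate, resolve_fetch_target(candidate, fake_resolve))
        except ValueError as exc:
            print("deny ", candidate, "->", exc)
```

A host that resolves to a mix of public and internal addresses is rejected outright, since a client would otherwise pick whichever record it likes. Redirects need the same check on every hop; this function covers the initial target only.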
CNVD
added 2024/05/29 12:00 a.m., 3 views

F5 NGINX Plus and NGINX Open Source Denial of Service Vulnerabilities

NGINX is an HTTP and reverse proxy server, a mail proxy server, and a general-purpose TCP/UDP proxy server. A denial of service vulnerability exists in F5 NGINX Plus and NGINX Open Source, which can be exploited by an unauthenticated, remote attacker to cause a denial of service...

CVSS 4.8, AI score 6.7, EPSS 0.00832
Exploits 0, References 1
Redos
added 2024/05/21 12:00 a.m., 16 views

ROS-20240521-02

A vulnerability in the HTTP Digest Authentication handler of the Squid proxy server is related to uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service or other impact...

CVSS 8.6, AI score 7.2, EPSS 0.38209
Exploits 0
OSV
added 2024/05/18 12:30 a.m., 17 views

GHSA-7GGM-4RJG-594W litellm passes untrusted data to `eval` function without sanitization

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.getsecret method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval function...

CVSS 7.2, AI score 9.8, EPSS 0.03284
Exploits 0, References 8
Github Security Blog
added 2024/05/18 12:30 a.m., 27 views

litellm passes untrusted data to `eval` function without sanitization

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.getsecret method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval function...

CVSS 9.8, AI score 8.1, EPSS 0.03284
Exploits 0, References 8, Affected Software 1
Cvelist
added 2024/05/18 12:00 a.m., 17 views

CVE-2024-4264 Remote Code Execution in berriai/litellm

A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the eval function unsafely in the litellm.getsecret method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the eval function...

CVSS 9.8, AI score 9.8, EPSS 0.03284
Exploits 0, References 1
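The three CVE-2024-4264 entries above share one root cause: a secret value fetched from an external store is handed to eval to turn text into a Python object. The block below is an added example, not litellm's code and not its fix: the unsafe pattern is placed beside a parser that accepts only JSON of an expected shape, and both are run over a benign payload and a constructed payload that eval would execute. The payload strings and function names are constructed for this example.

```python
import json


def parse_secret_with_eval(raw: str):
    """The vulnerable pattern: text from an external system is executed, not parsed.

    Any expression the store (or whoever can write to it) returns runs with the
    privileges of the server process.
    """
    return eval(raw)  # intentionally unsafe, kept here only for the contrast


def parse_secret_safely(raw: str):
    """Parse a secret as JSON and insist on the shapes the caller expects.

    json.loads never executes anything; the type check stops a structurally
    valid but unexpected document (e.g. a list) from propagating.
    """
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("secret is not valid JSON") from exc
    if not isinstance(value, (dict, str)):
        raise ValueError(f"unexpected secret type {type(value).__name__}")
    return value


# Constructed payloads. The second is a harmless expression chosen so that the
# demonstration is visible without side effects: if it runs, the result is the
# process's working directory rather than the string itself.
BENIGN = '{"api_key": "sk-constructed-example"}'
MALICIOUS = "__import__('os').getcwd()"

if __name__ == "__main__":
    print("eval, benign   :", parse_secret_with_eval(BENIGN))
    print("eval, malicious:", parse_secret_with_eval(MALICIOUS))
    print("json, benign   :", parse_secret_safely(BENIGN))
    try:
        parse_secret_safely(MALICIOUS)
    except ValueError as exc:
        print("json, malicious:", exc)
```

Where a store legitimately returns Python literals rather than JSON, ast.literal_eval is the drop-in that evaluates only literal syntax and still refuses calls and attribute access; eval has no safe configuration for untrusted input.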
RedHat Linux
added 2024/05/13 1:42 a.m., 32 views

Important: Red Hat Security Advisory: squid:4 security update

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS 8.6, AI score 7.3, EPSS 0.03051
Exploits 0, References 2
RedHat Linux
added 2024/05/09 5:58 a.m., 35 views

Important: Red Hat Security Advisory: squid:4 security update

An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having ...

CVSS 8.6, AI score 6.8, EPSS 0.03051
Exploits 0, References 3