1115 matches found

Tenable Nessus
added 2023/07/12 12:0 a.m., 28 views

Security Updates for Microsoft Dynamics 365 (on-premises) (July 2023)

The Microsoft Dynamics 365 on-premises is missing security updates. It is, therefore, affected by multiple vulnerabilities: - A remote attacker can craft a specially-constructed URL which, when accessed by an authorised user, allows the attacker to retrieve cookies, present the user with a dialog...

CVSS 8.2, AI score 7.1, EPSS 0.0081
Exploits 0, References 6

Github Security Blog
added 2023/07/06 9:14 p.m., 54 views

Apache Tomcat - Fix for CVE-2023-24998 was incomplete

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded...

CVSS 7.5, AI score 6.7, EPSS 0.51547
Exploits 1, References 15, Affected Software 2

F5 Networks
added 2023/06/28 10:23 p.m., 39 views

K000135262: Apache Tomcat vulnerability CVE-2023-28709

Security Advisory Description: The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameter...

CVSS 7.5, AI score 9.2, EPSS 0.51547
Exploits 1, Affected Software 12

ATTACKERKB
added 2023/06/09 6:16 a.m., 2 views

CVE-2023-1978

The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the query string in versions up to, and including, 4.9.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

CVSS 6.1, AI score 7.4, EPSS 0.00433
Exploits 0, References 3

Snyk
added 2023/06/06 8:20 a.m., 1 view

Malicious Package

Overview: query-string-cjs is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...

CVSS 9.8, AI score 7.1
Exploits 0, References 3

IBM Security Bulletins
added 2023/05/31 10:14 p.m., 21 views

Security Bulletin: IBM Maximo Asset Management is vulnerable to Use of Sensitive Information in the Query String (CVE-2023-32334)

Summary: IBM Maximo Asset Management is vulnerable to Use of Sensitive Information in the Query String. Vulnerability Details: CVEID: CVE-2023-32334 DESCRIPTION: IBM Maximo Asset Management stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized partie...

CVSS 5.3, AI score 4.2, EPSS 0.00642
Exploits 0, Affected Software 11

IBM Security Bulletins
added 2023/05/31 7:40 p.m., 23 views

Security Bulletin: IBM Manage Application in the Maximo Application Suite is vulnerable to Use of Sensitive Information in the Query String (CVE-2023-32334)

Summary: IBM Manage Application in the Maximo Application Suite is vulnerable to Use of Sensitive Information in the Query String. Vulnerability Details: CVEID: CVE-2023-32334 DESCRIPTION: IBM Maximo Asset Management stores sensitive information in URL parameters. This may lead to information...

CVSS 5.3, AI score 4.3, EPSS 0.00642
Exploits 0, Affected Software 1

Tenable Nessus
added 2023/05/31 12:0 a.m., 44 views

SUSE SLES12 Security Update : tomcat (SUSE-SU-2023:2319-1)

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:2319-1 advisory. - The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If...

CVSS 7.5, AI score 7.6, EPSS 0.51547
Exploits 1, References 4

Tenable Nessus
added 2023/05/26 12:0 a.m., 205 views

Apache Tomcat 9.0.71 < 9.0.74 Denial Of Service

The version of Apache Tomcat installed on the remote host is 8.5.85 to 8.5.87, 9.0.71 to 9.0.73, 10.1.5 to 10.1.7 or 11.0.0-M2 to 11.0.0-M4. The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query...

CVSS 7.5, AI score 7.5, EPSS 0.51547
Exploits 1, References 2

Tenable Nessus
added 2023/05/24 12:0 a.m., 35 views

Apache Tomcat 11.0.0.M2 < 11.0.0.M5 DoS

The version of Tomcat installed on the remote host is prior to 11.0.0.M5. It is, therefore, affected by a vulnerability as referenced in the fixedinapachetomcat11.0.0-m5security-11 advisory. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using...

CVSS 7.5, AI score 8.3, EPSS 0.51547
Exploits 1, References 3

NVD
added 2023/05/22 11:15 a.m., 27 views

CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted...

CVSS 7.5, AI score 7.9, EPSS 0.51547
Exploits 1, References 5

OSV
added 2023/05/22 11:15 a.m., 1 view

UBUNTU-CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted...

CVSS 7.5, AI score 7.3, EPSS 0.51547
Exploits 1, References 3

Debian CVE
added 2023/05/22 10:8 a.m., 59 views

CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted...

CVSS 7.5, AI score 7.4, EPSS 0.51547
Exploits 1

UbuntuCve
added 2023/05/22 12:0 a.m., 96 views

CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted...

CVSS 7.5, AI score 7.3, EPSS 0.51547
Exploits 1, References 2

0day.today
added 2023/05/19 12:0 a.m., 380 views

Textpattern 4.8.8 Session Token Disclosure Vulnerability

Textpattern version 4.8.8 logs the session token in a GET request where it may end up getting disclosed in logs or via a referer. Title: textpattern-4.8.8 Session token in URL Vulnerability Author: nu11secur1ty Vendor: https://textpattern.com/ Software:...

AI score 6.9
Exploits 0

Huntr
added 2023/05/02 8:59 a.m., 21 views

Reflected XSS at search_query[] query string

Description: Reflected XSS (Cross-Site Scripting) is a common web security vulnerability that can occur when a user inputs malicious JavaScript syntax into the search field. The search function allows users to look for content on the website, and the search keywords are appended to the URL query...

CVSS 5.8, AI score 6.6, EPSS 0.0062
Exploits 1

Apache Tomcat
added 2023/04/19 12:0 a.m., 147 views

Fixed in Apache Tomcat 8.5.88

Moderate: Apache Tomcat denial of service CVE-2023-28709. The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...

CVSS 7.5, AI score 7.8, EPSS 0.51547
Exploits 1, Affected Software 1

Apache Tomcat
added 2023/04/18 12:0 a.m., 82 views

Fixed in Apache Tomcat 9.0.74

Moderate: Apache Tomcat denial of service CVE-2023-28709. The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...

CVSS 7.5, AI score 7.8, EPSS 0.51547
Exploits 1, Affected Software 1

WPVulnDB
added 2023/04/13 12:0 a.m., 12 views

ShiftController Employee Shift Scheduling < 4.9.26 - Reflected Cross-Site Scripting

The plugin does not properly sanitize input and escape output in the query string, leading to a Reflected Cross-Site Scripting vulnerability...

CVSS 6.1, AI score 6.1, EPSS 0.00433
Exploits 0, References 1, Affected Software 1

F5 Networks
added 2023/02/21 6:28 p.m., 14 views

K86285055: The BIG-IP ASM system may fail to mask sensitive parameter for an Allowed URL in the Referrer header and logs

Security Advisory Description: The BIG-IP ASM system may fail to mask a sensitive parameter for an Allowed URL. This issue occurs when all of the following conditions are met: You configured an Allowed HTTP URL enabled with the following settings in a security policy: Check Flows to this URL URL i...

AI score 6.5
Exploits 0
