CVE-2023-25581

The CVE-2023-25581 entry concerns pac4j-core before 4.0.0, where a Java deserialization vulnerability in UserProfile attributes can be triggered by a serialized object with a {#sb64} prefix and Base64 encoding, potentially leading to RCE. Affected versions are prior to 4.0.0; 4.0.0 and later are ...

CVE-2024-45746

An issue was discovered in Trusted Firmware-M through 2.1.0. User provided and controlled mailbox messages contain a pointer to a list of input arguments invec and output arguments outvec. These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length...

GHSA-CJ55-GC7M-WVCQ req may send an unintended request when a malformed URL is provided

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in...

CVE-2024-42363 GHSL-2023-136_Samson

Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parsefile method where it is unsafely deserialized using the YAML.loadstream...

CVE-2024-22218

CVE-2024-22218/22219 describe an XXE vulnerability in Terminalfour versions 8.0.0001–8.3.18 and XML JDBC up to 1.0.4. An authenticated user can submit malicious XML via unspecified features, potentially leading to accessing the underlying server, remote code execution (RCE), or Server-Side Reques...

CVE-2024-22219

XML External Entity XXE vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which could lead to various actions such as accessing the underlying server, remote code execution RCE, or...

CVE-2024-34060

CVE-2024-34060 affects IrisEVTXModule, an interface plugin used with Evtx2Splunk and Iris to ingest Microsoft EVTX logs via the iris-web pipeline. The vulnerability arises from unsafe handling of EVTX filenames during upload, enabling Arbitrary File Write and potentially remote code execution (RC...

CVE-2024-3126 Command Injection in parisneo/lollms-webui

A command injection vulnerability exists in the 'runxttsapiserver' function of the parisneo/lollms-webui application, specifically within the 'lollmsxtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utiliz...

llama-index-core Command Injection vulnerability

A command injection vulnerability exists in the run-llama/llamaindex repository, specifically within the safeeval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by...

CVE-2024-3271 Command Injection in run-llama/llama_index

A command injection vulnerability exists in the run-llama/llamaindex repository, specifically within the safeeval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by...

Sql injection

An issue was discovered in Spiceworks Help Desk Server before 1.3.3. A Blind Boolean SQL injection vulnerability within the orderbyforticket function in app/models/reporting/databasequery.rb allows an authenticated attacker to execute arbitrary SQL commands via the sort parameter. This can be...

Huawei EulerOS: Security Advisory for sysstat (EulerOS-SA-2023-2100)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Huawei EulerOS: Security Advisory for sysstat (EulerOS-SA-2023-2049)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Code injection

This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtilsdoCreateDatasource use InitialContext.lookupjndiName without filtering. An us...

[SECURITY] [DLA 3188-1] sysstat security update

----------------------------------------------------------------------- Debian LTS Advisory DLA-3188-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta November 14, 2022 https://wiki.debian.org/LTS -...

Imperva Threat Research Shows Cyber Attacks on the Rise in Australia

Every year, cyber attacks increase. Attackers get smarter, tools get better, and incentives to target sites grow. Over the last year, Imperva Threat Research detected a large increase in attacks targeting Australian sites, more than the global rise over the same timeframe. Australian attacks rose...

AlmaLinux 8 : pandoc (5597) (ALSA-2022:5597)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:5597 advisory. - cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in...

RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin

ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution RCE vulnerability exploitable by users able to provide YAML input files to ElasticBox Jenkins Kubernetes CI/CD...

Zenario CMS 9.0.54156 - Remote Code Execution (Authenticated) Exploit

Exploit Title: Zenario CMS 9.0.54156 - Remote Code Execution RCE Authenticated Exploit Author: minhnq22 Vendor Homepage: https://zenar.io/ Software Link: https://zenar.io/download-page Version: 9.0.54156 Tested on: Ubuntu 21.04 CVE : CVE-2021–42171 Python3 import os import sys import json import...

Google Android May 2021 Security Patch Vulnerabilities: Discover and Take Remote Response Action Using VMDR for Mobile Devices

The recently released Android Security Bulletin for May 2021 addresses 40 vulnerabilities, out of which 4 are rated as critical vulnerabilities. The vulnerabilities affect open-source components such as the Android Framework, Android Media Framework, Android System, and Android’s Linux Kernel for...