RHEL 9 : firefox (RHSA-2025:15423)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:15423 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

RHEL 8 : thunderbird (RHSA-2025:15496)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2025:15496 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Denial-of-service due to out-of-memory...

RHEL 9 : firefox (RHSA-2025:15420)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2025:15420 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox:...

When a ServiceWorker intercepted a request with <code>FetchEvent</code>, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.

...

Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)

...

This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using this feature remains vulnerable.

...

CVE-2025-58351 Outline's Local File Storage Feature can Cause CSP Bypass

Outline is a service that allows for collaborative documentation. In versions 0.72.0 through 0.83.0, Outline introduced a feature which facilitates local file system storage capabilities as an optional file storage strategy. This feature allowed a CSP bypass as well as a ContentType bypass that...

Linux Distros Unpatched Vulnerability : CVE-2016-9639

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. CVE-2016-9639 Note that Nessus relies on the...

Linux Distros Unpatched Vulnerability : CVE-2018-16072

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a...

CVE-2025-55202

Opencast is a free, open-source platform to support the management of educational audio and video content. In version 18.0 and versions before 17.7, the protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases...

RHEL 10 : thunderbird (RHSA-2025:14844)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2025:14844 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Denial-of-service due to out-of-memor...

Linux Distros Unpatched Vulnerability : CVE-2025-9180

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR...

RHEL 8 : thunderbird (RHSA-2025:14743)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2025:14743 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Denial-of-service due to out-of-memory...

SUSE CVE-2025-47909

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin...

CVE-2025-57821

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a...

GHSA-5JCH-XHW4-R43V Google Sign-In for Rails allowed redirect to protocol-relative URI

Summary It is possible to redirect a user to another origin if the "proceedto" value in the session store is set to a protocol-relative URL. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly...

Google Sign-In for Rails allowed redirect to protocol-relative URI

Summary It is possible to redirect a user to another origin if the "proceedto" value in the session store is set to a protocol-relative URL. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly...

CVE-2025-47909

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2025:03008-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03008-1 advisory. - Firefox Extended Support Release 140.2.0 ESR MFSA 2025-67 bsc1248162 CVE-2025-9179 bmo1979527...

Google Sign-In for Rails allowed redirect to protocol-relative URI

Summary It is possible to redirect a user to another origin if the "proceedto" value in the session store is set to a protocol-relative URL. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly...