BIT-TYPO3-2020-11069

In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to...

PT-2024-22298 · Jenkins · Jenkins Bitbucket Branch Source Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Bitbucket Branch Source Plugin versions 866.vdea 7dcd3008e and earlier, except version 848.850.v6a a 2a 234a c81 Description: The issue allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket...

openSUSE: Security Advisory for webkit2gtk3 (SUSE-SU-2023:3233-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

openSUSE: Security Advisory for webkit2gtk3 (SUSE-SU-2023:3419-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AnythingLLM Code Issue Vulnerability

AnythingLLM is a document chatbot that meets business requirements. A code issue vulnerability exists in AnythingLLM. An attacker could use this vulnerability to escalate privileges to brute force the IPs of other services located on the same network as AnythingLLM...

Apache Answer 竞争条件问题漏洞

Apache Answer is a community platform of the Apache USA Foundation. Apache Answer 1.2.1 and prior versions suffer from a Competing Conditions vulnerability, which arises from improper handling of concurrent access when concurrent code requires mutually exclusive access to shared resources during...

PT-2024-2167 · Red Hat · Keycloak

Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: The issue is related to a flaw in the re-authentication mechanism within Keycloak, specifically in the org.keycloak.authentication module. This flaw allows an attacker to hijack an active...

GLSA-202402-25 : Mozilla Thunderbird: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202402-25 Mozilla Thunderbird: Multiple Vulnerabilities - Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document file, while in fact it wa...

Hacking Microsoft and Wix with Keyboard Shortcuts

Browser vendors continuously tweak and refine browser functionalities to improve security. Implementing same-site cookies is a prime example of vendors’ efforts to mitigate Cross-Site Request Forgery CSRF attacks. However, not all security measures are foolproof. In their quest to combat Cross-Si...

CVE-2024-24300

4ipnet EAP-767 v3.42.00 is vulnerable to Incorrect Access Control. The device uses the same set of credentials, regardless of how many times a user logs in, the content of the cookie remains unchanged...

ALPINE-CVE-2023-5680

If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and...

Envoy Resource Management Error Vulnerability

Envoy is an open source distributed proxy server. A resource management error vulnerability exists in versions of Envoy prior to 1.29.1, which stems from a denial of service that occurs when certain timeouts occur within the same time interval...

AZL-34648 CVE-2024-0853 affecting package curl for versions less than 8.8.0-1

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status OCSP stapling test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check...

mailcow Security Vulnerabilities

mailcow is a mail server suite. A security vulnerability exists in previous versions of mailcow 2024-01c that stems from allowing an attacker on the same subnet to connect to a public port of a Docker container...

PT-2024-20538 · Mailcow · Mailcow

Name of the Vulnerable Software and Affected Versions: mailcow versions prior to 2024-01c Description: A security issue has been identified in mailcow, a dockerized email package. This issue potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even wh...

DEBIAN-CVE-2024-0564

A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging KSM, added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page...

hw: Intel: Gather Data Sampling (GDS) side channel vulnerability

A Gather Data Sampling GDS transient execution side-channel vulnerability was found affecting certain Intel processors. This issue may allow a local attacker using gather instruction load from memory to infer stale data from previously used vector registers on the same physical core...

hw: Intel: Gather Data Sampling (GDS) side channel vulnerability

A Gather Data Sampling GDS transient execution side-channel vulnerability was found affecting certain Intel processors. This issue may allow a local attacker using gather instruction load from memory to infer stale data from previously used vector registers on the same physical core...

kernel: Spectre v2 SMT mitigations problem

It was found that the Linux Kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The kernel failed to protect applications that attempted to protect against Spectre v2 leaving them open to attack from other processes...

CVE-2024-23633

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...