CBL Mariner 2.0 Security Update: kernel (CVE-2024-50186)
The version of kernel installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-50186 advisory. - In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, wh...
GHSA-J2PQ-22JJ-4PM5 XWiki allows remote code execution through the extension sheet
Impact On instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server. In order to reproduce on an instance, as a normal user without script nor programming rights, go to your profile and add an object of type...
GHSA-X6MH-RJWM-8PH7 Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpeXLSX::toHTMLEx
Impact When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Patches The supplied patch resolves this vulnerability for SimpleXLSX. Use 1.1.12 Workarounds Don't use direct publication via toHTMLEx This vulnerability was discovered by Aleksey Solovev...
GHSA-CWQ6-MJMX-47P6 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation e.g., Trigger on any job. If the operation is successful...
XWiki allows RCE from script right in configurable sections
Impact Any user with script rights can perform arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, as a user with script rights, ed...
CVE-2024-55876
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...
CVE-2024-55663 XWiki Platform has an SQL injection in getdocuments.vm with sort parameter
XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in getdocument.vm; the ordering of the returned documents is defined from an unsanitized request parameter request.sort and can allow any user to inject HQL. Depending on th...
CVE-2024-55662
CVE-2024-55662 affects XWiki Platform (3.3-milestone-1 to versions before 15.10.9 and 16.3.0) when the Extension Repository Application is installed. The root cause is that a user with access to the server can execute code requiring programming rights via the Extension Repository Application, ena...
CLSA-2024-1734006823 php: Fix of CVE-2024-11234
CVE-2024-11234: Fix possibility of HTTP request smuggling in configured proxy URI by prohibiting CRLF injection...
Security update for nodejs20
This update for nodejs20 fixes the following issues: CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856). Other fixes: - Updated to 20.18.1: Experimental Network Inspection Support in Node.js; Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext; New...
Exploit for CVE-2024-4956
CVE-2024-4956 is a serious path traversal vulne...
CVE-2024-55659
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the /api/asset/upload endpoint in SiYuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting via the file write. Version 3.1.16 contains a patch for the issue...
CVE-2024-54494
A race condition was addressed with additional validation. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, visionOS 2.2, watchOS 11.2. An attacker may be able to create a read-only memory mapping that can be...
CVE-2023-38471 affecting package avahi for versions less than 0.8-4
CVE-2023-38471 affecting package avahi for versions less than 0.8-4. A patched version of the package is available...
PT-2024-9605 · Microsoft · Update Catalog
The affected software is Microsoft Update Catalog, which has a critical issue related to the deserialization of untrusted data. This allows an unauthorized attacker to elevate privileges on the website's webserver. Although no specific versions of the software are mentioned as being affected,...
PT-2024-17640 · WordPress · Arena.Im
Name of the Vulnerable Software and Affected Versions: Arena.IM – Live Blogging for real-time events plugin for WordPress versions up to, and including, 0.3.0 Description: The issue is due to missing or incorrect nonce validation on the albfre user action AJAX action. This allows unauthenticated...
GitLab 9.4 < 17.4.6 / 17.5 < 17.5.4 / 17.6 < 17.6.2 (CVE-2024-8233)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Inefficient Algorithmic Complexity in GitLab (CVE-2024-8233). Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...
CVE-2024-54485
The issue was addressed by adding additional logic. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2. An attacker with physical access to an iOS device may be able to view notification content from the lock screen...
CVE-2024-44225
A logic issue was addressed with improved checks. This issue is fixed in iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2, tvOS 18.2, watchOS 11.2. An app may be able to gain elevated privileges...