CVE-2024-50335
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting XSS, allowing an attacker to inject malicious JavaScript code. This can be exploited to...
PYSEC-2024-201
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on...
CVE-2024-50335
The CVE-2024-50335 issue affects SuiteCRM where the Publish Key field in the Edit Profile page is vulnerable to Reflected XSS, enabling an attacker to inject JavaScript and steal CSRF tokens to forge requests that create new administrative users without authentication. Root cause is insufficient ...
CVE-2024-51493 API key access in settings without reauthentication in OctoPrint
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...
GHSA-V2QH-F584-6HJ8 @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled
Impact Refresh tokens are logged to the console when the debug flag, which is disabled by default, is enabled. Patches Patched in https://github.com/workos/authkit-remix/releases/tag/v0.4.1...
CVE-2024-50118
CVE-2024-50118 relates to the Linux kernel Btrfs remount/RW reconfiguration path. The issue arises during mounting different subvolumes with conflicting RO/RW flags: an initial read-only mount (ro) followed by an attempt to remount a subvolume as read/write, with options/feature checks being skip...
CVE-2024-50106
The CVE-2024-50106 entry concerns the Linux kernel (nfsd) and describes a race between laundromat handling revoked delegations and a client issuing free_stateid, which can lead to a use-after-free of a delegation stateid if a new open finds a non-empty lease list and dereferences a freed stateid....
kernel security update
4.18.0-553.27.110.OL8 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...
ALSA-2024:8793 Moderate: thunderbird security update
Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser CVE-2024-10464 firefox: thunderbird: XSS due to Content-Disposition being ignored in...
MGASA-2024-0343 Updated buildah, podman, skopeo packages fix security vulnerabilities
A flaw was found in Buildah and subsequently Podman Build which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation ...
CVE-2024-28180 affecting package dcos-cli for versions less than 1.2.0-19
CVE-2024-28180 affecting package dcos-cli for versions less than 1.2.0-19. A patched version of the package is available...
CVE-2024-8006 affecting package libpcap for versions less than 1.10.1-3
CVE-2024-8006 affecting package libpcap for versions less than 1.10.1-3. A patched version of the package is available...
Security update for rubygem-actionmailer-5_1
This update for rubygem-actionmailer-5_1 fixes the following issues: CVE-2024-47889: Fixed possible ReDoS vulnerability in block_format in Action Mailer (bsc#1231723). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...
PT-2024-34620 · Unknown · Open Floodlight Sdn Controller
Name of the Vulnerable Software and Affected Versions: Floodlight SDN OpenFlow Controller version 1.2 Description: The issue allows local hosts to build fake LLDP packets, which can cause Floodlight to miss specific clusters. This, in turn, leads to missed hosts inside and outside the cluster. T...
Important: qt5-qttools
Issue Overview: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted signal has not ye...
CVE-2024-50356 Press has a potential 2FA bypass
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. The password could be reset by anyone who has access to the mail inbox, circumventing the 2FA, even though they would not be able to log in by bypassing the 2FA. Onl...
PT-2024-33089 · Qualitor · Qualitor
Name of the Vulnerable Software and Affected Versions: Qualitor version 8.24 Description: The issue is a remote code execution RCE vulnerability. It can be exploited via the gridValoresPopHidden parameter. Recommendations: For Qualitor version 8.24, avoid using the gridValoresPopHidden parameter...
CLSA-2024-1730227233 Fix CVE(s): CVE-2024-8925
SECURITY UPDATE: prevent erroneous parsing - debian/patches/CVE-2024-8925.patch: limit boundary size to prevent erroneous parsing in multipart/form-data POST data - CVE-2024-8925...
CVE-2024-50334 Semicolon Path Injection on API /api;/config
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT...
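Added example (not Scoold's code, and not taken from the advisory) modelling the general class behind a `/api;/config` bypass. In Java servlet containers such as Tomcat and Jetty, a `;` inside a path segment starts matrix parameters that the container strips before routing, while `getRequestURI()` still returns the raw string. An authorization filter that matches on the raw URI therefore does not recognise `/api;/config` as an API path, yet the router dispatches it to `/api/config`. Whether Scoold's filter fails in exactly this way is not stated above; the normalisation rules, the `/api/` prefix check and the request pipeline below are assumptions made for illustration.

```python
"""Model of semicolon (matrix-parameter) path injection: the auth filter and
the router disagree about which resource a request targets.

Example code added to illustrate the bug class; it is not Scoold's
implementation. The normalisation below approximates what servlet containers
do before route matching (assumption for illustration).
"""
import re
from typing import Callable, Tuple

# Matrix parameters: a ';' inside a path segment begins parameters belonging to
# that segment, e.g. "/api;jsessionid=abc/config". Containers drop them when
# computing the servlet path used for routing.
_MATRIX_PARAMS = re.compile(r";[^/]*")


def normalize_path(raw_uri: str) -> str:
    """Return the path the router actually dispatches on.

    Drops the query string, strips matrix parameters from every segment and
    resolves '.' and '..' segments.
    """
    path = raw_uri.split("?", 1)[0]
    path = _MATRIX_PARAMS.sub("", path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def vulnerable_requires_auth(raw_uri: str) -> bool:
    """Weak filter: decides on the raw request URI, before normalisation.

    "/api;/config" does not start with "/api/", so no API key is demanded.
    """
    return raw_uri.startswith("/api/")


def hardened_requires_auth(raw_uri: str) -> bool:
    """Fixed filter: decides on the same normalised path the router uses."""
    path = normalize_path(raw_uri)
    return path == "/api" or path.startswith("/api/")


def handle(raw_uri: str, requires_auth: Callable[[str], bool],
           has_valid_key: bool) -> Tuple[int, str]:
    """Tiny request pipeline: authorization filter, then route dispatch.

    Returns (status, body). The router always works on the normalised path,
    mirroring a container that strips matrix parameters before matching.
    """
    if requires_auth(raw_uri) and not has_valid_key:
        return 401, "unauthorized"
    route = normalize_path(raw_uri)
    if route == "/api/config":
        return 200, "config"  # sensitive configuration, should need a key
    return 404, "not found"


if __name__ == "__main__":
    # Constructed requests, no valid API key presented.
    for uri in ("/api/config", "/api;/config", "/api;x=1/config"):
        print(uri, "weak:", handle(uri, vulnerable_requires_auth, False),
              "fixed:", handle(uri, hardened_requires_auth, False))
```

The fix is not the prefix check itself but where it is evaluated: authorization must run on the canonical path the dispatcher uses, or the dispatcher must reject any URI whose raw form and canonical form differ. Checking the raw string and routing on the normalised one is the discrepancy an attacker exploits.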
PT-2024-10604 · Unknown · Lunad3V Areaload
Name of the Vulnerable Software and Affected Versions: LUNAD3v AreaLoad up to 1a1103182ed63a06dde63d1712f3262eda19c3ec Description: A critical issue affects the processing of the file request.php, where the manipulation of the phone argument leads to sql injection. The estimated number of...