7894 matches found

OSV
added 2024/11/30 9:03 a.m.

MAL-2024-12216 Malicious code in bestcolorsever2 (PyPI)

Source: kam193 fa4352627d3e53d9bea22f4b439c0749f5a88407f6dda914fe43ca7612c5b101. Packages either test the malicious behaviour, or actually download and run a simple remote script during the installation. Category: PROBABLYPENTEST -...

AI score 7.5
Exploits 0 · References 1
OSV
added 2024/11/29 11:58 a.m.

OESA-2024-2494 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved: bonding: stop the device in bond_setup_by_slave. Commit 9eed321cde22 "net: lapbether: only support ethernet devices" has been able to keep syzbot away from net/lapb,...

CVSS 7.8 · AI score 6.3 · EPSS 0.00309
Exploits 0 · References 36
OSV
added 2024/11/29 6:15 a.m.

CVE-2024-10704

The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 4.8 · AI score 5.8 · EPSS 0.00369
Exploits 1 · References 1
Positive Technologies
added 2024/11/29 12:00 a.m.

PT-2024-16479 · 10Web · The Photo Gallery

Name of the Vulnerable Software and Affected Versions: The Photo Gallery by 10Web versions prior to 1.8.31. Description: The issue concerns a Stored Cross-Site Scripting (XSS) vulnerability. It arises because the plugin does not properly sanitise and escape some of its settings, allowing...

CVSS 4.8 · AI score 7.8 · EPSS 0.00369
Exploits 1 · References 7
NVD
added 2024/11/28 10:15 a.m.

CVE-2024-49502

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects Container...

CVSS 4.6 · EPSS 0.00271
Exploits 0 · References 1
CVE
added 2024/11/28 9:26 a.m.

CVE-2024-49502

CVE-2024-49502 is a cross-site scripting vulnerability in the Setup Wizard, HTTP Proxy credentials pane of spacewalk-web. It affects SUSE Manager Server 4.3 (and related Spacewalk components) prior to versions updated by SUSE-SU-2024:4007-1, specifically before 4.3.42-150400.3.52.1 for the 4.3 li...

CVSS 4.6 · AI score 4 · EPSS 0.00271
Exploits 0 · References 1
Cvelist
added 2024/11/28 9:26 a.m.

CVE-2024-49502 Reflected XSS in Setup Wizard, HTTP Proxy credentials pane in spacewalk-web

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects Container...

CVSS 4.6 · EPSS 0.00271
Exploits 0 · References 1
Vulnrichment
added 2024/11/28 9:26 a.m.

CVE-2024-49502 Reflected XSS in Setup Wizard, HTTP Proxy credentials pane in spacewalk-web

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects Container...

CVSS 4.6 · AI score 6.8 · EPSS 0.00271
Exploits 0 · References 1
Cvelist
added 2024/11/28 9:20 a.m.

CVE-2024-49503 Reflected XSS in Setup Wizard, Organization Credentials in spacewalk-web

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE Manager allows attackers to execute JavaScript code in the organization credentials sub page. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before...

CVSS 4.6 · EPSS 0.00271
Exploits 0 · References 1
Vulnrichment
added 2024/11/28 9:20 a.m.

CVE-2024-49503 Reflected XSS in Setup Wizard, Organization Credentials in spacewalk-web

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE Manager allows attackers to execute JavaScript code in the organization credentials sub page. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before...

CVSS 4.6 · AI score 7.5 · EPSS 0.00271
Exploits 0 · References 1
Vulnrichment
added 2024/11/28 6:00 a.m.

CVE-2024-10510 adBuddy+ (AdBlocker Detection) by NetfunkDesign <= 1.1.3 - Admin+ Stored XSS

The adBuddy+ (AdBlocker Detection) by NetfunkDesign WordPress plugin through 1.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example...

AI score 4.7 · EPSS 0.00369
Exploits 1 · References 1
OSSF Malicious Packages
added 2024/11/27 10:06 p.m.

Malicious code in dgsinstaller (PyPI)

Source: kam193 f90b0387462eccb87e3b6d3b542cfdcfe3083873083f00a7ac5120c64b800f98. Installing the package downloads and installs an infostealer. Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

AI score 7.6
Exploits 0 · References 1
OSSF Malicious Packages
added 2024/11/27 10:06 p.m.

Malicious code in ccsinstaller (PyPI)

Source: kam193 3e18cda71c2919c802b866f37fc87002396540fd6d3ea3f22b7703111c247518. Installing the package downloads and installs an infostealer. Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

AI score 7.6
Exploits 0 · References 1
OSV
added 2024/11/27 10:06 p.m.

MAL-2024-12231 Malicious code in ccsinstaller (PyPI)

Source: kam193 3e18cda71c2919c802b866f37fc87002396540fd6d3ea3f22b7703111c247518. Installing the package downloads and installs an infostealer. Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

AI score 7.5
Exploits 0 · References 1
Vulnrichment
added 2024/11/26 6:52 p.m.

CVE-2024-52008 Password Policy Bypass Vulnerability in Fides Webserver

Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API cal...

CVSS 2 · AI score 6.9 · EPSS 0.00536
Exploits 0 · References 1
Snyk
added 2024/11/26 4:36 p.m.

Client-Side Enforcement of Server-Side Security

Overview: ethyca-fides is an open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security due to improper implementation of password policy validations in the /api/v1/user/accept-invite endpoint. An attacker can...

CVSS 8.8 · AI score 6.9 · EPSS 0.00536
Exploits 0 · References 2
Github Security Blog
added 2024/11/25 3:11 p.m.

Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws

Coinbase researchers reported 2 security issues in our implementation of the oblivious transfer (OT) based protocol DKLS: 1. Secret share recovery attack. If the base OT setup of the protocol is reused for another execution of the OT extension, then a malicious participant can extract a bit of the...

AI score 7.3
Exploits 0 · References 6 · Affected Software 1
NVD
added 2024/11/25 6:15 a.m.

CVE-2024-6393

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example i...

CVSS 4.8 · EPSS 0.00455
Exploits 1 · References 1
OSV
added 2024/11/25 6:15 a.m.

CVE-2024-10710

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

CVSS 3.5 · AI score 5.8
Exploits 0 · References 1
Cvelist
added 2024/11/25 6:00 a.m.

CVE-2024-7056 WPForms < 1.9.1.6 - Admin+ Stored XSS

The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00455
Exploits 1 · References 1