CVE-2025-27602 Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folde...
Linux Distros Unpatched Vulnerability : CVE-2023-48795
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks...
CVE-2024-41964
Kirby is a CMS targeting designers and editors. Kirby allows restricting the permissions of specific user roles, so that users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's...
CVE-2024-6203
HaloITSM versions up to 2.146.1 are affected by a Password Reset Poisoning vulnerability. Poisoned password reset links can be sent to existing HaloITSM users given their email address is known. When these poisoned links get accessed e.g. manually by the victim or automatically by an email client...
CVE-2025-23209 Potential RCE with a compromised security key in craft/cms
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a...
CVE-2024-50349
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for whic...
Gogs allows deletion of internal files
Impact: Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUNUSER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance. Patches: Deletion of .git files has been prohibit...
CVE-2024-53260 Course Roster vulnerable to CSV Injection in Autolab
Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and/or last name to include a valid Excel / spreadsheet formula. When an instructor downloads their course's roster and opens it, this name will then be evaluated as a formula. This...
RHSA-2012:0514 Red Hat Security Advisory: java-1.6.0-ibm security update
Bulletin has no description...
PT-2024-33912 · Ipswitch · Whatsup Gold
Name of the Vulnerable Software and Affected Versions: WhatsUp Gold versions prior to 2023.1.3 Description: The issue allows an authenticated user with certain permissions to upload an arbitrary file, which can lead to remote code execution (RCE) using the...
Security update for chromium (important)
openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2024:0084-1 Rating: important References: 1220131 1220604 1221105 1221335 Cross-References: CVE-2024-1669 CVE-2024-1670 CVE-2024-1671 CVE-2024-1672 CVE-2024-1673 CVE-2024-1674 CVE-2024-1675 CVE-2024-1676...
#StopRansomware: Play Ransomware
Actions to take today to mitigate cyber threats from Play ransomware: 1. Prioritize remediating known exploited vulnerabilities. 2. Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems. 3. Regularly...
PT-2023-26330 · Unknown · Superwebmailer
Name of the Vulnerable Software and Affected Versions: SuperWebMailer version 9.00.0.01710 Description: An issue was discovered that allows for XSS via a GET parameter in the keepalive.php file. Recommendations: For SuperWebMailer version 9.00.0.01710, consider restricting access to the...
#StopRansomware: AvosLocker Ransomware (Update)
Actions to take today to mitigate cyber threats from AvosLocker ransomware: 1. Securing remote access tools 2. Restricting RDP and other remote desktop services 3. Securing PowerShell and/or restrict usage 4. Update software to latest version and apply patching updates regularly...
JSA10512 - 2012-06 Security Bulletin: Pulse Connect Secure (PCS): Open redirect issue
Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. An open redirect issue has been found in the Pulse Connect Secure (PCS) product. The issue is caused by incorrect validation of user input sent to the PCS web server. The issue exists in...
PT-2022-26740 · Unknown · Web-Based Student Clearance System
Name of the Vulnerable Software and Affected Versions: Web-Based Student Clearance System version 1.0 Description: A cross-site scripting (XSS) issue exists in the /admin/edit-admin.php endpoint, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the...
CVE-2022-39238 Improper Authentication in Arvados when using PAM as identity provider
Arvados is an open source platform for managing and analyzing biomedical big data. In versions prior to 2.4.3, when using Portable Authentication Modules (PAM) for user authentication, if a user presented valid credentials but the account is disabled or otherwise not allowed to access the host such...
SUSE-SU-2022:0729-1 Security update for SUSE Manager Server 4.2
This update fixes the following issues: spacewalk-java: - Version 4.2.33-1 handle npe when syncing ubuntu errata bsc1196619 susemanager-sync-data: - Version 4.2.11-1 change centos 8 eol urls to vault which still work How to apply this update: 1. Log in as root user to the SUSE Manager server. 2...
The Bug Report - February 2022 Edition
The Bug Report - February 2022 By Jesse Chick · March 2, 2022 Your Cybersecurity Comic Relief Image courtesy of https://toggl.com/ Why am I here? Welcome back to the Bug Report, stubby-month edition! For those in the audience unfamiliar with our shtick, every month we compile a shortlist of the t...
GHSA-52QP-GWWH-QRG4 Missing Handler in @scandipwa/magento-scripts
Impact: After changing the function from synchronous to asynchronous, no handler was implemented in the start, stop, exec and logs commands, effectively making them unusable. Patches: Version 1.5.3 contains patches for the problems described above. Workarounds: Upgrade to patched or latest...