Liferay Portal - Open Redirect

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' U+FFFD, which allows remote...

EUVD-2024-55549

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files...

CVE-2024-8010

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files...

GHSA-MHRG-94VW-45C5 Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs

Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery SSRF vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests...

openSUSE 16 Security Update : tomcat (openSUSE-SU-2026:20350-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20350-1 advisory. Update to Tomcat 9.0.115: - CVE-2025-66614: client certificate verification bypass due to virtual host mapping bsc1258371. - CVE-2026-24733:...

Bridging the Gap in Phishing Detection: a Comprehensive Phishing Dataset Collector

To combat phishing attacks -- aimed at luring web users to divulge their sensitive information -- various phishing detection approaches have been proposed. As attackers focus on devising new tactics to bypass existing detection solutions, researchers have adapted by integrating machine learning a...

Linux Distros Unpatched Vulnerability : CVE-2024-2874

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered wi...

SUSE-SU-2025:02280-1 Security update for tomcat

This update for tomcat fixes the following issues: - CVE-2025-46701: Fixed refactor CGI servlet to access resources via WebResources bsc1243815. - CVE-2025-48988: Fixed limits the total number of parts in a multi-part request and limits the size of the headers provided with each part bsc1244656. ...

SUSE-SU-2025:02261-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: - Fixed refactor CGI servlet to access resources via WebResources bsc1243815. - Fixed limits the total number of parts in a multi-part request and limits the size of the headers provided with each part bsc1244656. - Fixed expand checks for...

SUSE-SU-2025:02214-1 Security update for tomcat

This update for tomcat fixes the following issues: - CVE-2025-46701: Refactored CGI servlet to access resources via WebResources bsc1243815. - CVE-2025-48988: Limited the total number of parts in a multi-part request and limits the size of the headers provided with each part bsc1244656. -...

CVE-2024-12779 SSRF in infiniflow/ragflow

A Server-Side Request Forgery SSRF vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the POST /v1/llm/addllm and POST /v1/conversation/tts endpoints. Attackers can specify an arbitrary URL as the apibase when adding an OPENAITTS model, and subsequently...

CVE-2024-12775 SSRF in langgenius/dify

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery SSRF vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's...

Improved Guidance for Azure Network Service Tags

Summary Microsoft Security Response Center MSRC was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure...

BIT-GITLAB-2024-2874 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources...

CVE-2024-2874

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources...

UBUNTU-CVE-2024-2874

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources...

CVE-2024-2874

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources...

CVE-2024-2874

CVE-2024-2874 affects GitLab CE/EE: all versions before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. Root cause: a runner registered with a crafted description can disrupt loading of targeted GitLab web resources, yielding a HIGH impact on availability (CVSS 3.1 base 6.5). Exploitation ...

CVE-2024-2874 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources...

GitLab < 16.10.6 / 16.11 < 16.11.3 / 17.0 < 17.0.1 (CVE-2024-2874)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. A runner registered with a crafted description has the potenti...