
213680 matches found

Prion
•added 2023/12/12 9:15 p.m.•17 views

Deserialization of untrusted data

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling tag that references an tag, it merges the attributes from the tag to the tag. The problem pops up especially when the href attribute from the tag has not been sanitized. This can lead to an unsafe file...

CVSS 7.5 • AI score 7 • EPSS 0.23903
Exploits 1 • References 2 • Affected Software 1

Prion
•added 2023/12/12 9:15 p.m.•24 views

Design/Logic Flaw

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a use tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern this could exhaust the...

CVSS 5 • AI score 7 • EPSS 0.00878
Exploits 1 • References 2 • Affected Software 1

Prion
•added 2023/12/12 9:15 p.m.•17 views

Code injection

Laf is a cloud development platform. Prior to version 1.0.0-beta.13, the control of LAF app enV is not strict enough, and in certain scenarios of privatization environment, it may lead to sensitive information leakage in secret and configmap. In ES6 syntax, if an obj directly references another...

CVSS 6.4 • AI score 6.6 • EPSS 0.00796
Exploits 1 • References 3 • Affected Software 1

Prion
•added 2023/12/12 8:15 p.m.•19 views

Privilege escalation

Workspace ONE Launcher contains a Privilege Escalation Vulnerability. A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information...

CVSS 2.1 • AI score 7 • EPSS 0.00405
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 8:15 p.m.•24 views

Design/Logic Flaw

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the...

CVSS 3.8 • AI score 6.9 • EPSS 0.00181
Exploits 0 • References 2 • Affected Software 1

Prion
•added 2023/12/12 8:15 p.m.•21 views

Memory corruption

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The QUIC stack quicly, as used by H2O up to commit 43f86e5 in version 2.3.0-beta and prior, is susceptible to a state exhaustion attack. When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressivel...

CVSS 5 • AI score 7.1 • EPSS 0.00857
Exploits 0 • References 2 • Affected Software 1

Prion
•added 2023/12/12 8:15 p.m.•23 views

Default credentials

Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a user enumeration attack is possible when SMTP is not set up correctly, but reset password is enabled. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this...

CVSS 5 • AI score 7.2 • EPSS 0.0046
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 8:15 p.m.•17 views

Input validation

Umbraco is an ASP.NET content management system CMS. Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a...

CVSS 4.9 • AI score 7 • EPSS 0.00387
Exploits 0 • References 2 • Affected Software 1

Prion
•added 2023/12/12 8:15 p.m.•18 views

Information disclosure

Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue...

CVSS 5 • AI score 7 • EPSS 0.005
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 7:15 p.m.•20 views

Information disclosure

Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, users with low privileges Editor, etc. are able to access some unintended endpoints. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue...

CVSS 5.5 • AI score 7 • EPSS 0.00369
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 7:15 p.m.•14 views

Path traversal

Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0...

CVSS 4 • AI score 7 • EPSS 0.00624
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 7:15 p.m.•18 views

Default credentials

An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ingest,...

CVSS 4 • AI score 7 • EPSS 0.00589
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 7:15 p.m.•16 views

Default credentials

An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent...

CVSS 4 • AI score 6.9 • EPSS 0.00589
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•16 views

Privilege escalation

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability...

CVSS 4.3 • AI score 7 • EPSS 0.06541
Exploits 0 • References 1 • Affected Software 7

Prion
•added 2023/12/12 6:15 p.m.•25 views

Privilege escalation

Win32k Elevation of Privilege Vulnerability...

CVSS 4.3 • AI score 7 • EPSS 0.00705
Exploits 0 • References 1 • Affected Software 9

Prion
•added 2023/12/12 6:15 p.m.•26 views

Spoofing

Windows DPAPI Data Protection Application Programming Interface Spoofing Vulnerability...

CVSS 5.1 • AI score 6.9 • EPSS 0.01369
Exploits 0 • References 1 • Affected Software 10

Prion
•added 2023/12/12 6:15 p.m.•39 views

Remote code execution

Windows MSHTML Platform Remote Code Execution Vulnerability...

CVSS 5.1 • AI score 7.7 • EPSS 0.92817
Exploits 0 • References 1 • Affected Software 11

Prion
•added 2023/12/12 6:15 p.m.•28 views

Spoofing

Microsoft Power Platform Connector Spoofing Vulnerability...

CVSS 4.3 • AI score 7 • EPSS 0.16221
Exploits 0 • References 1 • Affected Software 2

Prion
•added 2023/12/12 6:15 p.m.•27 views

Remote code execution

Internet Connection Sharing ICS Remote Code Execution Vulnerability...

CVSS 5.8 • AI score 7.7 • EPSS 0.06127
Exploits 0 • References 1 • Affected Software 11

Prion
•added 2023/12/12 6:15 p.m.•17 views

Information disclosure

Microsoft Word Information Disclosure Vulnerability...

CVSS 1.9 • AI score 6.8 • EPSS 0.0123
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•11 views

Input validation

A vulnerability in the AnyConnect SSL VPN feature of Cisco Adaptive Security Appliance ASA Software and Cisco Firepower Threat Defense FTD Software could allow an authenticated, remote attacker to send packets with another VPN user's source IP address. This vulnerability is due to improper...

CVSS 4 • AI score 7.1 • EPSS 0.00412
Exploits 0 • References 1 • Affected Software 2

Prion
•added 2023/12/12 6:15 p.m.•23 views

Remote code execution

Windows Media Remote Code Execution Vulnerability...

CVSS 4.4 • AI score 7.6 • EPSS 0.01085
Exploits 0 • References 1 • Affected Software 11

Prion
•added 2023/12/12 6:15 p.m.•21 views

Spoofing

Microsoft Outlook for Mac Spoofing Vulnerability...

CVSS 5 • AI score 7.1 • EPSS 0.01186
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•21 views

Denial of service

Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability...

CVSS 5 • AI score 7 • EPSS 0.02339
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•21 views

Information disclosure

Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability...

CVSS 1 • AI score 6.9 • EPSS 0.00708
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•28 views

Privilege escalation

Win32k Elevation of Privilege Vulnerability...

CVSS 4.3 • AI score 7 • EPSS 0.06548
Exploits 0 • References 1 • Affected Software 4

Prion
•added 2023/12/12 6:15 p.m.•24 views

Privilege escalation

Windows Kernel Elevation of Privilege Vulnerability...

CVSS 4.3 • AI score 7 • EPSS 0.08698
Exploits 0 • References 2 • Affected Software 3

Prion
•added 2023/12/12 6:15 p.m.•20 views

Denial of service

DHCP Server Service Denial of Service Vulnerability...

CVSS 5 • AI score 7 • EPSS 0.03262
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•28 views

Privilege escalation

Azure Connected Machine Agent Elevation of Privilege Vulnerability...

CVSS 4.1 • AI score 7.2 • EPSS 0.00875
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•20 views

Denial of service

Windows Kernel Denial of Service Vulnerability...

CVSS 1.9 • AI score 7 • EPSS 0.00996
Exploits 0 • References 1 • Affected Software 2

Prion
•added 2023/12/12 6:15 p.m.•31 views

Information disclosure

DHCP Server Service Information Disclosure Vulnerability...

CVSS 5 • AI score 6.8 • EPSS 0.02646
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•23 views

Denial of service

Internet Connection Sharing ICS Denial of Service Vulnerability...

CVSS 3.3 • AI score 7 • EPSS 0.01282
Exploits 0 • References 1 • Affected Software 10

Prion
•added 2023/12/12 6:15 p.m.•25 views

Remote code execution

Internet Connection Sharing ICS Remote Code Execution Vulnerability...

CVSS 5.8 • AI score 7.7 • EPSS 0.0722
Exploits 0 • References 1 • Affected Software 10

Prion
•added 2023/12/12 6:15 p.m.•28 views

Information disclosure

Microsoft Outlook Information Disclosure Vulnerability...

CVSS 4.3 • AI score 6.9 • EPSS 0.17559
Exploits 1 • References 1 • Affected Software 2

Prion
•added 2023/12/12 6:15 p.m.•26 views

Spoofing

Windows DNS Spoofing Vulnerability...

CVSS 5 • AI score 6.9 • EPSS 0.01563
Exploits 0 • References 1 • Affected Software 3

Prion
•added 2023/12/12 6:15 p.m.•31 views

Privilege escalation

XAML Diagnostics Elevation of Privilege Vulnerability...

CVSS 4.1 • AI score 7.1 • EPSS 0.02822
Exploits 1 • References 1 • Affected Software 8

Prion
•added 2023/12/12 6:15 p.m.•31 views

Information disclosure

DHCP Server Service Information Disclosure Vulnerability...

CVSS 5 • AI score 6.8 • EPSS 0.01998
Exploits 0 • References 1 • Affected Software 2

Prion
•added 2023/12/12 6:15 p.m.•23 views

Remote code execution

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability...

CVSS 6.8 • AI score 8.2 • EPSS 0.01891
Exploits 0 • References 1 • Affected Software 10

Prion
•added 2023/12/12 6:15 p.m.•20 views

Cross site scripting

Microsoft Dynamics 365 on-premises Cross-site Scripting Vulnerability...

CVSS 4.9 • AI score 6.7 • EPSS 0.00995
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•16 views

Denial of service

Microsoft Defender Denial of Service Vulnerability...

CVSS 5 • AI score 7 • EPSS 0.02632
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•21 views

Remote code execution

Microsoft ODBC Driver Remote Code Execution Vulnerability...

CVSS 6.8 • AI score 7.6 • EPSS 0.02368
Exploits 0 • References 1 • Affected Software 10

Prion
•added 2023/12/12 6:15 p.m.•29 views

Privilege escalation

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability...

CVSS 4.3 • AI score 7 • EPSS 0.00864
Exploits 0 • References 1 • Affected Software 7

Prion
•added 2023/12/12 6:15 p.m.•16 views

Cross site scripting

Umbraco is an ASP.NET content management system CMS. Starting in 10.0.0 and prior to versions 10.8.1 and 12.3.4, Umbraco contains a cross-site scripting XSS vulnerability enabling attackers to bring malicious content into a website or application. Versions 10.8.1 and 12.3.4 contain a patch for th...

CVSS 5.8 • AI score 5.9 • EPSS 0.00425
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•15 views

Default credentials

An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released...

CVSS 4 • AI score 6.8 • EPSS 0.00594
Exploits 0 • References 2 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•24 views

Remote code execution

Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability...

CVSS 4.6 • AI score 7.5 • EPSS 0.00855
Exploits 0 • References 1 • Affected Software 3

Prion
•added 2023/12/12 6:15 p.m.•29 views

Privilege escalation

Windows Sysmain Service Elevation of Privilege...

CVSS 4.3 • AI score 7 • EPSS 0.0625
Exploits 0 • References 1 • Affected Software 6

Prion
•added 2023/12/12 6:15 p.m.•18 views

Remote code execution

main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution...

CVSS 7.5 • AI score 7.5 • EPSS 0.02565
Exploits 2 • References 5 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•23 views

Remote code execution

Windows Bluetooth Driver Remote Code Execution Vulnerability...

CVSS 5.8 • AI score 7.7 • EPSS 0.00954
Exploits 0 • References 1 • Affected Software 3

Prion
•added 2023/12/12 6:15 p.m.•29 views

Privilege escalation

Local Security Authority Subsystem Service Elevation of Privilege Vulnerability...

CVSS 4.3 • AI score 7.1 • EPSS 0.0724
Exploits 0 • References 1 • Affected Software 1

Prion
•added 2023/12/12 6:15 p.m.•36 views

Privilege escalation

Windows Telephony Server Elevation of Privilege Vulnerability...

CVSS 5.1 • AI score 7 • EPSS 0.23857
Exploits 0 • References 1 • Affected Software 10

Total number of security vulnerabilities: 213680