Mattermost crashes web clients via a malformed custom status
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom...
4.3CVSS
4.5AI Score
0.0004EPSS
Summary IBM i is vulnerable to a local user with command line access gaining elevated privilege due to a flaw in IBM TCP/IP Connectivity Utilities for i as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the...
7.8CVSS
6.9AI Score
0.0004EPSS
Keysight Technologies Sensor Management Server Deserialization RCE (CVE-2022-1660)
The Keysight Sensor Management Server (SMS) running on the remote host is affected by a Java object deserialization vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to execute arbitrary code in the context of the account running the Keysight SMS....
9.8CVSS
2.9AI Score
0.006EPSS
CVE-2021-45067 This bug was Out of Bounds Read caused by...
5.5CVSS
2.2AI Score
0.004EPSS
WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms
Impact A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript...
5.4CVSS
6AI Score
0.0004EPSS
Grafana XSS via adding a link in General feature in github.com/grafana/grafana
Grafana XSS via adding a link in General feature in...
6.1CVSS
5.6AI Score
0.001EPSS
October System module has a Reflected XSS via X-October-Request-Handler Header
Impact The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy...
3.1CVSS
6.5AI Score
0.0004EPSS
@fastly/js-compute has a use-after-free in some host call implementations
Impact The implementation of the following functions were determined to include a use-after-free bug: FetchEvent.client.tlsCipherOpensslName FetchEvent.client.tlsProtocol FetchEvent.client.tlsClientCertificate FetchEvent.client.tlsJA3MD5 FetchEvent.client.tlsClientHello...
5.3CVSS
6.9AI Score
0.0004EPSS
Malicious code in @juiggitea/nulla-a-quam-voluptatem (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (f2e455a6cd6eea3b9f878efc8dc7755308d33c89e81a74063fba9c463f2cf6f8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
Summary IBM® Db2® is vulnerable to a denial of service with a specially crafted query under certain conditions. Vulnerability Details ** CVEID: CVE-2024-28762 DESCRIPTION: **IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to denial of service with a specially...
5.3CVSS
6.5AI Score
0.0004EPSS
WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms
Impact A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript...
5.4CVSS
6AI Score
0.0004EPSS
Jupyter Server Proxy has a reflected XSS issue in host parameter
Impact There is a reflected cross-site scripting (XSS) issue in jupyter-server-proxy[1]. The /proxy endpoint accepts a host path segment in the format /proxy/<host>. When this endpoint is called with an invalid host value, jupyter-server-proxy replies with a response that includes the value o...
9.6CVSS
6AI Score
0.0004EPSS
Jupyter Server Proxy has a reflected XSS issue in host parameter
Impact There is a reflected cross-site scripting (XSS) issue in jupyter-server-proxy[1]. The /proxy endpoint accepts a host path segment in the format /proxy/<host>. When this endpoint is called with an invalid host value, jupyter-server-proxy replies with a response that includes the value o...
9.6CVSS
5.8AI Score
0.0004EPSS
@fastly/js-compute has a use-after-free in some host call implementations
Impact The implementation of the following functions were determined to include a use-after-free bug: FetchEvent.client.tlsCipherOpensslName FetchEvent.client.tlsProtocol FetchEvent.client.tlsClientCertificate FetchEvent.client.tlsJA3MD5 FetchEvent.client.tlsClientHello...
5.3CVSS
6.9AI Score
0.0004EPSS
October System module has a Reflected XSS via X-October-Request-Handler Header
Impact The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy...
3.1CVSS
6.4AI Score
0.0004EPSS
Malicious code in @juiggitea/a-laboriosam-omnis-praesentium (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (73b7f742e51b1f9267457dee789b8075b86508058e76c06bb532d89c9c8d5808) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
7-Technologies AQUIS Unspecified Path Subversion Arbitrary DLL Injection Code Execution
The installed version of 7-Technologies AQUIS on the remote Windows host is 1.5 dated October 13, 2011 or earlier. As such, it insecurely looks in its current working directory when resolving DLL dependencies. Attackers may exploit this issue by placing a specially crafted DLL file and another...
4.7AI Score
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval:...
6.8AI Score
0.0004EPSS
Keysight Technologies Sensor Management Server addLicenseFile Path Traversal (CVE-2022-38129)
The Keysight Sensor Management Server (SMS) running on the remote host is affected by a path traversal vulnerability. An unauthenticated, remote attacker can exploit this, via specially crafted messages, to upload and run arbitrary executable files in the context of the account running the...
9.8CVSS
4.5AI Score
0.007EPSS
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval:...
7.1CVSS
7AI Score
0.0004EPSS
How to restore vCenter Server without a vCenter Server
The vCenter Server is not available and the vCenter Server VM needs to be...
1.8AI Score
Summary IBM i is vulnerable to a privilege escalation due to a user without privilege being able to configure a physical file trigger in Db2 for IBM i as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the...
7.4CVSS
6.6AI Score
0.0004EPSS
Summary IBM® Db2® is vulnerable to a denial of service when a specially crafted request is used via CLI. Vulnerability Details ** CVEID: CVE-2023-45178 DESCRIPTION: **IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) CLI is vulnerable to a denial of service when a specially...
7.5CVSS
6.9AI Score
0.001EPSS
citrix-logchecker Parse citrix netscaler logs to check for...
7.9AI Score
Mattermost fails to limit the size of a request path
Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request...
3.1CVSS
3.9AI Score
0.0004EPSS
karmada vulnerable to arbitrary code execution via a crafted command
An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token...
7.6AI Score
0.0004EPSS
7-Technologies TERMIS Unspecified Path Subversion Arbitrary DLL Injection Code Execution
The installed version of 7-Technologies TERMIS on the remote Windows host is 2.10 dated November 30, 2011 or earlier. As such, it insecurely looks in its current working directory when resolving DLL dependencies. Attackers may exploit this issue by placing a specially crafted DLL file and another.....
4.7AI Score
IBM Robotic Process Automation 21.0.1 and 21.0.2 could disclose sensitive version information that could aid in further attacks against the system. IBM X-Force ID:...
5.3CVSS
4.9AI Score
0.001EPSS
Mattermost allows attackers access to posts in channels they are not a member of
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member...
4.3CVSS
6.5AI Score
0.0004EPSS
7.4AI Score
Security Bulletin: A vulnerability in setuptools affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the setuptools package has been addressed. Vulnerability Details ** CVEID: CVE-2022-40897 DESCRIPTION: **Pypa Setuptools is vulnerable to a denial of service, caused by improper input validation. By sending request with a specially crafted regular expression, an remote...
5.9CVSS
6.8AI Score
0.005EPSS
Security Bulletin: A vulnerability in Go affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the package Go has been addressed. Vulnerability Details ** CVEID: CVE-2022-41725 DESCRIPTION: **Golang Go is vulnerable to a denial of service, caused by a flaw when perform multipart form parsing with mime/multipart.Reader.ReadForm. By sending a specially-crafted...
7.5CVSS
6.7AI Score
0.001EPSS
Security Bulletin: A vulnerability in Go affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the Go package has been addressed. Vulnerability Details ** CVEID: CVE-2022-41724 DESCRIPTION: **Golang Go is vulnerable to a denial of service, caused by a flaw when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote...
7.5CVSS
6.6AI Score
0.001EPSS
Security Bulletin: A vulnerability in urllib3 affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the urllib3 package has been addressed. Vulnerability Details ** CVEID: CVE-2019-11236 DESCRIPTION: **Python urllib3 is vulnerable to CRLF injection, caused by improper validation of user-supplied input by the request parameter. By sending a specially-crafted HTTP...
6.1CVSS
6.6AI Score
0.004EPSS
Security Bulletin: A vulnerability in containerd affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the containerd package has been addressed. Vulnerability Details ** CVEID: CVE-2022-31030 DESCRIPTION: **containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request using the ExecSync API, a local...
5.5CVSS
6.2AI Score
0.0004EPSS
CVE-2023-4966 Citrix Memory Leak Exploit 🔒 Leak session...
9.4CVSS
7.8AI Score
0.971EPSS
CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
Summary ZIP files uploaded to the server-side endpoint handling a CodeChecker store are not properly sanitized. An attacker can exercise a path traversal to make the CodeChecker server load and display files from an arbitrary location on the server machine. Details Target The vulnerable endpoint...
6.5CVSS
6.7AI Score
0.001EPSS
Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components
Impact We have identified a Cross-Site Scripting (XSS) vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...
5.8AI Score
@strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling
Summary A Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development and production environments. Details Usually, errors in the application cause it to log the error and keep it running for other clients. This behavior, in.....
5.3CVSS
6.8AI Score
0.0004EPSS
Security Bulletin: IBM MQ is affected by a password disclosure vulnerability (CVE-2024-35156)
Summary IBM MQ has addressed a password disclosure vulnerability in the IBM MQ REST API. Vulnerability Details CVEID: CVE-2024-35156 DESCRIPTION: IBM MQ could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This...
6.5CVSS
6.1AI Score
0.0004EPSS
CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
Summary ZIP files uploaded to the server-side endpoint handling a CodeChecker store are not properly sanitized. An attacker can exercise a path traversal to make the CodeChecker server load and display files from an arbitrary location on the server machine. Details Target The vulnerable endpoint...
6.5CVSS
6.7AI Score
0.001EPSS
Summary IBM App Connect for Manufacturing is vulnerable to a denial of service and a remote authenticated attacker accessing sensitive information. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-30171 DESCRIPTION: **The Bouncy...
7.6AI Score
EPSS
Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana
Grafana XSS via a query alias for the ElasticSearch datasource in...
6.1CVSS
5.6AI Score
0.001EPSS
Security Bulletin: A vulnerability in urllib3 affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the urllib3 package has been addressed. Vulnerability Details ** CVEID: CVE-2021-33503 DESCRIPTION: **urllib3 is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw due to catastrophic backtracking. By sending a...
7.5CVSS
6.8AI Score
0.003EPSS
Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf...
6.1CVSS
7.2AI Score
0.0005EPSS
Security Bulletin: A vulnerability in Go affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the Go package has been addressed. Vulnerability Details ** CVEID: CVE-2023-24532 DESCRIPTION: **An unspecified error with return an incorrect result in the ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go has an unknown impact and attack vector....
5.3CVSS
6.3AI Score
0.001EPSS
Security Bulletin: A vulnerability in containerd affects Data Replication on Cloud Pak for Data
Summary A vulnerability in the containerd package has been addressed. Vulnerability Details ** CVEID: CVE-2022-23471 DESCRIPTION: **containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request, a remote authenticated attacker...
6.5CVSS
6.4AI Score
0.001EPSS
Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components
Impact We have identified a Cross-Site Scripting (XSS) vulnerability within certain React components related to community members in the Invenio-Communities module. This vulnerability enables a user to inject a script tag into the Affiliations field during the account registration process. The...
5.8AI Score
Security Bulletin: IBM MQ is vulnerable to a privilege escalation attack (CVE-2024-31912)
Summary IBM MQ has addressed a privilege escalation vulnerability. Vulnerability Details CVEID: CVE-2024-31912 DESCRIPTION: IBM MQ could allow an authenticated user to escalate their privileges under certain configurations due to incorrect privilege assignment. CVSS Base score: 7.5 CVSS Temporal...
7.5CVSS
6.5AI Score
0.0004EPSS
AIX is affected by a denial of service due to Python (CVE-2024-0450)
IBM SECURITY ADVISORY First Issued: Mon Jun 24 15:07:51 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/python_advisory10.asc Security Bulletin: AIX is affected by a denial of service due to Python (CVE-2024-0450)...
6.2CVSS
6.8AI Score
0.0005EPSS