mediawiki/core is vulnerable to Improper Access Control. The vulnerability is due to the absence of a .htaccess file which is required to protect some directories from web access, potentially allowing attackers to access sensitive files and directories that shouldn't be web...
CVSS 5.3 | AI Score 6.5 | EPSS 0.002
design-reuse.com Cross Site Scripting vulnerability OBB-3860946
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.2
Missing Access Check in TYPO3 CMS
Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to...
AI Score 7.9
Magento Server Mass Importer - Cross-Site Scripting
Magento Server Mass Importer plugin contains multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to...
AI Score 6 | EPSS 0.001
RHEL 7 / 8 : Red Hat JBoss Web Server 5.5.1 Security Update (Important) (RHSA-2021:3741)
The remote Red Hat Enterprise Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:3741 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the...
CVSS 7.5 | AI Score 7.7 | EPSS 0.005
RHEL 7 / 8 : Red Hat JBoss Web Server 5.4.1 Security Update (Moderate) (RHSA-2021:0494)
The remote Red Hat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0494 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of...
CVSS 7.5 | AI Score 6.9 | EPSS 0.004
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt van Andel Adventure Journal allows Stored XSS.This issue affects Adventure Journal: from n/a through...
CVSS 6.5 | AI Score 6.7 | EPSS 0.0004
D-Link DNS-320 - Remote Code Execution
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command...
CVSS 9.8 | AI Score 9.7 | EPSS 0.976
RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.4 security (Moderate) (RHSA-2020:5170)
The remote Red Hat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:5170 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the...
CVSS 7.5 | AI Score 7.8 | EPSS 0.002
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin...
CVSS 8.8 | EPSS 0.0004
Important: webkit2gtk3 security update
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fix(es): webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-40414) webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42852) webkitgtk:...
CVSS 9.8 | AI Score 8.2 | EPSS 0.017
CVE-2024-35187 Stalwart Mail Server has privilege escalation by design
Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, attackers who achieved Arbitrary Code Execution as the stalwart-mail user (including web interface admins) can gain complete root access to the system. Usually, system services are run as a separate user (not as root) to...
CVSS 9.1 | AI Score 7.4 | EPSS 0.0004
RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.2 security (Important) (RHSA-2019:3929)
The remote Red Hat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3929 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised...
CVSS 5.9 | AI Score 8.1 | EPSS 0.974
Insecure wildcard CORS policy in github.com/rs/cors
The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security...
CVSS 5.9 | AI Score 5.8 | EPSS 0.001
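The design point behind the rs/cors entry is that "allow any origin" and "echo whatever Origin the request carried" are not the same policy: the literal `*` is something browsers refuse to pair with credentials, whereas a reflected origin is accepted with cookies attached. The following is an added example in Python (my code, not rs/cors and not Go) that models both behaviours side by side; the `CorsPolicy` type, the function names and the example origins are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

Headers = Dict[str, str]


@dataclass
class CorsPolicy:
    # Exact origins such as "https://app.example", or {"*"} for the wildcard.
    allowed_origins: Set[str]
    allow_credentials: bool = False


def cors_headers_reflecting(policy: CorsPolicy, origin: Optional[str]) -> Headers:
    """The faulty pattern: a wildcard policy is implemented by echoing the
    request's Origin header back verbatim. Every site is now an allowed
    origin, and with credentials enabled the browser will attach cookies."""
    if origin is None:
        return {}
    if "*" in policy.allowed_origins or origin in policy.allowed_origins:
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if policy.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    return {}


def cors_headers_safe(policy: CorsPolicy, origin: Optional[str]) -> Headers:
    """Wildcard means the literal '*', which browsers refuse to pair with
    credentials; a specific origin is echoed only after an exact match."""
    if origin is None:
        return {}
    if "*" in policy.allowed_origins:
        # No Allow-Credentials here on purpose: '*' plus credentials is
        # rejected by browsers, so there is nothing to gain by emitting it.
        return {"Access-Control-Allow-Origin": "*"}
    if origin in policy.allowed_origins:
        # Vary: Origin keeps a shared cache from serving this per-origin
        # answer to a different origin.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if policy.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers
    return {}


def validate_policy(policy: CorsPolicy) -> None:
    """Fail closed at startup instead of quietly widening the policy later."""
    if "*" in policy.allowed_origins and policy.allow_credentials:
        raise ValueError("wildcard origin cannot be combined with credentials")
    for origin in policy.allowed_origins:
        if origin != "*" and ("://" not in origin or origin.endswith("/")):
            raise ValueError(f"origin must be scheme://host[:port], no path: {origin!r}")
```

The exact-match branch is the only place an origin is ever echoed, and it is the only place `Access-Control-Allow-Credentials` is ever set. When auditing a CORS layer, the question to ask is whether any code path can produce a reflected origin together with credentials for an origin that was never listed explicitly.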
Cargo downloads a Rust project’s dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrary....
CVSS 6.1 | AI Score 7.4 | EPSS 0.001
PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and AppInfo.ini (on...
CVSS 9.6 | AI Score 9.4 | EPSS 0.0004
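The PWAsForFirefox entry is a line-injection bug: a manifest field that is allowed to contain a newline becomes a second key in a key=value file, and `Exec=` is the key an attacker wants. The following is an added example in Python (not PWAsForFirefox's code, which is Rust) that renders a minimal XDG desktop entry from an untrusted name, shows the injected `Exec` line taking effect, and then applies the check that closes it. The launcher command, the hostile manifest name and the toy parser are all constructed for the illustration.

```python
import re
from typing import Dict

# Assumed launcher command for the example; the real installer's command
# line is not something the advisory states.
LAUNCHER = "/usr/bin/pwa-launch --site 01HZX"

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed hostile manifest name: a line break followed by a second Exec key.
HOSTILE_NAME = "Notes\nExec=sh -c 'id > /tmp/pwned'"


def render_desktop_entry(name: str, comment: str, exec_cmd: str) -> str:
    """Build a minimal .desktop file. Values go in verbatim, which is the bug
    when `name` and `comment` come from a web app's manifest."""
    lines = [
        "[Desktop Entry]",
        "Type=Application",
        f"Exec={exec_cmd}",
        f"Name={name}",
        f"Comment={comment}",
    ]
    return "\n".join(lines) + "\n"


def sanitize_value(value: str) -> str:
    """The Desktop Entry Specification forbids control characters in string
    values. Fold line breaks to a space, then drop any other control
    character, so one manifest field can never become a second key."""
    value = value.replace("\r\n", " ").replace("\r", " ").replace("\n", " ")
    return _CONTROL_CHARS.sub("", value).strip()


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Toy parser for the [Desktop Entry] group. It keeps the last value for
    a duplicated key; real consumers differ, but whichever copy they pick,
    the file no longer says what the installer meant."""
    entry: Dict[str, str] = {}
    group = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group == "Desktop Entry" and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry


if __name__ == "__main__":
    raw = render_desktop_entry(HOSTILE_NAME, "Take notes", LAUNCHER)
    print("unsanitized Exec:", parse_desktop_entry(raw)["Exec"])
    safe = render_desktop_entry(sanitize_value(HOSTILE_NAME), "Take notes", LAUNCHER)
    print("sanitized Exec:  ", parse_desktop_entry(safe)["Exec"])
```

The same rule applies to every other manifest-derived value written to the file, including the per-shortcut `[Desktop Action ...]` groups and the Windows `AppInfo.ini` case the advisory mentions: any format that separates records by line breaks needs line breaks stripped from every untrusted value before it is written.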
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing....
CVSS 8.7 | AI Score 8.5 | EPSS 0.0004
An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf.....
CVSS 8.7 | AI Score 8.4 | EPSS 0.0004
K000139553: VPN TunnelVision vulnerability CVE-2024-3661
Security Advisory Description By design, the DHCP protocol does not authenticate messages, including for example the classless static route option (121). An attacker with the ability to send DHCP messages can manipulate routes to redirect VPN traffic, allowing the attacker to read, disrupt, or...
CVSS 7.6 | AI Score 7.5 | EPSS 0.0005
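The TunnelVision advisory turns on DHCP option 121, the classless static route option from RFC 3442. What makes it effective is that a DHCP client installs the pushed routes on the physical interface, where two /1 prefixes are more specific than the VPN's tunnel default route and therefore win. The following is an added example in Python (my code, not F5's and not part of any DHCP client) that decodes an option 121 payload and flags the case where the pushed prefixes jointly cover every destination; the two payloads are constructed byte strings, not captured traffic, and the addresses in them are invented.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample payloads (not captured traffic). The hostile one is the
# textbook TunnelVision push: two /1 routes that together cover every IPv4
# destination, each via a next hop the attacker controls on the LAN.
HOSTILE_OPTION_121 = bytes([
    1, 0x00, 10, 0, 0, 1,      # 0.0.0.0/1   via 10.0.0.1
    1, 0x80, 10, 0, 0, 1,      # 128.0.0.0/1 via 10.0.0.1
])
BENIGN_OPTION_121 = bytes([
    24, 192, 168, 1, 192, 168, 1, 1,   # 192.168.1.0/24 via 192.168.1.1
])


def decode_option_121(data: bytes) -> List[Route]:
    """Decode DHCP option 121 (RFC 3442 classless static routes).

    Each descriptor is: 1 byte prefix length, then only the significant
    octets of the destination (ceil(len/8) of them), then a 4-byte router.
    """
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"prefix length {width} out of range")
        n_octets = (width + 7) // 8
        end = i + 1 + n_octets + 4
        if end > len(data):
            raise ValueError("truncated route descriptor")
        dest_octets = data[i + 1:i + 1 + n_octets].ljust(4, b"\x00")
        router = ipaddress.IPv4Address(data[i + 1 + n_octets:end])
        # strict=False: a hostile server may set bits beyond the prefix length;
        # the network address is what the client would actually install.
        dest = ipaddress.IPv4Network((int.from_bytes(dest_octets, "big"), width),
                                     strict=False)
        routes.append((dest, router))
        i = end
    return routes


def covers_all_destinations(routes: List[Route]) -> bool:
    """True when the pushed prefixes jointly match every IPv4 destination.

    That is the TunnelVision signature: installed on the physical interface,
    these routes are more specific than the VPN's tunnel default route, so
    nothing is left for the tunnel to carry.
    """
    merged = list(ipaddress.collapse_addresses(net for net, _ in routes))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]


def describe(routes: List[Route]) -> List[str]:
    return [f"{net} via {gw}" for net, gw in routes]


if __name__ == "__main__":
    for label, blob in (("hostile", HOSTILE_OPTION_121), ("benign", BENIGN_OPTION_121)):
        routes = decode_option_121(blob)
        print(label, describe(routes), "covers everything:", covers_all_destinations(routes))
```

Two caveats worth keeping in mind when reading option 121 data: RFC 3442 tells a client that receives option 121 to ignore the plain Router option (3), so a single 0.0.0.0/0 descriptor also replaces the default gateway; and the full-coverage check above is only the loudest variant, since a narrower prefix aimed at one destination diverts just that traffic and will not trip it.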
The version of Remote Desktop Web Access running on the remote host has a reflected cross-site scripting vulnerability. Input to the 'ReturnUrl' parameter of login.aspx is not properly sanitized. A remote attacker could exploit this by tricking a user into requesting a maliciously crafted URL,...
AI Score 6.4 | EPSS 0.817
Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting
Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web...
CVSS 6.1 | AI Score 6.2 | EPSS 0.301
CVE-2024-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface on Panorama appliances. This enables the impersonation of another authenticated...
CVSS 6.8 | AI Score 6.2 | EPSS 0.0004
Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0, when an attacker has physical access to an unlocked device, they may enable the integration into the iOS Files app and bypass the Nextcloud pin/password protection and gain...
CVSS 6.8 | AI Score 6.7 | EPSS 0.001
The Campbell Scientific CSI Web Server stores web authentication credentials in a file with a specific file name. Passwords within that file are stored in a weakly encoded format. There is no known way to remotely access the file unless it has been manually renamed. However, if an attacker were to....
AI Score 6.7 | EPSS 0.0004
Schneider Electric InduSoft Web Studio / InTouch Machine Edition < 8.1 RCE
The Schneider Electric InduSoft Web Studio (IWS) or InTouch Machine Edition (ITME) running on the remote host is affected by a remote code execution vulnerability due to a stack overflow condition when handling tag subscription. An unauthenticated, remote attacker can exploit this issue, via a...
CVSS 9.8 | AI Score 2 | EPSS 0.012
Joomla! Component PicSell 1.0 - Arbitrary File Retrieval
A directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to...
AI Score 6.6 | EPSS 0.021
An update is available for webkit2gtk3. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. WebKitGTK is the port of the portable web rendering engine WebKit to the...
CVSS 9.8 | AI Score 8.3 | EPSS 0.017
DCP-Portal <= 5.3.2 Multiple Vulnerabilities - Active Check
DCP-Portal is prone to multiple...
AI Score 6.4 | EPSS 0.078
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via....
CVSS 4.2 | AI Score 1.5 | EPSS 0.97
Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic...
CVSS 6.1 | EPSS 0.0004
Breach Forums Plans Dark Web Return This Week Despite FBI Crackdown
By Waqas The strange and tricky world of cybercrime and the dark web is getting stranger and trickier! This is a post from HackRead.com Read the original post: Breach Forums Plans Dark Web Return This Week Despite FBI...
AI Score 7.3
AChecker 1.5 allows remote attackers to read the contents of arbitrary files via the download.php path parameter by using Unauthenticated Path Traversal. This occurs through readfile in PHP. NOTE: This vulnerability only affects products that are no longer supported by the...
AI Score 6.7 | EPSS 0.0004
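The Joomla! PicSell entry (a `..` sequence in the `dflink` parameter) and the AChecker entry (an unauthenticated `path` parameter handed to `readfile`) are the same bug: a request parameter is joined onto a base directory and the result is opened without checking where it landed. The following is an added example in Python (my code, not from either project, which are PHP) showing the vulnerable join, the common `startswith` non-fix, and a check that actually confines the path; the download root and the file names are assumptions for the illustration.

```python
import os

# Assumed download root for the example; neither advisory names the real one.
DOWNLOAD_ROOT = "/srv/app/downloads"


def vulnerable_path(base_dir: str, user_path: str) -> str:
    """What the affected code effectively does: trust the parameter and hand
    the joined path to the file reader. '..' walks out of base_dir, and an
    absolute user_path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, user_path)


def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    """A common but insufficient fix: a string-prefix test lets
    '/srv/app/downloads_old/...' pass for base '/srv/app/downloads'."""
    return os.path.realpath(os.path.join(base_dir, user_path)).startswith(base_dir)


def resolve_under(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir and refuse anything that escapes.

    realpath collapses '.', '..' and symlinks; commonpath then requires the
    result to sit at or below base_dir as a whole path component, not as a
    string prefix. user_path must already be URL-decoded by the caller.
    """
    if "\x00" in user_path:
        # C-level file APIs stop at the first NUL, so 'a.pdf\x00.txt' would
        # open 'a.pdf' while any extension check saw '.txt'.
        raise ValueError("embedded NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under for use in request handlers."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except (PermissionError, ValueError):
        # ValueError also covers commonpath on different Windows drives.
        return False


if __name__ == "__main__":
    for p in ("report.pdf", "../../../etc/passwd", "/etc/passwd", "../downloads_old/x"):
        print(f"{p!r:32} join -> {vulnerable_path(DOWNLOAD_ROOT, p):40} safe={is_safe_path(DOWNLOAD_ROOT, p)}")
```

The `commonpath` comparison is the part that matters: it compares path components, so a sibling directory that merely shares a name prefix with the base is rejected, which is exactly the case `startswith` gets wrong. Decoding happens before this check, so encoded variants such as `%2e%2e%2f` are handled by the web framework's parameter decoding, not here.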
Alert Before Your Post <= 0.1.1 - Cross-Site Scripting
A cross-site scripting vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name...
AI Score 6 | EPSS 0.002
Improper Input Validation in Apache Spark
Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A...
CVSS 7.5 | AI Score 1.2 | EPSS 0.003
Eventum <3.4.0 - Open Redirect
Eventum before 3.4.0 contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001
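An open redirect such as the Eventum entry is fixed by validating the target before the `Location` header is written, and the validation has to survive the tricks browsers accept that URL parsers do not. The following is an added example in Python (my code, not Eventum's, which is PHP) of an allow-list check for a return-URL parameter; the trusted host names and the test targets are assumptions for the illustration, and the same check applies to any parameter that decides where a user is sent after an action.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Assumed hosts the application is willing to send users to (example only).
TRUSTED_HOSTS = {"app.example", "accounts.app.example"}


def is_safe_redirect(target: str, trusted_hosts: Iterable[str] = TRUSTED_HOSTS) -> bool:
    """Allow-list check for a post-login / return-URL parameter.

    Accepts a same-site path starting with a single '/', or an absolute
    http(s) URL whose host is on the allow-list. Everything else is refused,
    including the usual bypasses: protocol-relative '//host', backslashes
    that browsers read as slashes, userinfo '@' confusion, control
    characters, and non-http schemes such as javascript:.
    """
    if not target:
        return False
    # Browsers strip or reinterpret control characters and whitespace, and
    # urlsplit quietly drops some of them too, so refuse them before parsing.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat '\' as '/' in URLs; urlsplit does not, so '/\evil' would
    # parse as a local path here but navigate off-site in the browser.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False
        # hostname is the part after any userinfo '@', so
        # 'https://app.example@evil.example/' resolves to evil.example here.
        return bool(parts.hostname) and parts.hostname in trusted_hosts
    if parts.netloc:
        # '//evil.example/x': scheme-relative, the host is attacker-chosen.
        return parts.hostname in trusted_hosts
    # Relative target: a single leading '/' keeps it on this site. Bare
    # relative paths such as 'account' are refused rather than guessed at.
    return target.startswith("/") and not target.startswith("//")


def redirect_target(requested: str, fallback: str = "/") -> str:
    """What a handler should actually use: the requested URL if it passes,
    otherwise a fixed safe default."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for t in ("/account", "//evil.example/phish", "https://app.example@evil.example/",
              "javascript:alert(1)", "/\\evil.example"):
        print(f"{t!r:40} -> {redirect_target(t)}")
```

The backslash and control-character rules are deliberately blunt: a legitimate return URL never needs either, and refusing them up front avoids arguing with every parser/browser disagreement individually.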
Django vulnerable to Denial of Service via i18n middleware component
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large.....
AI Score 6.7 | EPSS 0.11
BEA WebLogic Management Servlet Multiple Vulnerabilities (BEA03-28)
BEA WebLogic is prone to multiple vulnerabilities in a management...
AI Score 6.9 | EPSS 0.083
23-Year-Old Arrested for Running 100M Incognito Dark Web Market
By Waqas DOJ announces arrest of Rui-Siang Lin, accused of running Incognito Market, a dark web hub facilitating $100M+ in… This is a post from HackRead.com Read the original post: 23-Year-Old Arrested for Running 100M Incognito Dark Web...
AI Score 7.4
[SECURITY] Fedora 39 Update: chromium-126.0.6478.126-1.fc39
Chromium is an open-source web browser, powered by WebKit...
AI Score 6.6 | EPSS 0.0004
According to its self-reported version, the remote Cisco Firepower Threat Defense Software is affected by a denial of service (DoS) vulnerability, due to incomplete error checking when parsing HTTP headers. An unauthenticated, remote attacker can exploit this issue, via specially crafted HTTP...
CVSS 8.6 | AI Score 8.7 | EPSS 0.002
According to its self-reported version, the remote Cisco ASA Software is affected by a denial of service (DoS) vulnerability, due to incomplete error checking when parsing HTTP headers. An unauthenticated, remote attacker can exploit this issue, via specially crafted HTTP request, to cause the...
CVSS 8.6 | AI Score 8.7 | EPSS 0.002