F5 Networks, Inc. Security Vulnerabilities

CVE-2023-23900

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in YIKES, Inc. Easy Forms for Mailchimp plugin <= 6.8.8...

CVE-2021-4244

A vulnerability classified as problematic has been found in yikes-inc-easy-mailchimp-extender Plugin up to 6.8.5. This affects an unknown part of the file admin/partials/ajax/add_field_to_form.php. The manipulation of the argument field_name/merge_tag/field_type/list_id leads to cross site...

CVE-2023-4925

The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is...

CVE-2023-1323

The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape some of its from parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite.....

CVE-2023-1324

The Easy Forms for Mailchimp WordPress plugin before 6.8.8 does not sanitise and escape some parameters before outputting them back in the response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2023-1325

The Easy Forms for Mailchimp WordPress plugin before 6.8.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVE-2023-2518

The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

VMware Aria Operations for Networks - Remote Code Execution

Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code...

Exploit for Use of a Broken or Risky Cryptographic Algorithm in Vmware Aria Operations For Networks

CVE-2023-34039 POC for CVE-2023-34039 VMWare Aria Operations...

VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability

Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information...

Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting

PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...

CVE-2024-22238

Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input...

Palo Alto Networks PAN-OS GlobalProtect <8.1.4 - Cross-Site Scripting

Palo Alto Networks PAN-OS before 8.1.4 GlobalProtect Portal Login page allows an unauthenticated attacker to inject arbitrary JavaScript or HTML, making it vulnerable to cross-site...

Extreme Networks ExtremeXOS Detection

Extreme Networks ExtremeXOS was detected on the remote...

Data exfiltration from internal networks in github.com/docker/docker

dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative...

CVE-2023-38698

Ethereum Name Service (ENS) is a distributed, open, and extensible naming system based on the Ethereum blockchain. According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the...

NextScripts: Social Networks Auto-Poster < 4.4.4 - Subscriber+ Sensitive Information Exposure

Description The plugin is vulnerable to Sensitive Information Exposure via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and...

Extreme Networks ExtremeXOS Web Detection

The web interface for Extreme Networks ExtremeXOS was detected on the remote. Note that HTTP form credentials are required to retrieve version...

Arista Networks EOS DoS (SA0087)

On affected platforms running Arista EOS, a malformed DHCP packet might cause the DHCP relay agent to restart. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...

Exploit for CVE-2023-38831

CVE-2023-38831 PoC (Proof Of Concept) This is an easy to use...

inc-conso.fr Cross Site Scripting vulnerability OBB-3872425

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

Arista Networks EOS Memory Exhaustion (SA0084)

On affected platforms running Arista EOS with SNMP configured and the snmpd process is running, a specially crafted SNMP packet can cause a memory leak in the snmpd process. This may result in the snmpd processing being terminated (causing SNMP requests to time out until snmpd is automatically...

CVE-2017-17688

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an...

Exploit for Use After Free in Linux Linux Kernel

CVE-2022-2586-LPE LPE N-day Exploit for...

NextScripts: Social Networks Auto-Poster < 4.4.4 - Cross-Site Request Forgery to Arbitrary Post Deletion

Description The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.3. This is due to missing or incorrect nonce validation on the nxssnap-reposter page. This makes it possible for unauthenticated...

NextScripts: Social Networks Auto-Poster < 4.4.4 - Unauthenticated Stored Cross-Site Scripting via User Agent

Description The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP_USER_AGENT header in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for...

F5 Networks BIG-IP : glibc vulnerability (K47098834)

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers.....

F5 Networks BIG-IP : Kernel vulnerability (K62442245)

The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK...

CVE-2023-28842

Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker. Swarm Mode, which.....

CVE-2023-28841

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker. Swarm Mode, which...

CVE-2024-0552 Intumit inc. SmartRobot - Remote Code Execution

Intumit inc. SmartRobot's web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote...

F5 Networks BIG-IP : libxml2 vulnerability (K000139592)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000139592 advisory. An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document,...

Palo Alto Networks PAN-OS CVE-2024-3400

The version of Palo Alto Networks PAN-OS running on the remote host is affected by a command injection vulnerability as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature...

Palo Alto Networks PAN-OS VPN Enabled Detection

VPN is enabled on the remote Palo Alto...

F5 Networks BIG-IP : GSON vulnerability (K00994461)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K00994461 advisory. The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the...

F5 Networks BIG-IP : VPN TunnelVision vulnerability (K000139553)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000139553 advisory. By design, the DHCP protocol does not authenticate messages, including for example the classless static route...

F5 Networks BIG-IP : libxml2 vulnerability (K000139594)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000139594 advisory. An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table...

F5 Networks BIG-IQ Configuration Utility Login Page Detection

The configuration utility login page for F5 Networks BIG-IQ was detected on the remote host. BIG-IQ is a product for managing BIG-IP...

F5 Networks BIG-IP : Oracle Java SE vulnerability (K73112451)

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX....

Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass

...

F5 Networks BIG-IP : PyYAML vulnerability (K000139901)

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000139901 advisory. In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load()...

CVE-2023-28840

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby, is commonly referred to as Docker. Swarm Mode, which.....

CVE-2024-2088 NextScripts: Social Networks Auto-Poster <= 4.4.3 - Authenticated(Subscriber+) Sensitive Information Exposure

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract...

Arista Networks Device Detection

Nessus was able to obtain version information for an Arista Networks device via an SSH login or by examining SNMP services running on the...

Exploit for SQL Injection in Microsoft

nate158 https://t.me/Nate158digimon gcloud compute addresses...

F5 Networks BIG-IP : XML vulnerability (K03244804)

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. (CVE-2017-9233) Impact BIG-IP Administrative interfaces, such as iControl SOAP, are...

F5 Networks BIG-IP Edge Client Component Installer Installed (Windows)

Detects F5 Networks BIG-IP Edge Client Component Installer on the remote Windows...

CVE-2024-2088

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract...

CVE-2024-1762 NextScripts: Social Networks Auto-Poster <= 4.4.3 - Unauthenticated Stored Cross-Site Scripting via User Agent

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP_USER_AGENT header in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers....

Exploit for Command Injection in Vmware Vrealize Network Insight

CVE-2023-20887 POC for CVE-2023-20887 VMWare Aria Operations...