Moderate: resource-agents security and bug fix update
The resource-agents packages provide the Pacemaker and RGManager service managers with a set of scripts. These scripts interface with several services to allow operating in a high-availability (HA) environment. Security Fix(es): urllib3: Request body not stripped after redirect from 303 status...
5.9CVSS
6.4AI Score
0.001EPSS
WPMobile.App — Android and iOS Mobile Application < 11.42 - Reflected Cross-Site Scripting
Description The WPMobile.App — Android and iOS Mobile Application plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 11.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
7.1CVSS
6.1AI Score
0.0004EPSS
Moderate: fence-agents security and bug fix update
The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es): urllib3: Request body not stripped after redirect from 303 status...
6.1CVSS
6.9AI Score
0.001EPSS
This High severity org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability was introduced in versions 7.21.0, 8.9.0, 8.13.0, 8.14.0, 8.15.0, and 8.16.0 of Bitbucket Data Center and Server. This org.apache.tomcat.embed:tomcat-embed-core Dependency vulnerability, with a CVSS Score of 7.5.....
7.5CVSS
6.7AI Score
0.005EPSS
DoS (Denial of Service) org.json:json Dependency in Bitbucket Data Center and Server
This High severity org.json:json Dependency vulnerability was introduced in versions 7.17.0, 7.21.15, 8.9.4, 8.13.0, 8.14.0, and 8.15.0 of Bitbucket Data Center and Server. This org.json:json Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
7.5CVSS
6.7AI Score
0.001EPSS
Moderate: kernel-rt security and bug fix update
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es): For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer...
9.8CVSS
7AI Score
EPSS
This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.springframework.security:spring-security-core Dependency vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...
8.2CVSS
6.6AI Score
0.0004EPSS
Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin
Summary Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at....
5.9CVSS
6.5AI Score
0.963EPSS
Description The Image Hover Effects for Elementor with Lightbox and Flipbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_id', 'oxi_addons_f_title_tag', and 'content_description_tag' parameters in all versions up to, and including, 3.0.2 due to insufficient input...
6.4CVSS
5.8AI Score
0.0004EPSS
DoS (Denial of Service) com.google.code.gson:gson Dependency in Crucible Data Center and Server
This High severity com.google.code.gson:gson Dependency vulnerability was introduced in version 4.8.0 of Crucible Data Center and Server. This com.google.code.gson:gson Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an...
7.7CVSS
6.8AI Score
0.002EPSS
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege...
5.5CVSS
6.7AI Score
0.0004EPSS
Himer - Social Questions and Answers < 2.1.1 - Arbitrary Group Joining via CSRF
Description The theme does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack PoC The PoC will be displayed on June 26, 2024, to give users the time to...
6.4AI Score
EPSS
SQLi (SQL Injection) org.postgresql:postgresql Dependency in Jira Software Data Center and Server
This Critical severity org.postgresql:postgresql Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, and 9.14.0 of Jira Software Data Center and Server. Jira Software Data Center is unaffected by.....
10CVSS
9.7AI Score
0.001EPSS
Exploit for Out-of-bounds Read in Adobe Bridge
Exploit for CVE-2021-44168 Purpose Exploit CVE-2021-44168...
3.3CVSS
6.2AI Score
0.001EPSS
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege...
5.5CVSS
6.7AI Score
0.0004EPSS
Gutenberg Blocks and Page Layouts – Attire Blocks < 1.9.3 - Missing Authorization
Description The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disable_fe_assets function in all versions up to, and including, 1.9.2. This makes it possible for authenticated...
4.3CVSS
6.5AI Score
0.0004EPSS
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 that are used by Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities).....
5.9CVSS
6.1AI Score
0.0004EPSS
LNbits improperly handles potential network and payment failures when using Eclair backend
Summary Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight. Details Using blocking: true on the API call will lead to a timeout error if a payment does not get settled in the 30s....
8.1CVSS
6.7AI Score
0.0004EPSS
silverstripe/framework's URL parameters `isDev` and `isTest` unguarded
The URL parameters isDev and isTest are accessible to unauthenticated users who access a SilverStripe website or application. This allows unauthorised users to expose information that is usually hidden on production environments such as verbose errors (including backtraces) and other debugging...
6.9AI Score
Sourcecodester Hotel and Lodge Management System 2.0 - SQL Injection
Sourcecodester Hotel and Lodge Management System 2.0 contains a SQL injection vulnerability via the email parameter to the edit page for Customer, Room, Currency, Room Booking Details, or Tax Details. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...
9.8CVSS
9.9AI Score
0.002EPSS
WordPress Quiz and Survey Master <7.1.14 - Cross-Site Scripting
WordPress Quiz and Survey Master plugin prior to 7.1.14 contains a cross-site scripting vulnerability which allows a remote attacker to inject arbitrary script via unspecified...
6.1CVSS
5.9AI Score
0.002EPSS
Important: python39:3.9 and python39-devel:3.9 security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security...
7.8CVSS
6.6AI Score
EPSS
Important: python39:3.9 and python39-devel:3.9 security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security...
7.8CVSS
6.4AI Score
EPSS
Unencrypted traffic between nodes when using IPsec and L7 policies
Impact In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies: Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent...
6.1CVSS
7AI Score
0.0004EPSS
K000139898: PyYAML vulnerabilities CVE-2020-1747 and CVE-2020-14343
Security Advisory Description CVE-2020-1747 A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use...
9.8CVSS
7.5AI Score
0.006EPSS
silverstripe/framework's URL parameters `isDev` and `isTest` unguarded
The URL parameters isDev and isTest are accessible to unauthenticated users who access a SilverStripe website or application. This allows unauthorised users to expose information that is usually hidden on production environments such as verbose errors (including backtraces) and other debugging...
6.9AI Score
ConfD CLI Privilege Escalation and Arbitrary File Read and Write Vulnerabilities
Multiple vulnerabilities in the ConfD CLI could allow an authenticated, low-privileged, local attacker to read and write arbitrary files as root or elevate privileges to root on the underlying operating system. For more information about these vulnerabilities, see the Details ["#details"] section.....
6.5AI Score
0.0004EPSS
WordPress Shortcodes and Extra Features for Phlox <2.9.8 - Cross-Site Scripting
WordPress Shortcodes and extra features plugin for the Phlox theme before 2.9.8 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response. An attacker can inject arbitrary script in the browser of an unsuspecting...
6.1CVSS
6.1AI Score
0.001EPSS
Intel BIOS Guard and PPAM Firmware May 2024 Security Update
Intel has informed HP of potential security vulnerabilities in some Intel® BIOS Guard and Platform Properties Assessment Module (PPAM) firmware, which might allow escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerabilities. Intel has released updates...
7.2CVSS
7.6AI Score
0.0004EPSS
Sourcecodester Online Event Booking and Reservation System 2.3.0 - Cross-Site Scripting
Sourcecodester Online Event Booking and Reservation System 2.3.0 contains a cross-site scripting vulnerability in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user...
4.3CVSS
4.3AI Score
0.001EPSS
Unencrypted traffic between nodes when using WireGuard and L7 policies
Impact In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes. Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy...
6.1CVSS
7.2AI Score
0.0004EPSS
Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an...
8.4CVSS
6.8AI Score
0.0004EPSS
Exploit for Download of Code Without Integrity Check in Fortinet Fortios
Exploit for CVE-2021-44168 Purpose Exploit CVE-2021-44168...
7.8CVSS
7.4AI Score
0.001EPSS
In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...
5.5CVSS
6.6AI Score
0.0004EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to...
5.4CVSS
6.2AI Score
0.0004EPSS
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to...
6.1CVSS
6.2AI Score
0.0005EPSS
Description The Gallery – Image and Video Gallery with Thumbnails plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it.....
8.5CVSS
7.2AI Score
0.0004EPSS
9.8CVSS
9.5AI Score
0.002EPSS
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
Summary By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click)....
7.1CVSS
7.1AI Score
0.001EPSS
In setImpl of AlarmManagerService.java, there is a possible way to put a device into a boot loop due to an uncaught exception. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...
5.5CVSS
6.3AI Score
0.0004EPSS
Description The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social share block in all versions up to, and including, 8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes....
6.5CVSS
5.9AI Score
0.0004EPSS
Launcher puts IApplicationThread inside ActivityOptions and it may be sent to launched app
In setOptions of ActivityRecord.java, there is a possible load any arbitrary Java code into launcher process due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...
7.8CVSS
7.4AI Score
0.0004EPSS
This High severity net.sourceforge.nekohtml:nekohtml Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, and 9.9.0 of Jira Software Data Center and Server. This net.sourceforge.nekohtml:nekohtml Dependency vulnerability, with a CVSS...
7.5CVSS
7AI Score
0.002EPSS
Himer - Social Questions and Answers < 2.1.1 - Multiple CSRF on the Group Section
Description The theme does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group PoC The PoC will be displayed on June 26, 2024, to give users...
6.5AI Score
EPSS
Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR
Description The plugin allows any authenticated user to join a private group due to a missing authorization check on a function PoC The PoC will be displayed on June 26, 2024, to give users the time to...
6.3AI Score
EPSS
Himer - Social Questions and Answers < 2.1.1 - Bypass Poll Voting Restrictions via CSRF
Description The theme does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to via a CSRF attack PoC The PoC will be displayed on June 26, 2024, to give users the time to...
6.4AI Score
EPSS
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 7.21.0, 8.9.0 and 8.13.0 of Bitbucket Data Center and Server. This org.xerial.snappy:snappy-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
7.5CVSS
6.9AI Score
0.001EPSS
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
This High severity org.xerial.snappy:snappy-java Dependency vulnerability was introduced in versions 7.21.0, 8.9.0 and 8.13.0 of Bitbucket Data Center and Server. This org.xerial.snappy:snappy-java Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
7.5CVSS
6.7AI Score
0.001EPSS
RCE (Remote Code Execution) in Bitbucket Data Center and Server - CVE-2022-1471
h2. Summary of Vulnerability Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) Atlassian Cloud sites are not affected by this vulnerability. If your site is...
9.8CVSS
6.8AI Score
0.022EPSS
Stack overflow and use-after-free in HTTP/3
Stack overflow and use-after-free in HTTP/3 Severity: medium CVE-2024-31079 Not vulnerable: 1.27.0+, 1.26.1+ Vulnerable: 1.25.0-1.25.5,...
4.8CVSS
7.5AI Score
0.0004EPSS