JVN#54451757: Multiple vulnerabilities in SKYSEA Client View
SKYSEA Client View provided by Sky Co.,LTD. is an Enterprise IT Asset Management Tool. SKYSEA Client View contains multiple vulnerabilities listed below. Improper access control in the specific folder (CWE-284) - CVE-2024-21805 Version| Vector| Score ---|---|--- CVSS v3|...
7.8AI Score
0.0004EPSS
Malicious input can provoke XSS when preserving comments
Impact There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in....
6.1CVSS
6AI Score
0.0004EPSS
How to make a fake ID online, with Joseph Cox: Lock and Code S05E05
This week on the Lock and Code podcast… For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents. In 2024, that's changed, as the...
7.2AI Score
In the Linux kernel, the following vulnerability has been resolved: serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls 'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the firmware don't...
7.2AI Score
0.0004EPSS
Impact There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file and also allow for certain tags at the same time. As a...
6.1CVSS
6AI Score
0.0004EPSS
OWASP.AntiSamy mXSS when preserving comments
Impact There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file and also allow for certain tags at the same time. As a...
6.1CVSS
6.2AI Score
0.001EPSS
Command Execution Vulnerability in Agile Controller of Huawei Technologies Co.
Agile Controller is an automation controller for a variety of industrial application scenarios. A command execution vulnerability exists in Agile Controller from Huawei Technologies, which can be exploited by an attacker to gain server...
7.5AI Score
Unbreakable Enterprise kernel security update
[5.15.0-204.147.6.2] - smb3: Replace smb2pdu 1-element arrays with flex-arrays (Kees Cook) [Orabug: 36353543] - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed (Shradha Gupta) [Orabug: 36358874] - hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove...
7.8CVSS
7.4AI Score
0.0004EPSS
Out-of-bounds Write vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel.....
7.8CVSS
7.7AI Score
0.001EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magic Hills Pty Ltd Wonder Slider Lite allows Reflected XSS.This issue affects Wonder Slider Lite: from n/a through...
6.1CVSS
6.9AI Score
0.0005EPSS
Out-of-bounds Write vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel.....
7.8CVSS
7.6AI Score
0.001EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magic Hills Pty Ltd Wonder Slider Lite allows Reflected XSS.This issue affects Wonder Slider Lite: from n/a through...
7.1CVSS
6.9AI Score
0.0005EPSS
Beijing Shenzhou Green Alliance Technology Co., Ltd. is an enterprise mainly engaged in science and technology promotion and application services. Ltd. Green Alliance WAF has a command execution vulnerability that can be exploited by attackers to execute arbitrary...
7.9AI Score
Huawei UTPS earlier than UTPS-V200R003B015D16SPC00C983 has an unquoted service path vulnerability which can lead to the truncation of UTPS service query paths. An attacker may put an executable file in the search path of the affected service and obtain elevated privileges after the executable file....
6.7CVSS
6.6AI Score
0.001EPSS
Administration Console authentication bypass in openfire xmppserver
An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community. Impact Openfire's administrative console (the Admin Console), a web-based application, was found to...
8.6CVSS
7AI Score
0.973EPSS
Apache Log4j allows insecure JNDI lookups
Overview Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j. CISA has published Apache Log4j Vulnerability Guidance and provides a Software List. Description The....
10CVSS
10AI Score
EPSS
Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below. Improper Authentication (CWE-287) - CVE-2024-21824 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N|...
7.6AI Score
0.0004EPSS
kernel security, bug fix, and enhancement update
[5.14.0-427.13.1_4.OL9] - Disable UKI signing [Orabug: 36571828] - Update Oracle Linux certificates (Kevin Lyons) - Disable signing for aarch64 (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237] - Update...
9.8CVSS
7.5AI Score
0.011EPSS
Data Leakage Protection (DLP) system is aimed at serving enterprises and institutions for data asset grooming and data security protection. Data Leakage Protection (DLP) system of Beijing Yisetong Technology Development Co., Ltd. has a SQL injection vulnerability, which can be exploited by...
7.8AI Score
7.4AI Score
0.0004EPSS
An issue in Q co ltd mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access...
5.4CVSS
7.1AI Score
0.0004EPSS
Generative AI Security - Secure Your Business in a World Powered by LLMs
Did you know that 79% of organizations are already leveraging Generative AI technologies? Much like the internet defined the 90s and the cloud revolutionized the 2010s, we are now in the era of Large Language Models (LLMs) and Generative AI. The potential of Generative AI is immense, yet it brings....
6.9AI Score
Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper memory processing operations to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn...
7CVSS
6.8AI Score
0.001EPSS
Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper memory processing operations to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn...
7CVSS
6.7AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in WebHost Automation Ltd Helm before 3.2.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors involving the default...
5.9AI Score
0.003EPSS
Cross-site scripting (XSS) vulnerability in WebHost Automation Ltd Helm before 3.2.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors involving the default...
5.6AI Score
0.003EPSS
The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data...
7.5CVSS
7.4AI Score
0.001EPSS
Ltd. ("HZD"), founded in 2003, is a high-tech company specializing in R&D, production and sales in the field of data security and big data. A command execution vulnerability exists in the Hopscotch Video Security Exchange Access System of Hangzhou Hopscotch Data Technology Co., Ltd, which can be...
7.5AI Score
The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data...
7.5CVSS
5.8AI Score
0.001EPSS
Airbnb scam sends you to a fake Tripadvisor site, takes your money
One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers. Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the.....
7.1AI Score
JVN#35928117: Protection mechanism failure in RevoWorks
RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. enable users to execute web browsers in the sandboxed environment isolated from the client's local environment. In the products, file exchange between the sandboxed environment and local environment is prohibited in...
6.9AI Score
0.0004EPSS
CloudMirror Network Asset Vulnerability Scanning System is a new generation of vulnerability risk management products independently developed by DeepSense, combining years of practical experience in vulnerability mining and security services, to help users check the vulnerability risks of assets...
7AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 6, 2024 to May 12, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 184 vulnerabilities disclosed in 146...
10CVSS
9.5AI Score
EPSS
Logic flaw vulnerability in vastbase of Beijing Massive Data Technology Co.
vastbase is a massive database. A logic flaw vulnerability exists in vastbase, which can be exploited by an attacker to bypass all dynamic desensitization policies by constructing special SQL statements to view the original data before...
7.5AI Score
Language Accessory Pack for Microsoft 365
Language Accessory Pack for Microsoft 365 Language packs add additional display, help, and proofing tools to Microsoft 365. You can install additional language accessory packs after installing Microsoft 365. If a language accessory pack is described as having partial localization, some parts of...
7AI Score
Siltronic Ltd. is an information service provider for disaster reduction and profitability in China. A logic flaw vulnerability exists in the integrated river management system of Sicron Technology Limited, which can be exploited by an attacker to bypass system authentication and...
7.1AI Score
Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ProMIS Process Co. InSCADA allows Account Footprinting.This issue affects inSCADA: before...
9.8CVSS
9.4AI Score
0.002EPSS
An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure...
6.7CVSS
6.7AI Score
0.0004EPSS
Graylog vulnerable to instantiation of arbitrary classes triggered by API request
Summary Arbitrary classes can be loaded and instantiated using a HTTP PUT request to the /api/system/cluster_config/ endpoint. Details Graylog's cluster config system uses fully qualified class names as config keys. To validate the existence of the requested class before using them, Graylog loads.....
8.8CVSS
7.6AI Score
0.001EPSS
Ransomware Double-Dip: Re-Victimization in Cyber Extortion
**Between crossovers - Do threat actors play dirty or desperate? ** In our dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack, we noticed that some victims re-occur. Consequently, the question arises why we observe a re-victimization and whether....
6.8AI Score
Ripple Co-Founder’s Personal XRP Wallet Breached in $112 Million Hack
By Deeba Ahmed Ripple’s co-founder Chris Larsen has acknowledged that his personal XRP wallet was hacked. This is a post from HackRead.com Read the original post: Ripple Co-Founder's Personal XRP Wallet Breached in $112 Million...
7.3AI Score
Franklin Fueling System EVO 550/5000
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Franklin Fueling System Equipment: EVO 550, EVO 5000 Vulnerability: Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read arbitrary...
7.5CVSS
7.6AI Score
0.0004EPSS
An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure...
6.7CVSS
6.4AI Score
0.0004EPSS
A GRE dataset file within Systems Manager can be tampered with and distributed to...
6.7CVSS
6.5AI Score
0.0004EPSS
About the security content of macOS Sonoma 14.4
About the security content of macOS Sonoma 14.4 This document describes the security content of macOS Sonoma 14.4. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are....
8.6CVSS
8.9AI Score
0.962EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magic Hills Pty Ltd Wonder Slider Lite allows Reflected XSS.This issue affects Wonder Slider Lite: from n/a through...
7.1CVSS
7.1AI Score
0.0005EPSS
China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws
A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an "aggressive" campaign. Google-owned Mandiant is tracking the activity under its...
10CVSS
9.3AI Score
0.972EPSS
Join Our Webinar on Protecting Human and Non-Human Identities in SaaS Platforms
Identities are the latest sweet spot for cybercriminals, now heavily targeting SaaS applications that are especially vulnerable in this attack vector. The use of SaaS applications involves a wide range of identities, including human and non-human, such as service accounts, API keys, and OAuth...
7.4AI Score
The State of Stalkerware in 2023–2024
The State of Stalkerware in 2023 (PDF) The annual Kaspersky State of Stalkerware report aims to contribute to awareness and a better understanding of how people around the world are impacted by digital stalking. Stalkerware is commercially available software that can be discreetly installed on...
6.8AI Score
New "GoFetch" Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys
A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations. Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent...
6.2AI Score