π¨ CVE-2024-52615
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
π@cveNotify
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.
π@cveNotify
π¨ CVE-2025-10412
The Product Options and Price Calculation Formulas for WooCommerce β Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
π@cveNotify
The Product Options and Price Calculation Formulas for WooCommerce β Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
π@cveNotify
π¨ CVE-2025-7106
danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissions.some()` to validate permissions, which incorrectly grants access if only one of multiple required permissions is present. This allows users with the 'USER' role to create agents despite having `CREATE: false` permission, as the check for `['USE', 'CREATE']` passes with just `USE: true`. This vulnerability affects other permission checks as well, such as `PROMPTS`. The issue is present in all versions prior to the fix.
π@cveNotify
danny-avila/librechat is affected by an authorization bypass vulnerability due to improper access control checks. The `checkAccess` function in `api/server/middleware/roles/access.js` uses `permissions.some()` to validate permissions, which incorrectly grants access if only one of multiple required permissions is present. This allows users with the 'USER' role to create agents despite having `CREATE: false` permission, as the check for `['USE', 'CREATE']` passes with just `USE: true`. This vulnerability affects other permission checks as well, such as `PROMPTS`. The issue is present in all versions prior to the fix.
π@cveNotify
GitHub
π§ refactor: Change Permissions Check from `some` to `every` for Stricβ¦ Β· danny-avila/LibreChat@91a2df4
β¦ter Access Validation (#8270)
* π§ refactor: Change Permissions Check from `some` to `every` for Stricter Access Validation
* π§ͺ ci: Add comprehensive tests for access middleware functions
* fix:...
* π§ refactor: Change Permissions Check from `some` to `every` for Stricter Access Validation
* π§ͺ ci: Add comprehensive tests for access middleware functions
* fix:...
π¨ CVE-2025-9342
Authorization Bypass Through User-Controlled Key vulnerability in Anadolu Hayat Emeklilik Inc. AHE Mobile allows Privilege Abuse.This issue affects AHE Mobile: from 1.9.7 before 1.9.9.
π@cveNotify
Authorization Bypass Through User-Controlled Key vulnerability in Anadolu Hayat Emeklilik Inc. AHE Mobile allows Privilege Abuse.This issue affects AHE Mobile: from 1.9.7 before 1.9.9.
π@cveNotify
π¨ CVE-2024-4598
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.
This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
π@cveNotify
An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Authenticated users may be able to view unintended business data from other mediation contexts because the internal state is not properly isolated or cleared between executions.
This vulnerability does not impact user credentials or access tokens but may lead to leakage of sensitive business information handled during message flows.
π@cveNotify
Wso2
Security Advisory WSO2-2024-3355/CVE-2024-4598
Documentation for WSO2 Security and Compliance
π¨ CVE-2025-9962
A buffer overflow vulnerability in Novakon P series allows attackers to gain root permission without prior authentication.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
A buffer overflow vulnerability in Novakon P series allows attackers to gain root permission without prior authentication.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
CyberDanube
Multiple Vulnerabilities in Novakon HMI Series | CyberDanube
The Novakon HMI Series devices are prone to multiple vulnerabilities. These allow an attacker to gain remote code execution, retrieve and manipulate system files and abuse weakly protected services and processes.
π¨ CVE-2024-37041
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute code.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute code.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
π¨ CVE-2024-37042
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
π¨ CVE-2024-37043
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read the contents of unexpected files and expose sensitive data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read the contents of unexpected files and expose sensitive data.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
π¨ CVE-2024-37044
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute code.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute code.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
π¨ CVE-2024-37045
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to launch a denial-of-service (DoS) attack.
We have already fixed the vulnerability in the following versions:
QTS 5.2.1.2930 build 20241025 and later
QuTS hero h5.2.1.2929 build 20241025 and later
π@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Multiple Vulnerabilities in QTS and QuTS hero - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
π¨ CVE-2024-11148
In OpenBSD 7.4 before errata 006 and OpenBSD 7.3 before errata 020, httpd(8) is vulnerable to a NULL dereference when handling a malformed fastcgi request.
π@cveNotify
In OpenBSD 7.4 before errata 006 and OpenBSD 7.3 before errata 020, httpd(8) is vulnerable to a NULL dereference when handling a malformed fastcgi request.
π@cveNotify
π¨ CVE-2024-11149
In OpenBSD 7.4 before errata 014, vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
π@cveNotify
In OpenBSD 7.4 before errata 014, vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
π@cveNotify
π¨ CVE-2025-10244
A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
π@cveNotify
A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
π@cveNotify
π¨ CVE-2025-9963
A path traversal vulnerability in Novakon P series allows to expose the root file system "/" and modify all files with root permissions. This way the system can also be compromized.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
A path traversal vulnerability in Novakon P series allows to expose the root file system "/" and modify all files with root permissions. This way the system can also be compromized.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
CyberDanube
Multiple Vulnerabilities in Novakon HMI Series | CyberDanube
The Novakon HMI Series devices are prone to multiple vulnerabilities. These allow an attacker to gain remote code execution, retrieve and manipulate system files and abuse weakly protected services and processes.
π¨ CVE-2025-9964
No password for the root user is set in Novakon P series. This allows phyiscal attackers to enter the console easily.
This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
No password for the root user is set in Novakon P series. This allows phyiscal attackers to enter the console easily.
This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
CyberDanube
Multiple Vulnerabilities in Novakon HMI Series | CyberDanube
The Novakon HMI Series devices are prone to multiple vulnerabilities. These allow an attacker to gain remote code execution, retrieve and manipulate system files and abuse weakly protected services and processes.
π¨ CVE-2025-9965
Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
Improper authentication vulnerability in Novakon P series allows unauthenticated attackers to upload and download any application from/to the device.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
CyberDanube
Multiple Vulnerabilities in Novakon HMI Series | CyberDanube
The Novakon HMI Series devices are prone to multiple vulnerabilities. These allow an attacker to gain remote code execution, retrieve and manipulate system files and abuse weakly protected services and processes.
π¨ CVE-2025-9966
Improper privilege management vulnerability in Novakon P series allows attackers to gain root privileges if one service is compromized.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
Improper privilege management vulnerability in Novakon P series allows attackers to gain root privileges if one service is compromized.This issue affects P series: P β V2001.A.C518o2.
π@cveNotify
CyberDanube
Multiple Vulnerabilities in Novakon HMI Series | CyberDanube
The Novakon HMI Series devices are prone to multiple vulnerabilities. These allow an attacker to gain remote code execution, retrieve and manipulate system files and abuse weakly protected services and processes.
π¨ CVE-2024-10933
In OpenBSD 7.5 before errata 009 and OpenBSD 7.4 before errata 022, exclude any '/' in readdir name validation to avoid unexpected directory traversal on untrusted file systems.
π@cveNotify
In OpenBSD 7.5 before errata 009 and OpenBSD 7.4 before errata 022, exclude any '/' in readdir name validation to avoid unexpected directory traversal on untrusted file systems.
π@cveNotify
π¨ CVE-2024-11145
Valor Apps Easy Folder Listing Pro has a deserialization vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Joomla! application. Fixed in versions 3.8 and 4.5.
π@cveNotify
Valor Apps Easy Folder Listing Pro has a deserialization vulnerability that allows an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Joomla! application. Fixed in versions 3.8 and 4.5.
π@cveNotify
GitHub
CSAF/csaf_files/IT/white/2024/va-24-331-01.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2024-53855
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
π@cveNotify
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
π@cveNotify
GitHub
fix(core): Ensure user cant view tickets in orgs they are not part of by jon-nfc Β· Pull Request #399 Β· nofusscomputing/centurion_erp
π Summary
Users can view tickets from orgs they are not apart of. This MR is for immediate release.
This MR is to include the reverted changes from #398.
π Links / References
fix(core): Ensure u...
Users can view tickets from orgs they are not apart of. This MR is for immediate release.
This MR is to include the reverted changes from #398.
π Links / References
fix(core): Ensure u...