🚨 CVE-2024-45390
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
🎖@cveNotify
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature.
🎖@cveNotify
GitHub
Remove template display name · blakeembrey/js-template@b8d9aa9
Fast and simple string templates. Contribute to blakeembrey/js-template development by creating an account on GitHub.
🚨 CVE-2024-45391
Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.
🎖@cveNotify
Tina is an open-source content management system (CMS). Sites building with Tina CMS's command line interface (CLI) prior to version 1.6.2 that use a search token may be vulnerable to the search token being leaked via lock file (tina-lock.json). Administrators of Tina-enabled websites with search setup should rotate their key immediately. This issue has been patched in @tinacms/cli version 1.6.2. Upgrading and rotating the search token is required for the proper fix.
🎖@cveNotify
GitHub
fix: @tinacms/cli: prevent search config from getting written to lock… · tinacms/tinacms@110f1ce
… file (#4758)
🚨 CVE-2024-45678
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.
🎖@cveNotify
Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM 2 devices with firmware before 2.4.0 allow an ECDSA secret-key extraction attack (that requires physical access and expensive equipment) in which an electromagnetic side channel is present because of a non-constant-time modular inversion for the Extended Euclidean Algorithm, aka the EUCLEAK issue. Other uses of an Infineon cryptographic library may also be affected.
🎖@cveNotify
Ars Technica
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Sophisticated attack breaks security assurances of the most popular FIDO key.
🚨 CVE-2024-4629
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
🎖@cveNotify
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
🎖@cveNotify
🚨 CVE-2024-44383
WAYOS FBM-291W v19.09.11 is vulnerable to Command Execution via msp_info_htm.
🎖@cveNotify
WAYOS FBM-291W v19.09.11 is vulnerable to Command Execution via msp_info_htm.
🎖@cveNotify
🚨 CVE-2024-44400
D-Link DI-8400 16.07.26A1 is vulnerable to Command Injection via upgrade_filter_asp.
🎖@cveNotify
D-Link DI-8400 16.07.26A1 is vulnerable to Command Injection via upgrade_filter_asp.
🎖@cveNotify
GitHub
openfile-/D-link_DI_8400-16.07.26A1_Command_Injection.md/D-link_DI_8400-16.07.26A1_Command_Injection.md at main · lonelylonglong/openfile…
Contribute to lonelylonglong/openfile- development by creating an account on GitHub.
🚨 CVE-2024-7834
A local privilege escalation is caused by Overwolf
loading and executing certain dynamic link library files from a user-writeable
folder in SYSTEM context on launch. This allows an attacker with unprivileged
access to the system to run arbitrary code with SYSTEM privileges by placing a
malicious .dll file in the respective location.
🎖@cveNotify
A local privilege escalation is caused by Overwolf
loading and executing certain dynamic link library files from a user-writeable
folder in SYSTEM context on launch. This allows an attacker with unprivileged
access to the system to run arbitrary code with SYSTEM privileges by placing a
malicious .dll file in the respective location.
🎖@cveNotify
cirosec
Local privilege escalation in Overwolf (CVE-2024-7834) - cirosec
July 4, 2024 Overwolf is a software that is used for managing mods of games with 45 million active users every month.
👍1
🚨 CVE-2024-43941
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Propovoice Propovoice Pro allows SQL Injection.This issue affects Propovoice Pro: from n/a through 1.7.0.3.
🎖@cveNotify
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Propovoice Propovoice Pro allows SQL Injection.This issue affects Propovoice Pro: from n/a through 1.7.0.3.
🎖@cveNotify
🚨 CVE-2024-43920
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jegstudio Gutenverse allows Stored XSS.This issue affects Gutenverse: from n/a through 1.9.4.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jegstudio Gutenverse allows Stored XSS.This issue affects Gutenverse: from n/a through 1.9.4.
🎖@cveNotify
Patchstack
WordPress Gutenverse – Gutenberg Blocks – Page Builder for Site Editor plugin <= 1.9.4 - Cross Site Scripting (XSS) vulnerability…
Hand curated, verified and enriched vulnerability information by Patchstack security experts. Find all WordPress plugin, theme and core security issues.
🚨 CVE-2024-38858
Improper neutralization of input in Checkmk before version 2.3.0p14 allows attackers to inject and run malicious scripts in the Robotmk logs view.
🎖@cveNotify
Improper neutralization of input in Checkmk before version 2.3.0p14 allows attackers to inject and run malicious scripts in the Robotmk logs view.
🎖@cveNotify
Checkmk
Werk #17232: Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI
The user interface offers the option to display the HTML logs of monitored synthetic tests. These
logs are generated on the host where the test is executed and are theref
logs are generated on the host where the test is executed and are theref
🚨 CVE-2024-7932
A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer Release on 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer Release on 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
Dassault Systèmes
Security Advisories - Dassault Systèmes
Providing information on important security vulnerabilities that have been confirmed in our products.
🚨 CVE-2024-7938
A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2023x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
Dassault Systèmes
Security Advisories - Dassault Systèmes
Providing information on important security vulnerabilities that have been confirmed in our products.
🚨 CVE-2024-7939
A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer Release on 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer Release on 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
Dassault Systèmes
Security Advisories - Dassault Systèmes
Providing information on important security vulnerabilities that have been confirmed in our products.
🚨 CVE-2024-8004
A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
🎖@cveNotify
Dassault Systèmes
Security Advisories - Dassault Systèmes
Providing information on important security vulnerabilities that have been confirmed in our products.
🚨 CVE-2024-8380
A vulnerability was found in SourceCodester Contact Manager with Export to VCF 1.0. It has been rated as critical. This issue affects some unknown processing of the file /endpoint/delete-account.php of the component Delete Contact Handler. The manipulation of the argument contact leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability was found in SourceCodester Contact Manager with Export to VCF 1.0. It has been rated as critical. This issue affects some unknown processing of the file /endpoint/delete-account.php of the component Delete Contact Handler. The manipulation of the argument contact leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
CVE/SourceCodester_Contact_Manager_delete_contact_sqli.md at main · jadu101/CVE
Contribute to jadu101/CVE development by creating an account on GitHub.
🚨 CVE-2024-37136
Dell Path to PowerProtect, versions 1.1, 1.2, contains an Exposure of Private Personal Information to an Unauthorized Actor vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information exposure.
🎖@cveNotify
Dell Path to PowerProtect, versions 1.1, 1.2, contains an Exposure of Private Personal Information to an Unauthorized Actor vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information exposure.
🎖@cveNotify
🚨 CVE-2024-44920
A cross-site scripting (XSS) vulnerability in the component admin_collect_news.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the siteurl parameter.
🎖@cveNotify
A cross-site scripting (XSS) vulnerability in the component admin_collect_news.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the siteurl parameter.
🎖@cveNotify
GitHub
nn0nkey/CVE-2024-44920.md at main · nn0nkey/nn0nkey
lll. Contribute to nn0nkey/nn0nkey development by creating an account on GitHub.
🚨 CVE-2024-44921
SeaCMS v12.9 was discovered to contain a SQL injection vulnerability via the id parameter at /dmplayer/dmku/index.php?ac=del.
🎖@cveNotify
SeaCMS v12.9 was discovered to contain a SQL injection vulnerability via the id parameter at /dmplayer/dmku/index.php?ac=del.
🎖@cveNotify
GitHub
nn0nkey/CVE-2024-44921.md at main · nn0nkey/nn0nkey
lll. Contribute to nn0nkey/nn0nkey development by creating an account on GitHub.
🚨 CVE-2024-6232
There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
🎖@cveNotify
There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
🎖@cveNotify
GitHub
[3.12] gh-121285: Remove backtracking when parsing tarfile headers (G… · python/cpython@4eaf489
…H-121286) (GH-123543)
gh-121285: Remove backtracking when parsing tarfile headers (GH-121286)
* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
*...
gh-121285: Remove backtracking when parsing tarfile headers (GH-121286)
* Remove backtracking when parsing tarfile headers
* Rewrite PAX header parsing to be stricter
*...
🚨 CVE-2023-46763
Vulnerability of background app permission management in the framework module. Successful exploitation of this vulnerability may cause background apps to start maliciously.
🎖@cveNotify
Vulnerability of background app permission management in the framework module. Successful exploitation of this vulnerability may cause background apps to start maliciously.
🎖@cveNotify
🚨 CVE-2023-46764
Unauthorized startup vulnerability of background apps. Successful exploitation of this vulnerability may cause background apps to start maliciously.
🎖@cveNotify
Unauthorized startup vulnerability of background apps. Successful exploitation of this vulnerability may cause background apps to start maliciously.
🎖@cveNotify