Most recent vulnerabilities by source

The vulnerabilities are sorted by update time (recent to old)

Vulnerability ID Description
ghsa-3j6m-m5v5-9785 (github) Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart.
ghsa-jwqr-jcwp-445w (github) `/upload/catalog/controller/account/password.php` in OpenCart through 3.0.2.0 has CSRF via the `index.php?route=account/password` URI to change a user's password.
ghsa-wx3q-f5f2-4q8v (github) The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code'].
ghsa-qgrf-34hp-ghm9 (github) OpenCart through 3.0.2.0 allows directory traversal in the `editDownload` function in `admin\model\catalog\download.php` via `admin/index.php?route=catalog/download/edit`, related to the `download_id`. For example, an attacker can download `../../config.php`.
ghsa-825g-f3g2-6vxf (github) QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripting in the user's real name field resulting in denial of service and performing unauthorised actions with an administrator user's account
ghsa-62g2-8p9f-ghjp (github) CSRF in `/admin/user/manage/add` in QuickAppsCMS 2.0.0-beta2 allows an unauthorized remote attacker to create an account with admin privileges.
ghsa-3p9v-xp6w-wcmc (github) An issue was discovered in QuickAppsCMS (aka QACMS) through 2.0.0-beta2. A CSRF vulnerability can change the administrator password via the user/me URI.
ghsa-489x-ccjw-q7c4 (github) An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.
ghsa-vg4f-8v9q-5c3x (github) LightSAML version prior to 1.3.5 contains a Incorrect Access Control vulnerability in signature validation in readers in `src/LightSaml/Model/XmlDSig/` that can result in impersonation of any user from Identity Provider. This vulnerability appears to have been fixed in 1.3.5 and later.
ghsa-297f-r9w7-w492 (github) Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
ghsa-phhm-6pgm-mxw9 (github) MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges.
ghsa-h4fh-gpvh-753g (github) Yab Quarx before 2.4.5 is prone to multiple persistent cross-site scripting vulnerabilities: Blog (Title), FAQ (Question), Pages (Title), Widgets (Name), and Menus (Name).
ghsa-w7qx-vwr9-2j3r (github) When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
ghsa-9c24-g32g-35rj (github) Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.
ghsa-98w5-wqp9-w466 (github) The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.
ghsa-h377-287m-w2r9 (github) In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.
ghsa-q3p9-8728-wq7x (github) The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
ghsa-3gx6-h57h-rm27 (github) Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)
ghsa-qqxc-cppg-4xp8 (github) The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
ghsa-frqf-9qr4-6vxf (github) The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.
ghsa-rfxx-gxwc-923c (github) The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.
ghsa-jpj8-49hr-wcwv (github) The transliterate mechanism in Drupal 8.x before 8.2.3 allows remote attackers to cause a denial of service via a crafted URL.
ghsa-66gr-xrcf-8jpq (github) Confirmation forms in Drupal 7.x before 7.52 make it easier for remote authenticated users to conduct open redirect attacks via unspecified vectors.
ghsa-q6v4-xjp2-8ggv (github) HTML Injection in Securimage prior to 3.6.6 allows remote attackers to inject arbitrary HTML into an e-mail message body via the `$_SERVER['HTTP_USER_AGENT']` parameter to `example_form.ajax.php` or `example_form.php`.
ghsa-3p68-m5qw-9g9w (github) Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different vulnerability than CVE-2010-2479.
ghsa-6rm6-mjmh-86jq (github) Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
ghsa-5hr6-r8h6-wh22 (github) The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published page/posts to be leaked.
ghsa-7vrp-3pff-c3j4 (github) OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger.
ghsa-87cv-57p8-j33x (github) OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.
ghsa-6grv-hw8g-4gfm (github) In PrestaShop 1.7.5.2, the `shop_country` parameter in the `install/index.php` installation `script/component` is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.
Vulnerability ID CVSS Base Score Description Vendor Product Publish Date Last Update Date
cve-2024-31208 (NVD) Synapse's V2 state resolution weakness allows DoS from remote room members element-hq
synapse
2024-04-23T17:26:39.171Z 2024-04-23T17:26:39.171Z
cve-2024-28130 (NVD) An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. OFFIS
DCMTK
2024-04-23T14:46:43.296Z 2024-04-23T17:00:06.883Z
cve-2024-21979 (NVD) CVSS-v3.1: 5.3 An out of bounds write vulnerability in the AMD Radeon™ user mode driver for DirectX® 11 could allow an attacker with access to a malformed shader to potentially achieve arbitrary code execution. AMD
AMD
AMD Software: Adrenalin Edition
AMD Software: PRO Edition
2024-04-23T16:36:38.556Z 2024-04-23T16:36:38.556Z
cve-2024-21972 (NVD) CVSS-v3.1: 5.3 An out of bounds write vulnerability in the AMD Radeon™ user mode driver for DirectX® 11 could allow an attacker with access to a malformed shader to potentially achieve arbitrary code execution. AMD
AMD
AMD Software: Adrenalin Edition
AMD Software: PRO Edition
2024-04-23T16:36:03.933Z 2024-04-23T16:36:03.933Z
cve-2024-32258 (NVD) N/A The network server of fceux 2.7.0 has a path traversal vulnerability, allowing attackers to overwrite any files on the server without authentication by fake ROM. n/a
n/a
2024-04-23T00:00:00 2024-04-23T15:11:34.066420
cve-2024-31804 (NVD) N/A An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component. n/a
n/a
2024-04-23T00:00:00 2024-04-23T15:06:21.273144
cve-2024-33211 (NVD) N/A Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter in ip/goform/QuickIndex. n/a
n/a
2024-04-23T00:00:00 2024-04-23T15:06:07.506228
cve-2024-33212 (NVD) N/A Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter in ip/goform/setcfm. n/a
n/a
2024-04-23T00:00:00 2024-04-23T15:04:19.079850
cve-2024-33213 (NVD) N/A Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/RouteStatic. n/a
n/a
2024-04-23T00:00:00 2024-04-23T15:02:46.620150
cve-2024-33214 (NVD) N/A Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter in ip/goform/RouteStatic. n/a
n/a
2024-04-23T00:00:00 2024-04-23T15:01:48.418722
cve-2024-33215 (NVD) N/A Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/addressNat. n/a
n/a
2024-04-23T00:00:00 2024-04-23T14:59:29.690886
cve-2024-33217 (NVD) N/A Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter in ip/goform/addressNat. n/a
n/a
2024-04-23T00:00:00 2024-04-23T14:58:11.275742
cve-2024-29003 (NVD) CVSS-v3.1: 7.5 SolarWinds Platform Cross Site Scripting Vulnerability SolarWinds
SolarWinds Platform
2024-04-18T09:07:17.085Z 2024-04-23T14:52:57.901Z
cve-2024-29001 (NVD) CVSS-v3.1: 7.5 SolarWinds Platform SWQL Injection Vulnerability SolarWinds
SolarWinds Platform
2024-04-18T09:06:41.437Z 2024-04-23T14:51:28.421Z
cve-2024-32513 (NVD) CVSS-v3.1: 5.3 WordPress Product Feed PRO for WooCommerce plugin <= 13.3.1 - Sensitive Data Exposure vulnerability AdTribes.io
Product Feed PRO for WooCommerce
2024-04-17T08:03:24.412Z 2024-04-23T14:34:46.711Z
cve-2024-32679 (NVD) CVSS-v3.1: 5.3 WordPress Shared Files plugin <= 1.7.16 - Broken Access Control vulnerability Shared Files PRO
Shared Files
2024-04-23T14:12:12.927Z 2024-04-23T14:12:12.927Z
cve-2024-29368 (NVD) N/A An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content. n/a
n/a
2024-04-22T00:00:00 2024-04-23T14:09:41.967545
cve-2024-2477 (NVD) The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. advancedcoding
Comments – wpDiscuz
2024-04-23T13:50:40.649Z 2024-04-23T13:50:40.649Z
cve-2023-27198 (NVD) N/A PAX A930 device with PayDroid_7.1.1_Virgo_V04.5.02_20220722 can allow the execution of arbitrary commands by using the exec service and including a specific word in the command to be executed. The attacker must have physical USB access to the device in order to exploit this vulnerability. n/a
n/a
2023-07-05T00:00:00 2024-04-23T13:26:12.025986
cve-2023-27197 (NVD) N/A PAX A930 device with PayDroid_7.1.1_Virgo_V04.5.02_20220722 can allow an attacker to gain root access by running a crafted binary leveraging an exported function from a shared library. The attacker must have shell access to the device in order to exploit this vulnerability. n/a
n/a
2023-07-05T00:00:00 2024-04-23T13:26:12.892982
cve-2023-27199 (NVD) N/A PAX Technology A930 PayDroid_7.1.1_Virgo_V04.5.02_20220722 allows attackers to compile a malicious shared library and use LD_PRELOAD to bypass authorization checks. n/a
n/a
2023-07-05T00:00:00 2024-04-23T13:26:10.854225
cve-2022-26579 (NVD) N/A PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability. n/a
n/a
2022-12-16T00:00:00 2024-04-23T13:26:10.168526
cve-2022-26580 (NVD) N/A PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability. n/a
n/a
2022-12-16T00:00:00 2024-04-23T13:26:09.550450
cve-2022-26582 (NVD) N/A PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability. n/a
n/a
2022-12-16T00:00:00 2024-04-23T13:26:08.225013
cve-2022-26581 (NVD) N/A PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions through the execution of specific binaries listed in ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability. n/a
n/a
2022-12-16T00:00:00 2024-04-23T13:26:08.919858
cve-2022-46966 (NVD) N/A Revenue Collection System v1.0 was discovered to contain a SQL injection vulnerability at step1.php. n/a
n/a
2023-01-26T00:00:00 2024-04-23T13:26:07.412677
cve-2024-28627 (NVD) N/A An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file. n/a
n/a
2024-04-23T00:00:00 2024-04-23T13:16:12.591081
cve-2024-26922 (NVD) N/A drm/amdgpu: validate the parameters of bo mapping operations more clearly Linux
Linux
Linux
Linux
2024-04-23T13:05:04.243Z 2024-04-23T13:05:04.243Z
cve-2024-30800 (NVD) N/A PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly zones by breaching the geofence using flaws in the function. n/a
n/a
2024-04-23T00:00:00 2024-04-23T12:29:58.024492
cve-2023-47731 (NVD) CVSS-v3.1: 5.4 IBM QRadar Suite Software cross-site scripting IBM
IBM
QRadar Suite Software
Cloud Pak for Security
2024-04-23T12:16:11.361Z 2024-04-23T12:16:11.361Z
Vulnerability ID Description
pysec-2023-243 Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.
pysec-2023-260 A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the user without adequate sanitization or escaping, leading to arbitrary JavaScript execution in the context of the victim's browser. The vulnerability is present in the mlflow/server/auth/__init__.py file, where the user-supplied Content-Type header is directly injected into a Python formatted string and returned to the user, facilitating the XSS attack.
pysec-2023-194 langchain_experimental 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method.
pysec-2024-49 Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.
pysec-2024-48 Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
pysec-2024-47 In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
pysec-2024-46 Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access.  Users of Apache Airflow are recommended to upgrade to version 2.8.3 or newer to mitigate the risk associated with this vulnerability
pysec-2024-45 LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)
pysec-2024-44 In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution.
pysec-2024-43 LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.
pysec-2024-42 Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, including dag names and usernames they were not permitted to view. With 2.8.2 and newer, Ops and Viewer users do not have audit log permission by default, they need to be explicitly granted permissions to see the logs. Only admin users have audit log permission by default. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability
pysec-2023-259 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-258 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-257 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-256 A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.
pysec-2023-255 Command Injection in GitHub repository gradio-app/gradio prior to main.
pysec-2024-41 diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
pysec-2024-40 orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
pysec-2024-39 Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
pysec-2023-254 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
pysec-2024-38 FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.
pysec-2024-37 nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
pysec-2022-43059 AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application
pysec-2024-36 An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
pysec-2023-253 Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.
pysec-2024-35 Versions of the package dash-core-components before 2.13.0; all versions of the package dash-core-components; versions of the package dash before 2.15.0; all versions of the package dash-html-components; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. **Note:** This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
pysec-2024-12 LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Drop the Students table" within English language input.
pysec-2024-34 The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.
pysec-2024-33 The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability.
pysec-2024-32 The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0.
Vulnerability ID Description
gsd-2024-4046 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4045 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4044 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4043 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4042 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4041 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4040 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4039 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4038 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4037 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4036 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4035 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4034 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4033 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4032 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4031 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4030 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4029 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4028 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4027 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4026 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4025 The format of the source doesn't require a description, click on the link for more details
gsd-2024-4024 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32999 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32998 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32997 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32996 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32995 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32994 The format of the source doesn't require a description, click on the link for more details
gsd-2024-32993 The format of the source doesn't require a description, click on the link for more details
Vulnerability ID Description
mal-2024-1280 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (a17b660a440d2cb884c99312341fc58bf33cac16bb05ecf3065ab4f40c073c4b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1291 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6c5e6f0820c8729977d62b9cc34c7461719fd4056fc5e8e9f44426ad3c1f60d7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1287 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (308d5a6fa5eb0973b0ff8290c321ac60685b686f42543a7a09b16a5fe56a7457) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1295 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (4554cad7be69cbff28d6e2e4d3535b5d7b4158f2efa1c79eaaf705151ec686ff) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1293 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (45e4d71b34d2eb0cd66dc9d19da997d325017d19687f304f39e1138fe0a0f0fa) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1283 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (adbea70f2acb33710c8ecb7e13e55c24980ccd349854aa6c82915d2829359e15) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1286 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (63cea4fbbb1333188e78d11622c9b943608aea6770144dacf6e1184036a646b7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1285 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (86831222f9b0a818e862c2db4a2e7f56259e7bae31f417c9464d2c19cb67dadb) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1284 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (c46cf6695c1ee706d7c20760d479bc271d109c548485e896885c9f7b6d704928) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1296 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (8ed8a707955886dfaa2b55283c703e3acbc8f5db17a426587702b53e53a9c0fb) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1290 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (90d2e2f79b4c5000c976cd4c1e99d091bb46b7dbee831bff50b3c69ff36e7dbf) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1281 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (4e6853d07fc7ca8efb0ffc45302b6b677a4b83c2e2de0e773616d9009f9b0ad8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1288 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6d7bd1b87c4b816789f583c6667d202f613eab5d352c1fcbe90fe1b182a0d13c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1282 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6cdabf6ac5434305cb152ee0eaf4d9cbac6f1de324ae91052537dc8fcfa94410) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1294 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (6da5a4c9da80939fd8b4009200d8e59514e1d3a5664d9b7150b27f40250a584d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1289 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (fa5e340610d92b601dc5de1615c159ce6efea84fa66dccd8d99128054d7cf5c8) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1292 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (271bfa6075e1282de1c0d5269d79377fe6b16e9d60fa41a2a6a070cb97795905) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1279 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b3dcc117202e21ae1b180b5f80af9dc0a1c0082aee807792f2aeb5b62c8e647d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1278 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (736ee4fff51c88da50dc79bba67dcb4ee43dd8242b6d75beb08f8ca5f9bc841c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1277 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (b16145b8b3fe74af3fb0b6c48f0e4f6454bc4b9b0d79f991d6373bc094ad279a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1272 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (48accd040235db7bd6be1bcdc1f268ed9f438c3d3029090ee357139bbe870759) The OpenSSF Package Analysis project identified '@portal-packages/core' @ 15.105.105 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
mal-2024-1274 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (c0d823ab954cd19f85bb933d25f8230386023a6a1fd15430efce0298f6a25aa9) The OpenSSF Package Analysis project identified 'ui-common-components-angular' @ 1.3.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
mal-2024-1273 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (c4d7b54aa00bce85364eddf568913642023e355ba669803fa01e20a143e93a47) The OpenSSF Package Analysis project identified 'metrics-balancer' @ 0.2.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
mal-2024-1275 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (543a89535f49dbd2c40707219fba6c80040d752e90ba3347abf1d61e9ea0e477) The OpenSSF Package Analysis project identified '@portal-packages/utils' @ 3.0.99 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
mal-2024-1276 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (65b5439bd3051d2315be6f4ae90f3235c5e41c2d9afa4a3c8f6ff3271c31cb9a) The OpenSSF Package Analysis project identified 'cz-ifood-conventional-changelog' @ 1.0.101 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
mal-2024-1267 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ossf-package-analysis (82ce80367972231229038d234d1114c39f459b1c4bfe4a03392a3cfa35d4454b) The OpenSSF Package Analysis project identified 'commitlint-config-ifood' @ 1.95.102 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
mal-2024-1271 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (dd6b41d316342a401f8e262adb37d1982a359946c37d5b6dbbf9903eed6c6ea0) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1269 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (05c6cf9e3c0564724471422898f07aea9b5234d6c00d38d95441a3fbe18cd004) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1270 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (cf9eff937bcee16db9ca91202bb07969de9b49b32196de1bb49ade4bcbe83d31) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
mal-2024-1268 --- _-= Per source details. Do not edit below this line.=-_ ## Source: ghsa-malware (e32870b3e9ee7f6a8468b3fea4e188d906aa415456731059a4eb93984078ab9a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Vulnerability ID Description
wid-sec-w-2024-0944 CrushFTP: Schwachstelle ermöglicht Offenlegung von Informationen
wid-sec-w-2024-0943 CODESYS: Mehrere Schwachstellen
wid-sec-w-2024-0942 innovaphone PBX: Schwachstelle ermöglicht Cross-Site Scripting
wid-sec-w-2024-0941 PyTorch: Schwachstelle ermöglicht Denial of Service und Offenlegung von Informationen
wid-sec-w-2024-0940 Red Hat OpenStack: Schwachstelle ermöglicht Privilegieneskalation
wid-sec-w-2024-0939 ffmpeg: Mehrere Schwachstellen
wid-sec-w-2024-0938 Microsoft GitHub Enterprise: Mehrere Schwachstellen
wid-sec-w-2024-0937 JasPer: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0936 GStreamer: Schwachstelle ermöglicht Codeausführung
wid-sec-w-2024-0935 IBM App Connect Enterprise: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0930 Red Hat Enterprise Linux (sssd): Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
wid-sec-w-2024-0918 Broadcom Brocade SANnav: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen
wid-sec-w-2024-0912 Google Chrome: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
wid-sec-w-2024-0909 Mozilla Firefox und Thunderbird: Mehrere Schwachstellen
wid-sec-w-2024-0906 IBM WebSphere Application Server: Mehrere Schwachstellen
wid-sec-w-2024-0895 Oracle Java SE: Mehrere Schwachstellen
wid-sec-w-2024-0846 Google Chrome / Microsoft Edge: Mehrere Schwachstellen
wid-sec-w-2024-0801 Apache HTTP Server: Mehrere Schwachstellen ermöglichen Manipulation von Daten
wid-sec-w-2024-0797 IBM WebSphere Application Server: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0776 Node.js: Mehrere Schwachstellen
wid-sec-w-2024-0669 Mozilla Firefox, Firefox ESR und Thunderbird: Mehrere Schwachstellen
wid-sec-w-2024-0663 Atlassian Bamboo und Bitbucket: Schwachstelle ermöglicht Denial of Service
wid-sec-w-2024-0630 Apache Tomcat: Mehrere Schwachstellen ermöglichen Denial of Service
wid-sec-w-2024-0561 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0536 Linux Kernel: Schwachstelle ermöglicht nicht spezifizierten Angriff
wid-sec-w-2024-0534 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0500 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
wid-sec-w-2024-0488 Linux Kernel: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
wid-sec-w-2024-0478 Linux Kernel: Mehrere Schwachstellen
wid-sec-w-2024-0475 Linux-Kernel: Mehrere Schwachstellen ermöglichen Denial of Service und unspezifische Angriffe
Vulnerability ID Description
ssa-750274 SSA-750274: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW
ssa-885980 SSA-885980: Multiple Vulnerabilities in Scalance W1750D
ssa-832273 SSA-832273: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices
ssa-831302 SSA-831302: Vulnerabilities in the BIOS of the SIMATIC S7-1500 TM MFP before V1.3.0
ssa-822518 SSA-822518: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW before V11.0.1 on RUGGEDCOM APE1808 devices
ssa-794697 SSA-794697: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP before V1.1
ssa-753746 SSA-753746: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products
ssa-730482 SSA-730482: Denial of Service Vulnerability in SIMATIC WinCC
ssa-716164 SSA-716164: Multiple Vulnerabilities in Scalance W1750D
ssa-712929 SSA-712929: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
ssa-711309 SSA-711309: Denial of Service Vulnerability in the OPC UA Implementations of SIMATIC Products
ssa-691715 SSA-691715: Vulnerability in OPC Foundation Local Discovery Server Affecting Siemens Products
ssa-556635 SSA-556635: Multiple Vulnerabilities in Telecontrol Server Basic before V3.1.2.0
ssa-457702 SSA-457702: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W700 Product Family
ssa-455250 SSA-455250: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices
ssa-398330 SSA-398330: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1
ssa-265688 SSA-265688: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1
ssa-222019 SSA-222019: X_T File Parsing Vulnerabilities in Parasolid
ssa-203374 SSA-203374: Multiple OpenSSL Vulnerabilities in SCALANCE W1750D Devices
ssa-128433 SSA-128433: Multiple Vulnerabilities in SINEC NMS before V2.0 SP2
ssa-968170 SSA-968170: Remote Code Execution Vulnerability in SIMATIC STEP 7 V5.x and Derived Products
ssa-943925 SSA-943925: Multiple Vulnerabilities in SINEC NMS before V2.0 SP1
ssa-918992 SSA-918992: Unused HTTP Service on SENTRON 3KC ATC6 Ethernet Module
ssa-871717 SSA-871717: Multiple Vulnerabilities in Polarion ALM
ssa-792319 SSA-792319: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices
ssa-770721 SSA-770721: Multiple Vulnerabilities in SIMATIC RF160B before V2.2
ssa-699386 SSA-699386: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family before V4.5
ssa-693975 SSA-693975: Denial-of-Service Vulnerability in the Web Server of Industrial Products
ssa-653855 SSA-653855: Information Disclosure vulnerability in SINEMA Remote Connect Client before V3.1 SP1
ssa-592380 SSA-592380: Denial of Service Vulnerability in SIMATIC S7-1500 CPUs and related products
Vulnerability ID Description
rhba-2024_1440 Red Hat Bug Fix Advisory: MTV 2.5.6 Images
rhba-2024_1136 Red Hat Bug Fix Advisory: podman bug fix update
rhba-2024_1127 Red Hat Bug Fix Advisory: libssh bug fix update
rhea-2023_6741 Red Hat Enhancement Advisory: .NET 8.0 bugfix update
rhea-2023_6562 Red Hat Enhancement Advisory: nginx:1.22 bug fix and enhancement update
rhea-2023_7235 Red Hat Enhancement Advisory: ACS 4.3 enhancement update
rhba-2023_6109 Red Hat Bug Fix Advisory: MTV 2.4.3 Images
rhba-2023_6078 Red Hat Bug Fix Advisory: MTV 2.5.2 Images
rhba-2023_5806 Red Hat Bug Fix Advisory: Red Hat Ansible Automation Platform 2.4 Container Release Update
rhba-2023_7648 Red Hat Bug Fix Advisory: MTV 2.5.3 Images
rhba-2024_0928 Red Hat Bug Fix Advisory: MTV 2.5.5 Images
rhsa-2024_1962 Red Hat Security Advisory: go-toolset:rhel8 security update
rhsa-2024_1963 Red Hat Security Advisory: golang security update
rhsa-2024_1961 Red Hat Security Advisory: kpatch-patch security update
rhsa-2024_1960 Red Hat Security Advisory: kpatch-patch security update
rhsa-2024_1959 Red Hat Security Advisory: shim security update
rhba-2023_2181 Red Hat Bug Fix Advisory: delve, golang, and go-toolset bug fix and enhancement update
rhba-2023_3611 Red Hat Bug Fix Advisory: Release of Bug Advisories for the OpenShift Jenkins and Jenkins agent base image
rhsa-2024_1570 Red Hat Security Advisory: ACS 4.4 enhancement and security update
rhba-2023_0564 Red Hat Bug Fix Advisory: OpenShift Container Platform 4.11.26 packages update
rhba-2022_5876 Red Hat Bug Fix Advisory: OpenShift Container Platform 4.10.26 extras update
rhsa-2024_1557 Red Hat Security Advisory: Errata Advisory for Red Hat OpenShift Builds 1.0.1
rhsa-2024_1555 Red Hat Security Advisory: .NET 6.0 security update
rhsa-2024_1554 Red Hat Security Advisory: .NET 6.0 security update
rhsa-2024_1553 Red Hat Security Advisory: .NET 6.0 security update
rhsa-2024_1552 Red Hat Security Advisory: .NET 6.0 security update
rhsa-2024_1464 Red Hat Security Advisory: OpenShift Container Platform 4.11.59 bug fix and security update
rhsa-2024_1549 Red Hat Security Advisory: ACS 4.3 enhancement and security update
rhba-2023_1649 Red Hat Bug Fix Advisory: OpenShift Container Platform 4.11.35 packages and security update
rhsa-2024_1536 Red Hat Security Advisory: Satellite 6.14.3 Async Security Update
Vulnerability ID Description
icsa-24-109-01 Unitronics Vision series PLCs
icsa-21-287-03 Mitsubishi Electric MELSEC iQ-R Series
icsa-24-107-04 RoboDK RoboDK
icsa-24-107-03 Rockwell Automation ControlLogix and GuardLogix
icsa-24-107-02 Electrolink FM/DAB/TV Transmitter
icsa-24-107-01 Measuresoft ScadaPro
icsa-24-102-09 Rockwell Automation 5015-AENFTXT
icsa-24-100-01 SUBNET PowerSYSTEM Server and Substation Server
icsa-24-102-08 Siemens Telecontrol Server Basic
icsa-24-102-07 Siemens SINEC NMS
icsa-24-102-06 Siemens Parasolid
icsa-24-102-05 Siemens Scalance W1750D
icsa-24-102-04 Siemens RUGGEDCOM APE1808
icsa-24-102-03 Siemens RUGGEDCOM APE1808 before V11.0.1
icsa-24-102-02 Siemens SIMATIC WinCC
icsa-24-102-01 Siemens SIMATIC S7-1500
icsa-24-095-02 Schweitzer Engineering Laboratories SEL 700 series relays
icsa-24-095-01 Hitachi Energy Asset Suite 9
icsa-24-093-01 IOSIX IO-1020 Micro ELD
icsa-24-086-04 Rockwell Automation FactoryTalk View ME
icsa-24-086-03 Rockwell Automation Arena Simulation
icsa-24-086-02 Rockwell Automation PowerFlex 527
icsa-24-086-01 AutomationDirect C-MORE EA9 HMI
icsa-24-081-01 Advantech WebAccess/SCADA
icsa-24-079-01 Franklin Fueling System EVO 550/5000
icsa-24-074-14 Mitsubishi Electric MELSEC-Q/L Series
icsa-24-074-13 Softing edgeConnector
icsa-24-074-12 Delta Electronics DIAEnergie
icsa-24-074-07 Siemens SIMATIC
icsa-23-143-03 Mitsubishi Electric MELSEC Series CPU module (Update C)
Vulnerability ID Description
cisco-sa-duo-infodisc-rlceqm6t Cisco Duo Authentication for Windows Logon and RDP Information Disclosure Vulnerability
cisco-sa-secure-privesc-syxqo6ds Cisco Secure Client for Linux with ISE Posture Module Privilege Escalation Vulnerability
cisco-sa-secure-client-crlf-w43v4g7 Cisco Secure Client Carriage Return Line Feed Injection Vulnerability
cisco-sa-sb-wap-multi-85g83crb Cisco Small Business 100, 300, and 500 Series Wireless Access Points Command Injection and Buffer Overflow Vulnerabilities
cisco-sa-duo-win-bypass-pn42kkbm Cisco Duo Authentication for Windows Logon and RDP Authentication Bypass Vulnerability
cisco-sa-appd-xss-3jwqsmnt Cisco AppDynamics Controller Cross-Site Scripting Vulnerability
cisco-sa-appd-traversal-m7n8mzpf Cisco AppDynamics Controller Path Traversal Vulnerability
cisco-sa-curl-libcurl-d9ds39cv cURL and libcurl Vulnerability Affecting Cisco Products: October 2023
cisco-sa-ucsfi-imm-syn-p6kztdqc Cisco UCS 6400 and 6500 Series Fabric Interconnects Intersight Managed Mode Denial of Service Vulnerability
cisco-sa-nxos-po-acl-tkyepgvl Cisco Nexus 3000 and 9000 Series Switches Port Channel ACL Programming Vulnerability
cisco-sa-nxos-lldp-dos-z7pnctgt Cisco FXOS and NX-OS Software Link Layer Discovery Protocol Denial of Service Vulnerability
cisco-sa-nxos-ebgp-dos-l3qcwvj Cisco NX-OS Software External Border Gateway Protocol Denial of Service Vulnerability
cisco-sa-ipv6-mpls-dos-r9ycxkwm Cisco NX-OS Software MPLS Encapsulated IPv6 Denial of Service Vulnerability
cisco-sa-cimc-xss-umytyetr Cisco Integrated Management Controller Cross-Site Scripting Vulnerability
cisco-sa-cuic-access-control-jjszqmjj Cisco Unified Intelligence Center Insufficient Access Control Vulnerability
cisco-sa-asaftd-info-disclose-9ejtycmb Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability
cisco-sa-clamav-hdffu6t ClamAV OLE2 File Format Parsing Denial of Service Vulnerability
cisco-sa-expressway-csrf-knnzdmj3 Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities
cisco-sa-ftd-snort3acp-bypass-3bdr2beh Multiple Cisco Products Snort 3 Access Control Policy Bypass Vulnerability
cisco-sa-cuc-unauth-afu-froyscsd Cisco Unity Connection Unauthenticated Arbitrary File Upload Vulnerability
cisco-sa-cucm-rce-bwnzqcum Cisco Unified Communications Products Remote Code Execution Vulnerability
cisco-sa-sb-bus-acl-bypass-5zn9hnjk Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability
cisco-sa-cuc-xss-9tfuu5ms Cisco Unity Connection Cross-Site Scripting Vulnerability
cisco-sa-sdwan-privesc-cli-xkgwmqku Cisco SD-WAN Software Arbitrary File Corruption Vulnerability
cisco-sa-sd-wan-file-access-vw36d28p Cisco SD-WAN Solution Improper Access Control Vulnerability
cisco-sa-broadworks-xss-6syj82ju Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Stored Cross-Site Scripting Vulnerability
cisco-sa-tms-portal-xss-axnevg3s Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities
cisco-sa-thouseyes-privesc-dmzhg3qv Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability
cisco-sa-sb-wap-inject-bhstwgxo Cisco WAP371 Wireless Access Point Command Injection Vulnerability
cisco-sa-pi-epnm-wkzjeyeq Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Vulnerabilities
Vulnerability ID Description
sca-2024-0001 Vulnerability in SICK Logistics Analytics Products and SICK Field Analytics
sca-2023-0011 Vulnerability in multiple SICK Flexi Soft Gateways
sca-2023-0010 Vulnerabilities in SICK Application Processing Unit
sca-2023-0008 Vulnerability in SICK SIM1012
sca-2023-0009 Vulnerability in Wibu-Systems CodeMeter Runtime affects multiple SICK products
sca-2023-0007 Vulnerabilities in SICK LMS5xx
sca-2023-0006 Vulnerabilities in SICK ICR890-4
sca-2023-0005 Vulnerabilities in SICK EventCam App
sca-2023-0004 Vulnerabilities in SICK FTMg
sca-2023-0003 Vulnerability in SICK Flexi Soft and Flexi Classic Gateways
Vulnerability ID Description
nn-2023_17-01 Information disclosure via audit records for OpenAPI requests in Guardian/CMC before 23.4.1
nn-2024_1-01 DoS on IDS parsing of malformed Radius packets in Guardian before 23.4.1
nn-2023_12-01 Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0
nn-2023_9-01 Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0
nn-2023_8-01 Session Fixation in Guardian/CMC before 22.6.2
nn-2023_7-01 DoS via SAML configuration in Guardian/CMC before 22.6.2
nn-2023_6-01 Partial DoS on Reports section due to null report name in Guardian/CMC before 22.6.2
nn-2023_5-01 Information disclosure via the debug function in assertions in Guardian/CMC before 22.6.2
nn-2023_4-01 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2
nn-2023_3-01 Authenticated Blind SQL Injection on alerts count in Guardian/CMC before 22.6.2
nn-2023_2-01 Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2
nn-2023_11-01 SQL Injection on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
nn-2023_10-01 DoS on IDS parsing of malformed asset fields in Guardian/CMC >= 22.6.0 before 22.6.3 and 23.1.0
nn-2023_1-01 Authenticated SQL Injection on Alerts in Guardian/CMC before 22.5.2
nn-2022_2-02 Authenticated RCE on project configuration import in Guardian/CMC before 22.0.0
nn-2022_2-01 Authenticated RCE on logo report upload in Guardian/CMC before 22.0.0
nn-2021_2-01 Authenticated command path traversal on timezone settings in Guardian/CMC before 20.0.7.4
nn-2021_1-01 Authenticated command injection when changing date settings or hostname in Guardian/CMC before 20.0.7.4
nn-2020_3-01 Angular template injection on custom report name field
nn-2020_2-01 Cross-site request forgery attack on change password form
nn-2019_2-01 CSV Injection on node label
nn-2019_1-01 Stored XSS in field name data model
Vulnerability ID Description
oxas-adv-2024-0001 OX App Suite Security Advisory OXAS-ADV-2024-0001
oxas-adv-2023-0007 OX App Suite Security Advisory OXAS-ADV-2023-0007
oxas-adv-2023-0006 OX App Suite Security Advisory OXAS-ADV-2023-0006
oxas-adv-2023-0005 OX App Suite Security Advisory OXAS-ADV-2023-0005
oxas-adv-2023-0004 OX App Suite Security Advisory OXAS-ADV-2023-0004
oxas-adv-2023-0003 OX App Suite Security Advisory OXAS-ADV-2023-0003
oxas-adv-2023-0002 OX App Suite Security Advisory OXAS-ADV-2023-0002
oxas-adv-2023-0001 OX App Suite Security Advisory OXAS-ADV-2023-0001
oxas-adv-2022-0002 OX App Suite Security Advisory OXAS-ADV-2022-0002
oxas-adv-2022-0001 OX App Suite Security Advisory OXAS-ADV-2022-0001