GDPR (DSGVO) & EPrivacy Cookie Consent Security Vulnerabilities

[ibm] Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues
Summary: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below. Vulnerability Details...
CVSS 9.8 | AI Score 9.9 | EPSS 0.007 | 2024-04-12 02:33 PM | 17

[nuclei] ReCrystallize Server - Authentication Bypass
This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been...
AI Score 6.8 | EPSS 0.001 | 2024-04-12 09:12 AM | 18

[thn] Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker
Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake Meta Pixel tracker script in an attempt to evade detection. Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom...
AI Score 7.3 | 2024-04-12 05:09 AM | 20

[veracode] Cross-Site Request Forgery (CSRF)
aim is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the lack of CSRF and CORS protection in the aim dashboard, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's...
CVSS 8.8 | AI Score 7.1 | EPSS 0.0004 | 2024-04-12 04:09 AM | 7

[nessus] PHP 8.1.x < 8.1.28 Multiple Vulnerabilities
The version of PHP installed on the remote host is prior to 8.1.28. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.1.28 advisory. In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a...
CVSS 9.4 | AI Score 8.9 | EPSS 0.006 | 2024-04-12 12:00 AM | 106

[exploitdb]
AI Score 7.4 | 2024-04-12 12:00 AM | 103

[packetstorm]
AI Score 7.4 | 2024-04-12 12:00 AM | 94

[nessus] Slackware Linux 15.0 / current php81 Multiple Vulnerabilities (SSA:2024-103-01)
The version of php81 installed on the remote host is prior to 8.1.28 / 8.3.6. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2024-103-01 advisory. In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to...
CVSS 9.4 | AI Score 8.9 | EPSS 0.006 | 2024-04-12 12:00 AM | 13

[exploitdb]
AI Score 7.4 | 2024-04-12 12:00 AM | 65

[nessus] Apache Superset < 2.1.0 Hardcoded Secret Key
Apache Superset versions prior to 2.1.0 use a default secret to sign cookies. An unauthenticated attacker can use this default value to forge a cookie and authenticate himself as...
AI Score 7.3 | 2024-04-12 12:00 AM | 4

[exploitdb]
CVSS 9.8 | AI Score 7.4 | EPSS 0.001 | 2024-04-12 12:00 AM | 60

[ibm] Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Summary: IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that could be identified and exploited with automated tools. These have been addressed in the update. Vulnerability Details: CVEID: CVE-2023-34967 DESCRIPTION: Samba is vulnerable to a denial of service, caused...
CVSS 9.8 | AI Score 10 | EPSS 0.963 | 2024-04-11 06:19 PM | 24

[openbugbounty] dsgvo-paket.de Cross Site Scripting vulnerability OBB-3916930
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.2 | 2024-04-11 03:54 PM | 4

[cve] CVE-2024-27967
Cross-Site Request Forgery (CSRF) vulnerability in Michael Leithold DSGVO All in one for WP. This issue affects DSGVO All in one for WP: from n/a through...
CVSS 4.3 | AI Score 9.3 | EPSS 0.0004 | 2024-04-11 01:25 AM | 39

[nvd] CVE-2024-27967
Cross-Site Request Forgery (CSRF) vulnerability in Michael Leithold DSGVO All in one for WP. This issue affects DSGVO All in one for WP: from n/a through...
CVSS 4.3 | AI Score 4.7 | EPSS 0.0004 | 2024-04-11 01:25 AM

[amazon] Medium: flatpak
Issue Overview: Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case...
CVSS 8.6 | AI Score 7 | EPSS 0.002 | 2024-04-11 01:07 AM | 12

[zdt] GUnet OpenEclass E-learning 3.15 File Upload / Command Execution Exploit
GUnet OpenEclass E-learning platform version 3.15 suffers from an unrestricted file upload vulnerability in certbadge.php that allows for remote command...
AI Score 7.7 | EPSS 0.001 | 2024-04-11 12:00 AM | 73

[nessus] Juniper Junos OS Multiple Vulnerabilities (JSA79108)
The version of Junos OS installed on the remote host is affected by multiple vulnerabilities as referenced in the JSA79108 advisory. This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow...
CVSS 9.8 | AI Score 9.3 | EPSS 0.007 | 2024-04-11 12:00 AM | 77

[zdt] CHAOS RAT 5.0.1 Remote Command Execution Exploit
CHAOS RAT web panel version 5.0.1 is vulnerable to command injection, which can be triggered from a cross site scripting attack, allowing an attacker to take over the RAT...
AI Score 6.6 | EPSS 0.0004 | 2024-04-11 12:00 AM | 108

[nessus] PHP 8.3.x < 8.3.6 Multiple Vulnerabilities
The version of PHP installed on the remote host is prior to 8.3.6. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.3.6 advisory. In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard...
CVSS 9.4 | AI Score 8.9 | EPSS 0.006 | 2024-04-11 12:00 AM | 45

[nessus] PHP 8.2.x < 8.2.18 Multiple Vulnerabilities
The version of PHP installed on the remote host is prior to 8.2.18. It is, therefore, affected by multiple vulnerabilities as referenced in the Version 8.2.18 advisory. In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a...
CVSS 9.4 | AI Score 8.9 | EPSS 0.006 | 2024-04-11 12:00 AM | 96

[freebsd] php -- Multiple vulnerabilities
This update includes 3 security fixes: High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows High CVE-2024-1874: Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on...
CVSS 9.4 | AI Score 7.5 | EPSS 0.006 | 2024-04-11 12:00 AM | 24

[packetstorm]
AI Score 7.4 | EPSS 0.001 | 2024-04-11 12:00 AM | 73

[cve] CVE-2024-31999
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...
CVSS 7.4 | AI Score 7.4 | EPSS 0.0004 | 2024-04-10 10:15 PM | 28

[nvd] CVE-2024-31999
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...
CVSS 7.4 | AI Score 7.4 | EPSS 0.0004 | 2024-04-10 10:15 PM

[osv] CVE-2024-31999
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...
CVSS 7.4 | AI Score 7.5 | EPSS 0.0004 | 2024-04-10 10:15 PM | 1

[cvelist] CVE-2024-31999 @fastify/secure-session: Reuse of destroyed secure session cookie
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is...
CVSS 7.4 | AI Score 7.6 | EPSS 0.0004 | 2024-04-10 09:59 PM

[github] Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim...
CVSS 8.8 | AI Score 6.8 | EPSS 0.0004 | 2024-04-10 06:30 PM | 4

[osv] Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim...
CVSS 8.8 | AI Score 6.8 | EPSS 0.0004 | 2024-04-10 06:30 PM | 5

[cve] CVE-2024-2196
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim...
CVSS 8.8 | AI Score 8.6 | EPSS 0.0004 | 2024-04-10 05:15 PM | 52

[nvd] CVE-2024-2196
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim...
CVSS 8.8 | AI Score 8.7 | EPSS 0.0004 | 2024-04-10 05:15 PM | 3

[osv] @fastify/secure-session: Reuse of destroyed secure session cookie
Impact: At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided...
CVSS 7.4 | AI Score 6.9 | EPSS 0.0004 | 2024-04-10 05:15 PM | 5

[github] @fastify/secure-session: Reuse of destroyed secure session cookie
Impact: At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroyed. When an encrypted cookie with matching session name is provided...
CVSS 7.4 | AI Score 7.2 | EPSS 0.0004 | 2024-04-10 05:15 PM | 6

[cvelist] CVE-2024-2196 CSRF Vulnerability in aimhubio/aim
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim...
CVSS 8.8 | AI Score 8.9 | EPSS 0.0004 | 2024-04-10 05:08 PM

[ibm] Security Bulletin: Jinja2-2.11.3-py2.py3-none-any.whl and Jinja2-3.1.2-py3-none-any.whl is vulnerable to CVE-2024-22195 used in IBM Maximo Application Suite - Edge Data Collector
Summary: IBM Maximo Application Suite - Edge Data Collector uses Jinja2-2.11.3-py2.py3-none-any.whl and Jinja2-3.1.2-py3-none-any.whl which is vulnerable to CVE-2024-22195. Vulnerability Details: CVEID: CVE-2024-22195 DESCRIPTION: Pallets Jinja is vulnerable to cross-site scripting, caused by...
CVSS 6.1 | AI Score 6.7 | EPSS 0.001 | 2024-04-10 10:49 AM | 20

[ibm] Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities
Summary: QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...
CVSS 10 | AI Score 8.9 | EPSS 0.024 | 2024-04-10 09:27 AM | 10

[veracode] Cookie Header Leakage
contao/core-bundle is vulnerable to Cookie Header Leakage. The vulnerability is due to a flaw in the implementation of the HTTP client options being applied to all requests, including those to external URLs. It allows attackers to potentially access sensitive cookie data from protected...
CVSS 8.3 | AI Score 6.8 | EPSS 0.0004 | 2024-04-10 06:35 AM | 4

[packetstorm]
AI Score 7.4 | EPSS 0.0004 | 2024-04-10 12:00 AM | 86

[ibm] Security Bulletin: IBM QRadar App SDK for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary: The product includes vulnerable components (e.g., framework libraries) that might be identified and exploited with automated tools. IBM has addressed the vulnerabilities. This product is only used by IBM QRadar SIEM app developers and external business partners and is not relevant for...
CVSS 9.8 | AI Score 7.9 | EPSS 0.963 | 2024-04-09 06:57 PM | 4

[ibm] Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Summary: The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Deployment Intelligence app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details: CVEID: CVE-2023-46234 DESCRIPTION:...
CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2024-04-09 06:54 PM | 9

[ibm] Security Bulletin: IBM Operational Decision Manager for March 2024 - Multiple CVEs addressed
Summary: IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details: CVEID:...
CVSS 8.8 | AI Score 9.2 | EPSS | 2024-04-09 04:32 PM | 10

[github] gin-vue-admin background arbitrary code coverage vulnerability
Impact: gin-vue-admin <= v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model',...
CVSS 7.7 | AI Score 7.7 | EPSS 0.0004 | 2024-04-09 04:22 PM | 5

[osv] gin-vue-admin background arbitrary code coverage vulnerability
Impact: gin-vue-admin <= v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model',...
CVSS 7.7 | AI Score 7.7 | EPSS 0.0004 | 2024-04-09 04:22 PM | 12

Total number of security vulnerabilities: 62142