GDPR Compliance & Cookie Consent Security Vulnerabilities

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.6.0 Vulnerability Details ** CVEID: CVE-2022-25857 DESCRIPTION: **Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a...

Multiple vulnerabilities in TP-Link Omada system could lead to root access

The TP-Link Omada system is a software-defined networking solution for small to medium-sized businesses. It touts cloud-managed devices and local management for all Omada devices. The supported devices in this ecosystem vary greatly but include wireless access points, routers, switches, VPN...

XAES-256-GCM

About a year ago I wrote that "I want to use XAES-256-GCM/11, which has a number of nice properties and only the annoying defect of not existing." Well, there is now an XAES-256-GCM specification. (Had to give up on the /11 part, but that was just a performance optimization.) XAES-256-GCM is an...

Federal Reserve “breached” data may actually belong to Evolve Bank

A shockwave went through the financial world when ransomware group LockBit claimed to have breached the US Federal Reserve, the central banking system of the United States. On LockBit's dark web leak site, the group threatened to release over 30 TB of banking information containing Americans'...

Practical Guidance For Securing Your Software Supply Chain

The heightened regulatory and legal pressure on software-producing organizations to secure their supply chains and ensure the integrity of their software should come as no surprise. In the last several years, the software supply chain has become an increasingly attractive target for attackers who.....

Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Summary IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities listed herein. Vulnerability Details ** CVEID: CVE-2023-49569 DESCRIPTION: **go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the...

New Medusa Android Trojan Targets Banking Users Across 7 Countries

Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through...

CVE-2024-4869

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2024-4869

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

Automad 2.0.0-alpha.4 Cross Site Scripting

...

Progress Software Corporation WhatsUp Gold AppProfileImport path traversal vulnerability

Talos Vulnerability Report TALOS-2024-1932 Progress Software Corporation WhatsUp Gold AppProfileImport path traversal vulnerability June 26, 2024 CVE Number CVE-2024-5017 SUMMARY A path traversal vulnerability exists in the AppProfileImport functionality of Progress Software Corporation WhatsUp...

Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)

...

SolarWinds Platform 2024.1 SR1 Race Condition

...

SolarWinds Platform 2024.1 SR1 - Race Condition

...

Progress Software Corporation WhatsUp Gold TestController multiple information disclosure vulnerabilities

Talos Vulnerability Report TALOS-2024-1933 Progress Software Corporation WhatsUp Gold TestController multiple information disclosure vulnerabilities June 26, 2024 CVE Number CVE-2024-5010 SUMMARY An information disclosure vulnerability exists in the TestController functionality of Progress...

CVE-2024-4869 WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2024-4869 WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2024-30112

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials...

CVE-2024-30112

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials...

CVE-2024-30112 HCL Connections is vulnerable to a cross-site scripting (XSS) vulnerability

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials...

CVE-2024-30112 HCL Connections is vulnerable to a cross-site scripting (XSS) vulnerability

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials...

Security Bulletin: This Power System update is being released to address CVE-2023-45857

Summary This affects the BMC's ASMi web application. Vulnerability Details ** CVEID: CVE-2023-45857 DESCRIPTION: **Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By inserting the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value.....

From Top Dogs to Unified Pack

Embracing a consolidated security ecosystem Authored by Ralph Wascow Cybersecurity is as unpredictable as it is rewarding. Each day often presents a new set of challenges and responsibilities, particularly as organizations accelerate digital transformation efforts. This means you and your cyber...

Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 275. Vulnerability Details ** CVEID: CVE-2023-3978 DESCRIPTION: **Golang html package is vulnerable to cross-site scripting, caused by improper validation of...

Security Bulletin: IBM Observability with Instana (OnPrem) is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana (OnPrem) build 275. Vulnerability Details ** CVEID: CVE-2023-43804 DESCRIPTION: **urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not.....

Security Bulletin: IBM Event Streams is vulnerable to a cross-site request forgery due to the Axios component (CVE-2023-45857).

Summary IBM Event Streams is vulnerable to XSS vulnerability due to Axios component . Axios is a promise-based HTTP library that lets developers make requests to either their own or a third-party server to fetch data. Vulnerability Details ** CVEID: CVE-2023-45857 DESCRIPTION: **Axios is...

EulerOS 2.0 SP11 : golang (EulerOS-SA-2024-1835)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This...

EulerOS 2.0 SP11 : golang (EulerOS-SA-2024-1814)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This...

Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1814)

The remote host is missing an update for the Huawei...

Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1835)

The remote host is missing an update for the Huawei...

Essential Strategies to Secure Your Web Applications and APIs in a Modern Application Development World

In today’s interconnected digital world, the role of web applications and APIs has become central to business operations, acting as gateways to vast amounts of valuable data and services. However, their widespread use and accessibility make them prime targets for cybercriminals, posing substantial....

CVE-2024-33278

Buffer Overflow vulnerability in ASUS router RT-AX88U with firmware versions v3.0.0.4.388_24198 allows a remote attacker to execute arbitrary code via the connection_state_machine due to improper length validation for the cookie...

CVE-2024-33278

Buffer Overflow vulnerability in ASUS router RT-AX88U with firmware versions v3.0.0.4.388_24198 allows a remote attacker to execute arbitrary code via the connection_state_machine due to improper length validation for the cookie...

CVE-2024-4839

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl...

CVE-2024-4839

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl...

CVE-2024-4839 CSRF in Servers Configurations in parisneo/lollms-webui

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl...

CVE-2024-33278

Buffer Overflow vulnerability in ASUS router RT-AX88U with firmware versions v3.0.0.4.388_24198 allows a remote attacker to execute arbitrary code via the connection_state_machine due to improper length validation for the cookie...

CVE-2024-33278

Buffer Overflow vulnerability in ASUS router RT-AX88U with firmware versions v3.0.0.4.388_24198 allows a remote attacker to execute arbitrary code via the connection_state_machine due to improper length validation for the cookie...

Amazon Linux 2 : php (ALASPHP8.1-2024-005)

The version of php installed on the remote host is prior to 8.1.29-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2PHP8.1-2024-005 advisory. The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default),...

Student Attendance Management System 1.0 SQL Injection

...

Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

...

Edu-Sharing Arbitrary File Upload

...

Exploit for CVE-2024-31982

CVE-2024-31982...

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2135-1)

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2135-1 advisory. The SUSE Linux Enterprise 15 SP6 Azure kernel was updated to receive various security bugfixes. The following...

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Node.js ( CVE-2023-44487, CVE-2023-45143 )

Summary Potential vulnerabilities in Node.js related to the VM component ( CVE-2023-44487, CVE-2023-45143 ) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details.....

Exploit for CVE-2024-37759

CVE-2024-37759 PoC Description DataGear version 5.0.0...

PCI DSS 4.0.1: New Clarifications on Client-Side Security – What You Need to Know

As a leading provider of web application and API security solutions, Imperva is committed to helping merchants, payment processors, and anyone seeking to comply with the latest PCI DSS requirements. We previously discussed the changes introduced in PCI DSS 4.0. This blog will cover the...

PCI DSS v4.0: What You Need to Know and What the End of v3.2.1 Means for the Future of Digital Payments

On March 31st, 2024, The Payments Card Industry Standards Security Council (PCI SSC) officially retired version 3.2.1 of the PCI Data Security Standard (PCI DSS) with the publication of its new sets of protocols and security standards for v4.0. With the continued rise in cyber threats against...

Secure Your Containerized Environments with Qualys Containerized Scanner Appliance (QCSA)

IT has undergone a series of significant shifts over the years, from physical infrastructure to virtual, and how infrastructure was managed and maintained. This shift led IT through the digital transformation era, introducing various types of clouds and “As-a-Service” models. Although...

TikTok facing fresh lawsuit in US over children&#8217;s privacy

The Federal Trade Commission (FTC) has announced it's referred a complaint against TikTok and parent company ByteDance to the Department of Justice. The investigation originally focused on Musical.ly which was acquired by ByteDance on November 10, 2017, and merged it into TikTok. The FTC started a....