Tag
#vulnerability
Since joining the Common Vulnerabilities and Exposures (CVE) Program in 2002, Red Hat has been committed to excellence, growth and innovation in product security. Today, we’re pleased to announce that Red Hat is now a CVE Numbering Authority of Last Resort (CNA-LR), a prestigious recognition of our leadership, expertise and continued commitment to industry advancement. This achievement is a testament to Red Hat’s dedication and a significant success for the entire open source software (OSS) community of which we are proud to be a part. Red Hat’s role as a CNA remains, with the company bei
Cloud “container” defenses have inconsistencies that can give attackers too much access. A new company, Edera, is taking on that challenge and the problem of the male-dominated startup world.
### Impact
The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user.

### Patches
The vulnerability has been patched in matrix-appservice-irc version 3.0.4.

### For more information
If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).
Cybersecurity threats in crypto are rising, from the Bybit hack to fake wallets stealing funds. Learn how to…
> [!NOTE]
> This advisory was originally emailed to community@solidjs.com by @nsysean.

To sum it up, the use of JavaScript's `.replace()` opens the door to potential XSS vulnerabilities through the special replacement patterns beginning with `$`. In particular, when the attributes of the `Meta` tag from solid-meta are user-defined, attackers can use the special replacement patterns, either `$'` or `` $` ``, to achieve XSS. The solid-meta package has this issue since it uses `useAffect` and context providers, which inject the used assets into the HTML header. "dom-expressions" uses `.replace()` to insert the assets, which is vulnerable to the special replacement patterns listed above. This effectively means that if the attributes of an asset tag contained user-controlled data, it would be vulnerable to XSS. For instance, there might be meta tags for the Open Graph protocol in a user profile page, but if attackers set the user query to some payload abusing `.replace()`, then they could execute a...
### Impact
Only users who have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `LTI13Authenticator`, which was introduced in `jupyterhub-ltiauthenticator` 1.3.0, wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.

### Patches
None.

### Workarounds
None.

### References
- [This code segment](https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164) didn't validate a JWT signature.
1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Rockwell Automation
- Equipment: PowerFlex 755
- Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in exposure of sensitive data.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of PowerFlex 755, a motor application control drive software, is affected:
- PowerFlex 755: Versions 16.002.279 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
The affected version of the product is vulnerable to credential exposure due to using HTTP, resulting in credentials being sent in clear text. This can allow sensitive data to be sniffed and captured by an attacker. CVE-2025-0631 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). A CVSS v...
An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED.
February Linux Patch Wednesday. There are 561 vulnerabilities in total. 338 in Linux Kernel. Formally, there is one vulnerability with a sign of exploitation in the wild: RCE – 7-Zip (CVE-2025-0411). But it is about Windows MoTW and, naturally, is not exploitable on Linux. There are public exploits for 21 vulnerabilities. Among them there are […]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2017-3066 (CVSS score: 9.8) - A deserialization vulnerability impacting