Friday Squid Blogging: Sunscreen from Squid Pigments
About Bruce Schneier I am a public-interest technologist, working at the intersection of...
Crypto exchange Gemini discloses third-party data breach
Cryptocurrency exchange Gemini is warning it suffered a data breach incident caused by a...
Google fixes Chrome Password Manager bug that hides credentials
Google has fixed a bug in Chrome's Password Manager that caused user credentials to...
FBCS data breach impact now reaches 4.2 million people
Debt collection agency Financial Business and Consumer Solutions has again increased the number...
CrowdStrike meets Murphy's Law: Anything that can go wrong will
Opinion CrowdStrike's recent Windows debacle will surely earn a prominent place in the...
Acronis warns of Cyber Infrastructure default password abused in attacks
Acronis warned customers to patch a critical Cyber Infrastructure security flaw that lets...
Vulnerabilities by Risk level (Last 12 months)
Vulnerabilities by Vendor (Last 12 months)
| Vendor | Last 12 months | # |
| 1049 | ||
| Microsoft | 826 | |
| Adobe | 619 | |
| Linux | 509 | |
| Fedoraproject | 449 |
Latest Vulnerabilities
-
-
CVE-2024-6589
8.8The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function....
networklow complexity -
CVE-2024-22444
6.1A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user...
-
CVE-2024-31970
8.8AdTran SRG 834-5 HDC17600021F1 devices (with SmartOS 11.1.1.1 and fixed in Version 12.1.3.1) have SSH enabled by default, accessible both over the LAN and the Internet. During a window of time...
networklow complexity -
CVE-2024-36541 - Incorrect Default Permissions vulnerability in Kube-Logging Logging-Operator 4.6.0
8.8Insecure permissions in logging-operator v4.6.0 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
Latest Critical Vulnerabilities
-
CVE-2024-40422 - Path Traversal vulnerability in Stitionai Devika 1.0
9.1The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to...
-
CVE-2024-41914
9.0A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against...
-
CVE-2024-38164
9.6An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.
-
CVE-2024-41319 - Command Injection vulnerability in Totolink A6000R Firmware 1.0.1B20201211.2000
9.8TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.
-
CVE-2024-26020
9.6An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary code execution. An attacker can send...
-
CVE-2024-37391 - Unspecified vulnerability in Proton Protonvpn
9.8ProtonVPN before 3.2.10 on Windows mishandles the drive installer path, which should use this: '"' + ExpandConstant('{autopf}\Proton\Drive') + '"' in Setup/setup.iss.
-
CVE-2024-41703 - Unspecified vulnerability in Librechat 0.7.4
9.8LibreChat through 0.7.4-rc1 has incorrect access control for message updates. (Work on a fixed version release has started in PR 3363.)
-
CVE-2024-41704 - Path Traversal vulnerability in Librechat 0.7.4
9.8LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. (Work on a fixed version release has started in PR 3363.)