Monthly
Remote attackers can spoof client-mode Remote Connector Servers in PingIDM to intercept and modify identity security properties including passwords and account recovery information, due to insufficient access control granularity that prevents administrators from properly restricting RCS communications. This vulnerability affects PingIDM deployments using Remote Connector Servers in client mode and requires specific RCS configuration to be exploitable; no public exploit code has been identified at the time of analysis.
Device reload in Cisco APIC's Object Model CLI component allows authenticated local users to trigger a denial of service through insufficient input validation on crafted commands. An attacker with valid credentials and CLI access can exploit this vulnerability to crash the affected device, though no patch is currently available. This vulnerability affects systems where attackers can obtain legitimate user credentials with appropriate role permissions.
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. [CVSS 5.4 MEDIUM]
Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.
A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A privilege escalation flaw from host to domain administrator was found in FreeIPA. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level. Rated high severity (CVSS 7.5). No vendor patch available.
Remote attackers can spoof client-mode Remote Connector Servers in PingIDM to intercept and modify identity security properties including passwords and account recovery information, due to insufficient access control granularity that prevents administrators from properly restricting RCS communications. This vulnerability affects PingIDM deployments using Remote Connector Servers in client mode and requires specific RCS configuration to be exploitable; no public exploit code has been identified at the time of analysis.
Device reload in Cisco APIC's Object Model CLI component allows authenticated local users to trigger a denial of service through insufficient input validation on crafted commands. An attacker with valid credentials and CLI access can exploit this vulnerability to crash the affected device, though no patch is currently available. This vulnerability affects systems where attackers can obtain legitimate user credentials with appropriate role permissions.
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. [CVSS 5.4 MEDIUM]
Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control.
A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A privilege escalation flaw from host to domain administrator was found in FreeIPA. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper input validation in the system management mode (SMM) could allow a privileged attacker to overwrite arbitrary memory potentially resulting in arbitrary code execution at the SMM level. Rated high severity (CVSS 7.5). No vendor patch available.