Accordion & FAQ Security Vulnerabilities

mskb

April 9, 2024-KB5036620 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 22H2 and Windows 11, version 23H2

April 9, 2024-KB5036620 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 22H2 and Windows 11, version 23H2 Release Date: April 9, 2024 Version: .NET Framework 3.5 and 4.8.1 The April 9, 2024 update for Windows 11, version 22H2 and Windows 11, version 23H2 includes...

8.2 AI Score

0.0004 EPSS

2024-04-09 07:00 AM
64
mskb

April 9, 2024—KB5036969 (Monthly Rollup)

April 9, 2024—KB5036969 (Monthly Rollup) Important The installation of this Extended Security Update (ESU) might fail when you try to install it on an Azure Arc-enabled device that is running Windows Server 2012. For a successful installation, please make sure all Subset of endpoints for ESU only.....

8.1 AI Score

0.001 EPSS

2024-04-09 07:00 AM
32
mskb

April 9, 2024-KB5037037 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 11, version 21H2

April 9, 2024-KB5037037 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 11, version 21H2 Release Date: April 9, 2024 Version: .NET Framework 3.5, 4.8 and 4.8.1 Summary This article describes the security and cumulative update for 3.5, 4.8 and 4.8.1 for Windows 11, version...

8.2 AI Score

0.0004 EPSS

2024-04-09 07:00 AM
9
mskb

KB5036335 - Description of the security update for SQL Server 2019 CU25: April 9, 2024

KB5036335 - Description of the security update for SQL Server 2019 CU25: April 9, 2024 Summary How to obtain and install the update How to obtain or download the latest cumulative update package for Linux More information File information Information about protection and security Summary This...

7.7 AI Score

0.001 EPSS

2024-04-09 07:00 AM
44
mskb

Description of the security update for Microsoft ODBC Driver 18 for SQL Server: April 9, 2024

Description of the security update for Microsoft ODBC Driver 18 for SQL Server: April 9, 2024 Summary This security update contains a fix and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories: CVE-2024-28929 - Microsoft ODBC Driver for SQL...

8.1 AI Score

0.001 EPSS

2024-04-09 07:00 AM
54
mskb

April 9, 2024-KB5036609 Cumulative Update for .NET Framework 4.8 for Windows 10, version 1607 and Windows Server 2016

April 9, 2024-KB5036609 Cumulative Update for .NET Framework 4.8 for Windows 10, version 1607 and Windows Server 2016 Release Date: April 9, 2024 Version: .NET Framework 4.8 The April 9, 2024 update for Windows 10, version 1607 and Windows Server 2016 includes security and cumulative reliability...

8.2 AI Score

0.0004 EPSS

2024-04-09 07:00 AM
69
mskb

Description of the security update for Microsoft OLE DB Driver 19 for SQL Server: April 9, 2024

Description of the security update for Microsoft OLE DB Driver 19 for SQL Server: April 9, 2024 Summary This security update contains a fix and resolves vulnerabilities. To learn more about the vulnerabilities, see the following security advisories: CVE-2024-28906 - Microsoft OLE DB Driver for...

8.1 AI Score

0.001 EPSS

2024-04-09 07:00 AM
73
mskb

Description of the security update for SharePoint Enterprise Server 2016: April 9, 2024 (KB5002583)

Description of the security update for SharePoint Enterprise Server 2016: April 9, 2024 (KB5002583) Summary This security update resolves a Microsoft SharePoint Server spoofing vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2024-26251......

7 AI Score

0.001 EPSS

2024-04-09 07:00 AM
12
mskb

April 9, 2024-KB5037034 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10, version 1809 and Windows Server 2019

April 9, 2024-KB5037034 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10, version 1809 and Windows Server 2019 Release Date: April 9, 2024 Version: .NET Framework 3.5, 4.7.2 and 4.8 Summary This article describes the security and cumulative update for 3.5, 4.7.2 and 4.8 for...

8.2 AI Score

0.0004 EPSS

2024-04-09 07:00 AM
171
mskb

KB5035434 - Description of the security update for SQL Server 2019 GDR: April 9, 2024

KB5035434 - Description of the security update for SQL Server 2019 GDR: April 9, 2024 Summary How to obtain and install the update More information File information Information about protection and security Summary This security update contains a fix and resolves vulnerabilities. To learn more...

7.7 AI Score

0.001 EPSS

2024-04-09 07:00 AM
37
mskb

KB5036343 - Description of the security update for SQL Server 2022 CU12: April 9, 2024

KB5036343 - Description of the security update for SQL Server 2022 CU12: April 9, 2024 Summary How to obtain and install the update How to obtain or download the latest cumulative update package for Linux More information File information Information about protection and security Summary This...

7.5 AI Score

0.001 EPSS

2024-04-09 07:00 AM
14
mskb

April 9, 2024-KB5037033 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows Server 2022

April 9, 2024-KB5037033 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows Server 2022 Release Date: April 9, 2024 Version: .NET Framework 3.5, 4.8 and 4.8.1 Summary This article describes the security and cumulative update for 3.5, 4.8 and 4.8.1 for Windows Server 2022. **...

8.2 AI Score

0.0004 EPSS

2024-04-09 07:00 AM
74
mskb

April 9, 2024-Security Only Update for .NET Framework 3.5.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2008 R2 SP1 (KB5037127)

April 9, 2024-Security Only Update for .NET Framework 3.5.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2008 R2 SP1 (KB5037127) Applies to: Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.6.2 Microsoft .NET Framework 4.7 Microsoft .NET Framework 4.7.1 Microsoft .NET Framework 4.7.2....

8 AI Score

0.0004 EPSS

2024-04-09 07:00 AM
9
mskb

April 9, 2024-KB5037087 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Azure Stack HCI, version 22H2

April 9, 2024-KB5037087 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Azure Stack HCI, version 22H2 Release Date: April 9, 2024 Version: .NET Framework 3.5, 4.8 and 4.8.1 Summary This article describes the security and cumulative update for 3.5, 4.8 and 4.8.1 for Azure Stack HCI,...

8.2 AI Score

0.0004 EPSS

2024-04-09 12:00 AM
16
mskb

April 9, 2024-KB5036617 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Microsoft server operating system, version 23H2

April 9, 2024-KB5036617 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Microsoft server operating system, version 23H2 Release Date: April 9, 2024 Version: .NET Framework 3.5 and 4.8.1 The April 9, 2024 update for Microsoft server operating system, version 23H2 includes security and...

8.2 AI Score

0.0004 EPSS

2024-04-09 12:00 AM
7
debian

[SECURITY] [DSA 5655-1] cockpit security update

Debian Security Advisory DSA-5655-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 04, 2024 https://www.debian.org/security/faq Package : cockpit CVE ID : CVE-2024-2947 It was discovered...

7.3 CVSS

7.2 AI Score

0.0004 EPSS

2024-04-04 06:58 PM
5
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 25, 2024 to March 31, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 405 vulnerabilities disclosed in 320...

10 CVSS

9.7 AI Score

0.0004 EPSS

2024-04-04 05:35 PM
39
debian

[SECURITY] [DSA 5654-1] chromium security update

Debian Security Advisory DSA-5654-1 [email protected] https://www.debian.org/security/ Andres Salomon April 03, 2024 https://www.debian.org/security/faq Package : chromium CVE ID : CVE-2024-3156 CVE-2024-3158...

8.8 CVSS

7.7 AI Score

0.001 EPSS

2024-04-03 07:36 PM
12
debian

[SECURITY] [DSA 5653-1] gtkwave security update

Debian Security Advisory DSA-5653-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 03, 2024 https://www.debian.org/security/faq Package : gtkwave CVE ID : CVE-2023-32650 CVE-2023-34087...

7.8 CVSS

7.8 AI Score

0.001 EPSS

2024-04-03 06:58 PM
18
debian

[SECURITY] [DSA 5652-1] py7zr security update

Debian Security Advisory DSA-5652-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 02, 2024 https://www.debian.org/security/faq Package : py7zr CVE ID : CVE-2022-44900 A directory...

9.1 CVSS

6.4 AI Score

0.008 EPSS

2024-04-02 06:01 PM
7
nessus

Microsoft Windows 8 SEoL

Microsoft Windows 8 is no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security...

7.4 AI Score

2024-04-02 12:00 AM
4
openvas

Tukaani Project XZ Utils Backdoor (Feb/Mar 2024)

The XZ Utils of the Tukaani Project have been backdoored by an unknown threat actor in February and March...

9.8 AI Score

0.133 EPSS

2024-04-02 12:00 AM
5
cve

CVE-2024-31123

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDorado SpiderFAQ allows Reflected XSS. This issue affects SpiderFAQ: from n/a through...

7.1 CVSS

7.4 AI Score

0.0004 EPSS

2024-03-31 07:15 PM
25
debian

[SECURITY] [DSA 5651-1] mediawiki security update

Debian Security Advisory DSA-5651-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 31, 2024 https://www.debian.org/security/faq Package : mediawiki CVE ID : not yet available Two security...

6.4 AI Score

2024-03-31 07:14 PM
3
debian

[SECURITY] [DSA 5650-1] util-linux security update

Debian Security Advisory DSA-5650-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 31, 2024 https://www.debian.org/security/faq Package : util-linux CVE ID : CVE-2024-28085 Debian Bug ...

6.7 AI Score

0.0005 EPSS

2024-03-31 11:50 AM
62
debian

[SECURITY] [DSA 5649-1] xz-utils security update

Debian Security Advisory DSA-5649-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso March 29, 2024 https://www.debian.org/security/faq Package : xz-utils CVE ID : CVE-2024-3094 Andres Freund...

10 CVSS

6.7 AI Score

0.133 EPSS

2024-03-29 04:10 PM
25
debian

[SECURITY] [DSA 5648-1] chromium security update

Debian Security Advisory DSA-5648-1 [email protected] https://www.debian.org/security/ Andres Salomon March 28, 2024 https://www.debian.org/security/faq Package : chromium CVE ID : CVE-2024-2625 CVE-2024-2626...

8.8 CVSS

7.3 AI Score

0.001 EPSS

2024-03-29 01:42 AM
9
cve

CVE-2024-27719

A cross site scripting (XSS) vulnerability in rems FAQ Management System v.1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the Frequently Asked Question field in the Add FAQ...

5.7 AI Score

0.0004 EPSS

2024-03-28 07:15 PM
26
cve

CVE-2024-27775

SysAid before version 23.2.14 b18 - CWE-918: Server-Side Request Forgery (SSRF) may allow exposing the local OS user's NTLMv2...

7.2 CVSS

7.3 AI Score

0.0004 EPSS

2024-03-28 01:15 PM
29
cvelist

CVE-2024-27719

A cross site scripting (XSS) vulnerability in rems FAQ Management System v.1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the Frequently Asked Question field in the Add FAQ...

5.4 AI Score

0.0004 EPSS

2024-03-28 12:00 AM
1
ubuntucve

CVE-2023-42956

The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2. Processing web content may lead to a denial-of-service. Notes Author| Note ---|--- jdstrand | webkit receives limited support. For details, see...

7.6 AI Score

0.001 EPSS

2024-03-28 12:00 AM
16
ubuntucve

CVE-2023-42950

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 17.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2, watchOS 10.2, macOS Sonoma 14.2. Processing maliciously crafted web content may lead to arbitrary code execution. Notes Author| Note ---|--- jdstrand |...

8.5 AI Score

0.001 EPSS

2024-03-28 12:00 AM
12
amazon

Important: thunderbird

Issue Overview: AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters() could have experienced integer overflows, causing underallocation of an output buffer leading to an out of bounds write. This vulnerability affects Firefox < 124, Firefox ESR < 115.9...

8.6 AI Score

0.0004 EPSS

2024-03-27 09:32 PM
10
amazon

Important: squid

Issue Overview: A flaw was found in squid. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements...

7.4 AI Score

0.034 EPSS

2024-03-27 09:32 PM
7
amazon

Medium: openssh

Issue Overview: In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a....

7.4 AI Score

0.003 EPSS

2024-03-27 09:32 PM
13
amazon

Medium: python-pillow

Issue Overview: An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw...

7.2 AI Score

0.001 EPSS

2024-03-27 09:32 PM
10
amazon

Medium: python-jwcrypto

Issue Overview: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a...

6.8 AI Score

0.0004 EPSS

2024-03-27 09:32 PM
6
osv

CVE-2024-29196

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in...

6.8 AI Score

0.0004 EPSS

2024-03-26 03:15 AM
cve

CVE-2024-29196

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in...

3.8 CVSS

7.1 AI Score

0.0004 EPSS

2024-03-26 03:15 AM
31
cvelist

CVE-2024-29196 phpMyFAQ Path Traversal in Attachments

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in...

6.4 AI Score

0.0004 EPSS

2024-03-26 03:01 AM
ubuntucve

CVE-2024-42950

Notes Author| Note ---|--- jdstrand | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8 mdeslaur | It is no longer possible to build new webkit2gtk versions on focal and earlier. Marking...

7.2 AI Score

2024-03-26 12:00 AM
6
ubuntucve

CVE-2024-42843

Notes Author| Note ---|--- jdstrand | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8 mdeslaur | It is no longer possible to build new webkit2gtk versions on focal and earlier. Marking...

7.2 AI Score

2024-03-26 12:00 AM
8
openvas

phpMyFAQ < 3.2.6 Multiple Vulnerabilities

phpMyFAQ is prone to multiple...

6.9 AI Score

0.0004 EPSS

2024-03-26 12:00 AM
3
ubuntucve

CVE-2024-42956

Notes Author| Note ---|--- jdstrand | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8 mdeslaur | It is no longer possible to build new webkit2gtk versions on focal and earlier. Marking...

7.2 AI Score

2024-03-26 12:00 AM
2
cve

CVE-2024-29179

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS...

4.3 CVSS

6.5 AI Score

0.0004 EPSS

2024-03-25 09:15 PM
29
cvelist

CVE-2024-29179 phpMyFAQ Stored Cross-site Scripting at File Attachments

phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS...

6.1 AI Score

0.0004 EPSS

2024-03-25 08:27 PM
2
osv

phpMyFAQ Stored Cross-site Scripting at FAQ News Content

Summary By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. PoC Edit a FAQ news, intercept the request and modify the news parameter in the POST body with the following...

6.7 AI Score

0.0004 EPSS

2024-03-25 07:45 PM
7
github

phpMyFAQ Stored Cross-site Scripting at FAQ News Content

Summary By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. PoC Edit a FAQ news, intercept the request and modify the news parameter in the POST body with the following...

6.5 AI Score

0.0004 EPSS

2024-03-25 07:45 PM
6
osv

phpMyFAQ SQL injections at insertentry & saveentry

Summary A SQL injection vulnerability has been discovered in the insertentry & saveentry when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over...

9.4 AI Score

0.0004 EPSS

2024-03-25 07:45 PM
9
github

phpMyFAQ SQL injections at insertentry & saveentry

Summary A SQL injection vulnerability has been discovered in the insertentry & saveentry when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over...

9.1 AI Score

0.0004 EPSS

2024-03-25 07:45 PM
6
Total number of security vulnerabilities: 19879