Website Optimization – Plerdy Security Vulnerabilities

cvelist

CVE-2023-25706 WordPress Robots.txt optimization plugin <= 1.4.5 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Pagup WordPress Robots.Txt optimization plugin <= 1.4.5...

5.4 CVSS

6.8 AI Score

0.0005 EPSS

2023-07-11 12:19 PM
spring

Azure Spring Apps Enterprise – More Power, Scalability & Extended Spring Boot Support

Can you believe Spring is celebrating its 20th anniversary this year? We could not have gotten here without our millions of Spring developers across the globe, thank you! Spring has been an essential tool for Java developers, and it continues to grow and innovate at a fast pace. From the onset,...

6.5 AI Score

2023-07-11 12:00 AM
5
code423n4

Implementation of Well shift() function allows attackers to completely manipulate the oracles

Lines of code Vulnerability details Description The TWAP mechanism relies on measurements sent to the oracle at various points in time. Before reserve counts change, the TWAP is sent the last reserve counts, which are multiplied by the time passed and added to the accumulator. In MultiFlowPump, it...

6.8 AI Score

2023-07-10 12:00 AM
5
code423n4

A malicious user can steal a reserved token by using the shift() function of Well.sol if liquidity was added to the well unsafely with a zero amount of one of the tokens.

Lines of code https://github.com/code-423n4/2023-07-basin/blob/main/src/Well.sol#L352-L377 https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L49-L54 https://github.com/code-423n4/2023-07-basin/blob/main/src/functions/ConstantProduct2.sol#L58-L67 Vulnerability...

6.6 AI Score

2023-07-10 12:00 AM
7
code423n4

TWAP can be easily manipulated by attacker through the sync() function, causing loss of funds

Lines of code Vulnerability details Description Please refer to the issue titled "Implementation of Well shift() function allows attackers to completely manipulate the oracles" for relevant introduction and context. The safety of the TWAP relies on calling the observation function (update()) with...

6.9 AI Score

2023-07-10 12:00 AM
7
code423n4

Pump is not updated in shift function

Lines of code Vulnerability details Impact According to comments in the Well contract, the _updatePumps function "Fetches the current token reserves of the Well and updates the Pumps. Typically called before an operation that modifies the Well's reserves." In functions like swap, add/remove liquidity...

6.5 AI Score

2023-07-10 12:00 AM
2
malwarebytes

Solar monitoring systems exposed: Secure your devices

Researchers who go looking for devices exposed to the Internet report "tens of thousands" of solar photovoltaic (PV) monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting. No fewer than...

9.8 CVSS

7.3 AI Score

0.966 EPSS

2023-07-06 07:30 PM
11
ibm

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-35890)

Summary IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera,...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2023-07-04 05:56 PM
9
nessus

EulerOS 2.0 SP11 : git (EulerOS-SA-2023-2265)

According to the versions of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7,...

7.5 CVSS

7 AI Score

0.001 EPSS

2023-07-04 12:00 AM
7
openvas

Huawei EulerOS: Security Advisory for git (EulerOS-SA-2023-2289)

The remote host is missing an update for the Huawei...

7.5 CVSS

7.1 AI Score

0.001 EPSS

2023-07-04 12:00 AM
4
nessus

EulerOS 2.0 SP11 : git (EulerOS-SA-2023-2289)

According to the versions of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7,...

7.5 CVSS

7 AI Score

0.001 EPSS

2023-07-04 12:00 AM
7
openvas

Huawei EulerOS: Security Advisory for git (EulerOS-SA-2023-2265)

The remote host is missing an update for the Huawei...

7.5 CVSS

7.1 AI Score

0.001 EPSS

2023-07-04 12:00 AM
7
krebs

Who’s Behind the DomainNetworks Snail Mail Scam?

If you've ever owned a domain name, the chances are good that at some point you've received a snail mail letter which appears to be a bill for a domain or website-related services. In reality, these misleading missives try to trick people into paying for useless services they never ordered, don't...

6.9 AI Score

2023-07-03 02:56 PM
10
ibm

Security Bulletin: IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to a xml2js vulnerability (CVE-2023-0842)

Summary xml2js is used in IBM Decision Optimization in IBM Cloud Pak for Data. IBM Decision Optimization in IBM Cloud Pak for Data has addressed the reported vulnerability. Vulnerability Details CVEID: CVE-2023-0842 DESCRIPTION: xml2js could allow a remote attacker to execute arbitrary code...

5.3 CVSS

7.5 AI Score

0.001 EPSS

2023-06-29 01:30 PM
15
ibm

Security Bulletin: IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to OpenSSL denial of service (Cryptography package)

Summary There is a potential OpenSSL denial of service vulnerability in IBM Decision Optimization in IBM Cloud Pak for Data. IBM Decision Optimization in IBM Cloud Pak for Data has addressed the vulnerability. Vulnerability Details CVEID: CVE-2023-0286 DESCRIPTION: OpenSSL is vulnerable to a...

7.4 CVSS

6.7 AI Score

0.003 EPSS

2023-06-29 01:28 PM
18
ibm

Security Bulletin: IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to Golang Go vulnerability (PRISMA-2022-0270)

Summary Golang Go is used in IBM Decision Optimization in IBM Cloud Pak for Data. IBM Decision Optimization in IBM Cloud Pak for Data has addressed the reported vulnerability. Vulnerability Details IBM X-Force ID: 250518 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a...

6.1 AI Score

2023-06-29 01:25 PM
31
ibm

Security Bulletin: IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to YAML denial of service (CVE-2023-2251)

Summary YAML is used in IBM Decision Optimization in IBM Cloud Pak for Data. IBM Decision Optimization in IBM Cloud Pak for Data has addressed the reported vulnerability. Vulnerability Details CVEID: CVE-2023-2251 DESCRIPTION: YAML is vulnerable to a denial of service, caused by an uncaught...

7.5 CVSS

6.6 AI Score

0.001 EPSS

2023-06-29 01:24 PM
12
ibm

Security Bulletin: IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to a remote attacker to bypass security restrictions (CVE-2023-23931)

Summary PyPI cryptography package is used in IBM Decision Optimization in IBM Cloud Pak for Data. IBM Decision Optimization in IBM Cloud Pak for Data has addressed the reported vulnerability. Vulnerability Details CVEID: CVE-2023-23931 DESCRIPTION: PyPI cryptography package could allow a...

6.5 CVSS

6.8 AI Score

0.001 EPSS

2023-06-29 01:22 PM
17
fedora

[SECURITY] Fedora 38 Update: wabt-1.0.33-1.fc38

WABT (we pronounce it "wabbit") is a suite of tools for WebAssembly. These tools are intended for use in (or for development of) toolchains or other systems that want to manipulate WebAssembly files. Unlike the WebAssembly spec interpreter (which is written to be as simple, declarative and...

5.5 CVSS

5.4 AI Score

0.001 EPSS

2023-06-26 12:41 AM
4
openvas

Fedora: Security Advisory for wabt (FEDORA-2023-ab291ca614)

The remote host is missing an update for...

5.5 CVSS

5.5 AI Score

0.001 EPSS

2023-06-26 12:00 AM
3
thn

Generative-AI apps & ChatGPT: Potential risks and mitigation strategies

Losing sleep over Generative-AI apps? You're not alone or wrong. According to the Astrix Security Research Group, mid size organizations already have, on average, 54 Generative-AI integrations to core systems like Slack, GitHub and Google Workspace and this number is only expected to grow....

6.8 AI Score

2023-06-22 01:15 PM
15
ibm

Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Summary IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security...

9.8 CVSS

9.7 AI Score

0.022 EPSS

2023-06-16 03:20 PM
18
nessus

Fedora 37 : php (2023-2b7eeaaee5)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-2b7eeaaee5 advisory. PHP version 8.1.20 (08 Jun 2023) Core: * Fixed bug GH-9068 (Conditional jump or move depends on uninitialised value(s)). (nielsdos) * Fixed bug ...

6.8 AI Score

2023-06-16 12:00 AM
3
ics

Siemens TIA Portal

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |...

6.2 CVSS

6.8 AI Score

0.0004 EPSS

2023-06-15 12:00 PM
4
nessus

Fedora 38 : php (2023-2455981016)

The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-2455981016 advisory. PHP version 8.2.7 (08 Jun 2023) Core: * Fixed bug GH-11152 (Unable to alias namespaces containing reserved class names). (ilutov) * Fixed bug GH-9068...

6.8 AI Score

2023-06-14 12:00 AM
4
openvas

Huawei EulerOS: Security Advisory for git (EulerOS-SA-2023-2145)

The remote host is missing an update for the Huawei...

9.8 CVSS

8.4 AI Score

0.013 EPSS

2023-06-09 12:00 AM
8
nessus

EulerOS 2.0 SP5 : git (EulerOS-SA-2023-2145)

According to the versions of the git packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be...

9.8 CVSS

9.2 AI Score

0.013 EPSS

2023-06-09 12:00 AM
7
githubexploit

Exploit for Allocation of Resources Without Limits or Throttling in Openssl

OpenSSL 1.1.1g 21 Apr 2020 Copyright (c) 1998-2020 The...

6.5 CVSS

6.9 AI Score

0.001 EPSS

2023-06-05 05:40 PM
317
debiancve

CVE-2023-29548

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <...

6.5 CVSS

6.1 AI Score

0.001 EPSS

2023-06-02 05:15 PM
13
nvd

CVE-2023-29548

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <...

6.5 CVSS

6.7 AI Score

0.001 EPSS

2023-06-02 05:15 PM
1
alpinelinux

CVE-2023-29548

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <...

6.5 CVSS

7.1 AI Score

0.001 EPSS

2023-06-02 05:15 PM
8
cve

CVE-2023-29548

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <...

6.5 CVSS

6.6 AI Score

0.001 EPSS

2023-06-02 05:15 PM
73
prion

Design/Logic Flaw

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <...

6.5 CVSS

6.4 AI Score

0.001 EPSS

2023-06-02 05:15 PM
4
cvelist

CVE-2023-29548

A wrong lowering instruction in the ARM64 Ion compiler resulted in a wrong optimization result. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird <...

6.9 AI Score

0.001 EPSS

2023-06-02 12:00 AM
1
malwarebytes

CISA issues warning to US businesses: Beware of China's state-sponsored cyber actor

The US Cybersecurity and Infrastructure Security Agency (CISA) has an urgent message for US businesses: watch out for Volt Typhoon, a threat actor sponsored by the People's Republic of China (PRC). The agency's joint Cybersecurity Advisory (CSA) published last week highlights a cluster of tactics,...

7.1 AI Score

2023-05-31 11:45 AM
7
veracode

Use-After-Free

hermes-engine is vulnerable to Use-After-Free. When Hermes allows execution of untrusted JavaScript, an attacker is able to execute arbitrary code on the target system via a carefully crafted malicious payload, which is made possible due to a bytecode optimization bug that results in...

7.8 AI Score

0.004 EPSS

2023-05-31 07:58 AM
7
nessus

GLSA-202305-36 : Mozilla Thunderbird: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202305-36 (Mozilla Thunderbird: Multiple Vulnerabilities). matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can...

8.8 AI Score

0.003 EPSS

2023-05-30 12:00 AM
11
nessus

GLSA-202305-35 : Mozilla Firefox: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202305-35 (Mozilla Firefox: Multiple Vulnerabilities). An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. ...

9.1 AI Score

0.002 EPSS

2023-05-30 12:00 AM
3
nessus

Ubuntu 22.04 LTS / 23.04 : SpiderMonkey vulnerabilities (USN-6120-1)

The remote Ubuntu 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6120-1 advisory. Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment...

9.8 AI Score

0.002 EPSS

2023-05-30 12:00 AM
12
nessus

Rocky Linux 8 : git (RLSA-2023:3246)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:3246 advisory. Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7,...

8.2 AI Score

0.004 EPSS

2023-05-25 12:00 AM
8
malwarebytes

CISA updates ransomware guidance

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its #StopRansomware guide to account for the fact that ransomware actors have accelerated their tactics and techniques since the original guide was released in September of 2020. The #StopRansomware guide is set up as a...

7.5 AI Score

2023-05-24 05:00 AM
5
nessus

Oracle Linux 8 : git (ELSA-2023-3246)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-3246 advisory. Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7,...

7.5 AI Score

0.004 EPSS

2023-05-24 12:00 AM
16
nessus

Oracle Linux 8 : git (ELSA-2023-2859)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2859 advisory. Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is...

8.2 AI Score

0.011 EPSS

2023-05-24 12:00 AM
18
nessus

AlmaLinux 8 : git (ALSA-2023:3246)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:3246 advisory. Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7,...

7.6 AI Score

0.004 EPSS

2023-05-23 12:00 AM
6
nessus

Oracle Linux 9 : git (ELSA-2023-3245)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-3245 advisory. In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to...

7.4 AI Score

0.004 EPSS

2023-05-23 12:00 AM
16
nessus

AlmaLinux 9 : git (ALSA-2023:3245)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:3245 advisory. Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7,...

7.5 AI Score

0.004 EPSS

2023-05-23 12:00 AM
10
nessus

AlmaLinux 8 : git (ALSA-2023:2859)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:2859 advisory. Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where...

8.3 AI Score

0.011 EPSS

2023-05-20 12:00 AM
7
cve

CVE-2023-28081

A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause a use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted...

9.8 CVSS

9.6 AI Score

0.004 EPSS

2023-05-18 10:15 PM
16
nvd

CVE-2023-28081

A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause a use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted...

9.8 CVSS

9.6 AI Score

0.004 EPSS

2023-05-18 10:15 PM
osv

CVE-2023-28081

A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause a use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted...

9.8 CVSS

8 AI Score

0.004 EPSS

2023-05-18 10:15 PM
2
Total number of security vulnerabilities: 4835