GHSA-JP4G-R8C9-3534 Moodle Blind SSRF Risk in /badges/mybackpack.php

A flaw was found in Moodle versions 3.1 to 3.1.15 and earlier unsupported versions. The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page...

GHSA-236H-R3W7-C85C Cross-site Scripting in Apache Atlas

Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found vulnerable to Stored Cross-Site Scripting in the edit-tag functionality...

Moodle vulnerable to Cross-site Scripting

Multiple cross-site scripting XSS vulnerabilities in the course-tags functionality in tag/coursetagsmore.php in Moodle 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via the 1 sort or 2 show parameter...

GHSA-3RQJ-JCHW-9CC7 Moodle Authentication Bypass in Question-Bank

The question-bank functionality in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass intended capability requirements and save questions via a savequestion action...

Moodle Users Can Bypass Deleted Status

The webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token...

GHSA-CR78-RPHW-W73P Moodle Arbitrary File Read via Backup Functionality

The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration...

Moodle Arbitrary File Read via Backup Functionality

The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration...

CVE-2022-26782

Multiple improper input validation vulnerabilities exists in the libnvram.so nvramimport functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted file can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.An improper input...

CVE-2022-26085

InRouter302 (InHand Networks) V3.5.4 contains an OS command injection in the httpd wlscan_ASP function. TALOS-2022-1473 documents that an authenticated HTTP request can trigger arbitrary command execution via the wlscan_ASP path, using nvram-derived values and popen to execute system commands. CV...

CVE-2022-25172

An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the sessi...

CVE-2022-29855

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 5.1.0.8016 and earlier, and 6.0 6.0.0.368 through 6.1 HF4 6.1.0.165, could allow a unauthenticated...

RUSTSEC-2022-0024 double-checked-cell is unmaintained

The author recommends switching to oncecell, which offers a superset of the functionality...

double-checked-cell is unmaintained

The author recommends switching to oncecell, which offers a superset of the functionality...

CVE-2022-24044

The CVE-2022-24044 entry affects Siemens Desigo DXR2, PXC3, PXC4 and PXC5 controllers. Root cause: the login functionality lacks protection against Password Spraying/Credential Stuffing, enabling an attacker to enumerate valid usernames and then perform targeted login attempts to gain access to a...

SUSE: Security Advisory (SUSE-SU-2022:1582-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

SUSE-SU-2022:1577-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: This update contains the Firefox Extended Support Release 91.1.0 ESR. Fixed: Various stability, functionality, and security fixes MFSA 2021-40 bsc1190269, bsc1190274: CVE-2021-38492: Navigating to mk: URL scheme could load Internet Explor...

The Gravity.sol should have pause/unpause functionality

Lines of code Vulnerability details Impact In case a hack is occuring or an exploit is discovered, the team or validators in this case should be able to pause functionality until the necessary changes are made to the system. Additionally, the gravity.sol contract should be manged by proxy so that...

NewStart CGSL MAIN 6.02 : webkit2gtk3 Multiple Vulnerabilities (NS-SA-2022-0048)

The remote NewStart CGSL host, running version MAIN 6.02, has webkit2gtk3 packages installed that are affected by multiple vulnerabilities: - A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free...

[SECURITY] Fedora 36 Update: wavpack-5.4.0-5.fc36

WavPack is a completely open audio compression format providing lossless, high-quality lossy, and a unique hybrid compression mode. Although the technology is loosely based on previous versions of WavPack, the new version 4 format has been designed from the ground up to offer unparalleled...

NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks

The National Institute of Standards and Technology NIST on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector. "It encourages organizations to consider the vulnerabilities not only of a finished produ...