Moderate: lua security update

The lua packages provide support for Lua, a powerful light-weight programming language designed for extending applications. Lua is also frequently used as a general-purpose, stand-alone language. Security Fixes: lua: use after free allows Sandbox Escape CVE-2021-44964 lua: stack overflow in...

PT-2023-2252 · Unknown · Nginx Proxy Manager

Name of the Vulnerable Software and Affected Versions: NginxProxyManager version 2.9.19 Description: An issue in NginxProxyManager allows an attacker to execute arbitrary code via a lua script to the configuration file. The vulnerability is related to the lack of data sanitization at the manageme...

K17157: Apache HTTP server vulnerability CVE-2015-0228

Security Advisory Description The luawebsocketread function in luarequest.c in the modlua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service child-process crash by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade...

K29735525: Apache HTTPD vulnerability CVE-2022-29404

Security Advisory Description In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody0 may cause a denial of service due to no default limit on possible input size. CVE-2022-29404 Impact There is no impact; F5 products are not affected by this...

SUSE CVE-2011-3360

Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory...

SUSE CVE-2014-5461

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service crash via a small number of arguments to a function with a large number of fixed arguments...

SUSE CVE-2015-0228

The luawebsocketread function in luarequest.c in the modlua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service child-process crash by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function...

SUSE CVE-2015-0844

The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before 1.12.2 allows remote attackers to read arbitrary files via a crafted 1 campaign or 2 map file...

SUSE CVE-2015-2939

Cross-site scripting XSS vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace...

SUSE CVE-2015-4335

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command...

SUSE CVE-2017-15631

TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-workmode variable in the pptpclient.lua file...

SUSE CVE-2018-6360

mpv through 0.28.0 allows remote attackers to execute arbitrary code via a crafted web site, because it reads HTML documents containing VIDEO elements, and accepts arbitrary URLs in a src attribute without a protocol whitelist in player/lua/ytdlhook.lua. For example, an av://lavfi:ladspa=file= UR...

SUSE CVE-2018-11219

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking...

SUSE CVE-2018-1999023

The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appear to be exploitable via Loading specially-crafted saved games, networked games, replays, and play...

SUSE CVE-2019-3806

An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua...

SUSE CVE-2019-6706

Lua 5.3.5 has a use-after-free in luaupvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships...

SUSE CVE-2019-20807

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces e.g., Python, Ruby, or Lua...

SUSE CVE-2020-11722

Dungeon Crawl Stone Soup aka DCSS or crawl before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file...

SUSE CVE-2020-14147

An integer overflow in the getnum function in luastruct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service memory corruption and application crash or possibly bypass intended sandbox restrictions via a large...

SUSE CVE-2020-15889

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members...