PT-2024-15977 · WordPress · Pjw Mime Config

Name of the Vulnerable Software and Affected Versions: PJW Mime Config plugin for WordPress version 1.0 and earlier Description: The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input sanitization and output escaping. This allows authenticated attackers...

GLPI 跨站脚本漏洞

GLPI is an open source IT and asset management software from an individual developer. The software provides a full-featured IT resource management interface that you can use to build databases to fully manage IT computers, monitors, servers, printers, network devices, phones, and even toner and i...

chatwoot 跨站脚本漏洞

Chatwoot is a Chatwoot open source application. Customer Engagement Suite, an open source alternative to Intercom, Zendesk, Salesforce Service Cloud, and more. A cross-site scripting vulnerability exists in Chatwoot versions prior to 2.6.0, which stems from the presence of a stored cross-site...

PT-2024-10981 · Chatwoot · Chatwoot

Name of the Vulnerable Software and Affected Versions: chatwoot/chatwoot versions prior to 2.6 Description: A stored cross-site scripting XSS vulnerability was discovered, affecting the profile settings when a user uploads an SVG file containing a malicious XSS payload. When the avatar is opened ...

PT-2024-10982 · Chatwoot · Chatwoot

Name of the Vulnerable Software and Affected Versions: chatwoot/chatwoot versions prior to 2.5.0 Description: A Server-Side Request Forgery SSRF vulnerability was discovered, allowing an attacker to upload an SVG file containing a malicious SSRF payload. When the SVG file is used as an avatar and...

PT-2024-39611 · WordPress · The Exclusive Divi – Divi Preloader

Name of the Vulnerable Software and Affected Versions: The Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme plugin for WordPress versions up to, and including, 1.4 Description: The issue is related to Stored Cross-Site Scripting via SVG File uploads due to insufficient input...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS through the Create User process, which involves uploading a profile image. An attacker can exploit this by uploading a malicious SVG file containing a maliciously crafted script, which executes when the profile...

kernel: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

In the Linux kernel, the following vulnerability has been resolved: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline The absence of IRQDMOVEPCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next...

kernel: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

In the Linux kernel, the following vulnerability has been resolved: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline The absence of IRQDMOVEPCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next...

kernel: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

In the Linux kernel, the following vulnerability has been resolved: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline The absence of IRQDMOVEPCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next...

WordPress Aqua SVG Sprite plugin <= 3.0.14 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload vulnerability

Authenticated Author+ Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by Francesco Carlucci in WordPress Plugin Aqua SVG Sprite versions = 3.0.14...

openssl: POLY1305 MAC implementation corrupts vector registers on PowerPC

A flaw was found in in the POLY1305 MAC message authentication code implementation in OpenSSL, affecting applications running on PowerPC CPU-based platforms that utilize vector instructions, and has the potential to corrupt the internal state of these applications. If an attacker can manipulate t...

containers/image: digest type does not guarantee valid type

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks...

kernel: s390/crypto: use vector instructions only if available for ChaCha20

In the Linux kernel, the following vulnerability has been resolved: s390/crypto: use vector instructions only if available for ChaCha20 Commit 349d03ffd5f6 "crypto: s390 - add crypto library interface for ChaCha20" added a library interface to the s390 specific ChaCha20 implementation. However no...

hw: arm64/sme: Always exit sme_alloc() early with existing storage

In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Always exit smealloc early with existing storage When smealloc is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and corrupting the state. Fi...

kernel: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

In the Linux kernel, the following vulnerability has been resolved: genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline The absence of IRQDMOVEPCNTXT prevents immediate effectiveness of interrupt affinity reconfiguration via procfs. Instead, the change is deferred until the next...

kernel: powerpc/lib: Validate size for vector operations

A potential stack corruption flaw was found in arch/powerpc/lib/sstep.c in the Linux kernel. This may lead to compromised Confidentiality, Integrity, or Availability...

Adobe Illustrator 代码问题漏洞

Adobe Illustrator is a set of vector-based image creation software from the American company Audobee Adobe. A security vulnerability exists in Adobe Illustrator, which can be exploited by attackers to cause a denial of service in the application...

WordPress plugin JetWidgets For Elementor 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms

OpenSSL contains an issue in the POLY1305 MAC message authentication code implementation that might result in a corrupted internal application state. This flaw is only exploitable on PowerPC CPU based platforms if the CPU provides vector instructions PowerISA 2.07. The impact of the corrupted...