
8229 matches found

BDU FSTEC
added 2022/05/23 12:0 a.m. · 4 views

The vulnerability in Adobe Character Animator, software for working with animations, consists of writing beyond the boundaries of a buffer in memory, which allows an attacker to execute arbitrary code.

The vulnerability in Adobe Character Animator, software for animating graphics, consists of reading data beyond the boundaries of a buffer in memory. Exploiting this vulnerability allows an attacker to execute arbitrary code in the context of the current user by means of a specially crafted SVG file...

CVSS 7.8 · AI score 7.8 · EPSS 0.02679
Exploits 0 · References 2 · Affected Software 2
Vulnrichment
added 2022/05/19 11:55 p.m. · 15 views

CVE-2022-21500

Vulnerability in Oracle E-Business Suite component: Manage Proxies. The supported version that is affected is 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can...

CVSS 7.5 · AI score 7.1 · EPSS 0.70589
Exploits 1 · References 2
Rockylinux
added 2022/05/17 7:11 a.m. · 11 views

new packages: perl-Bit-Vector

An update is available for perl-Bit-Vector. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. For detailed information on changes in this release, see the Rocky...

AI score 2.2
Exploits 0
Github Security Blog
added 2022/05/17 5:25 a.m. · 24 views

Elixir can leak information due to weak use of crypto

Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been attached to the initial advisory to mitigate this...

CVSS 4.3 · AI score 6.1 · EPSS 0.01667
Exploits 0 · References 9 · Affected Software 1
OSV
added 2022/05/17 5:25 a.m. · 3 views

GHSA-VFCG-5GGC-3RXX Elixir can leak information due to weak use of crypto

Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been attached to the initial advisory to mitigate this...

CVSS 8.7 · AI score 5.7 · EPSS 0.01667
Exploits 0 · References 8
OSV
added 2022/05/17 2:14 a.m. · 19 views

GHSA-6PVW-HH48-JX7P Craft CMS XSS Vulnerability

Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file...

CVSS 5.4 · AI score 5.2 · EPSS 0.02314
Exploits 1 · References 6
CNNVD
added 2022/05/17 12:0 a.m. · 5 views

IBM DataPower Gateway Resource Management Error Vulnerability

IBM DataPower Gateway is a set of security and integration platforms from IBM (USA) designed specifically for mobile, cloud, application programming interface (API), web, service-oriented architecture (SOA), B2B and cloud workloads. The platform protects, integrates, and optimizes access across channel...

CVSS 7.5 · AI score 5.7 · EPSS 0.0139
Exploits 0 · References 3
CNNVD
added 2022/05/17 12:0 a.m. · 3 views

Jirafeau Cross-Site Scripting Vulnerability

Jirafeau is a simple file upload application by the individual developer Jérôme Jutteau. A security vulnerability exists in Jirafeau versions prior to 4.4.0, which stems from a file preview feature, enabled by default, that can be used for cross-site scripting. An attacker could use this vulnerability t...

CVSS 6.1 · AI score 5.6 · EPSS 0.00535
Exploits 0 · References 2
Positive Technologies
added 2022/05/17 12:0 a.m. · 3 views

PT-2022-20005

Name of the Vulnerable Software and Affected Versions: Jirafeau versions prior to 4.4.0. Description: The file preview functionality in Jirafeau, which is enabled by default, could be exploited for cross-site scripting. An attacker could upload image/svg+xml files containing JavaScript. When someone...

CVSS 6.1 · AI score 6 · EPSS 0.00535
Exploits 0 · References 11
GitLab Advisory Database
added 2022/05/17 12:0 a.m. · 12 views

Elixir can leak information due to weak use of crypto

Elixir prior to and including 0.7.1 uses Blowfish in CFB mode without constructing a unique initialization vector (IV), which makes it easier for context-dependent users to obtain sensitive information and decrypt the database. A patch has been attached to the initial advisory to mitigate this...

CVSS 4.3 · AI score 6 · EPSS 0.01667
Exploits 0 · References 4 · Affected Software 1
ATTACKERKB
added 2022/05/16 2:15 p.m. · 2 views

CVE-2022-29351

An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here...

CVSS 9.8 · AI score 7.5 · EPSS 0.02409
Exploits 1 · References 5
CNVD
added 2022/05/16 12:0 a.m. · 17 views

MicroStrategy Web SDK Cross-Site Scripting Vulnerability (CNVD-2022-77860)

MicroStrategy Web SDK is a JavaScript library from MicroStrategy, Inc. It interacts with different CARTO APIs to build custom applications on top of deck.gl that utilize vector rendering. MicroStrategy Web SDK version 10.11 and earlier versions contain a cross-site scripting vulnerability that...

CVSS 4.3 · AI score 3.2 · EPSS 0.01448
Exploits 0 · Affected Software 1
Positive Technologies
added 2022/05/16 12:0 a.m. · 2 views

PT-2022-19557 · Unknown · Tiddlywiki5

Name of the Vulnerable Software and Affected Versions: Tiddlywiki5 version 5.2.2 Description: An arbitrary file upload vulnerability in the file upload module allows attackers to execute arbitrary code via a crafted SVG file. The vendor argues that this is not a legitimate issue and there is no...

CVSS 9.8 · AI score 7.8 · EPSS 0.02409
Exploits 1 · References 11
CNVD
added 2022/05/16 12:0 a.m. · 12 views

MicroStrategy Web SDK Cross-Site Scripting Vulnerability

MicroStrategy Web SDK is a JavaScript library from MicroStrategy, Inc. It interacts with different CARTO APIs to build custom applications that utilize vector rendering on top of deck.gl. A cross-site scripting vulnerability exists in MicroStrategy Web SDK 10.11 and prior versions, which stems from ...

CVSS 4.3 · AI score 3.8 · EPSS 0.01356
Exploits 0 · Affected Software 1
Github Security Blog
added 2022/05/14 1:17 a.m. · 22 views

Moodle SSRF Vulnerability

The editblog.php script allows a registered user to add external RSS feed resources. It was identified that this feature could be abused as an SSRF attack vector by adding a malicious URL/TCP port in order to target an internal network or an internet-hosted server, bypassing firewall rules...

CVSS 7.5 · AI score 7.3 · EPSS 0.01201
Exploits 0 · References 6 · Affected Software 1
Code423n4
added 2022/05/14 12:0 a.m. · 9 views

[WP-H0] Fake balances can be created for not-yet-existing ERC20 tokens, which allows attackers to set traps to steal funds from future users

Lines of code. Vulnerability details: function createVault(uint256 tokenIdOrAmount, address token, ...) external returns (uint256 vaultId) { ... Vault memory vault = Vault(...); // vault index should always be odd vaultIndex += 2; vaultId = vaultIndex; vaults[vaultId] = vault; // give msg.sender vault tok...

AI score 6.7
Exploits 0
OSV
added 2022/05/13 1:36 a.m. · 3 views

GHSA-R9Q2-3R6X-QMGP Inadequate Encryption Strength in Jenkins

Jenkins before versions 2.44 and 2.32.2 uses the AES ECB block cipher mode without an IV for encrypting secrets, which exposes Jenkins and the stored secrets to unnecessary risks (SECURITY-304)...

CVSS 4.3 · AI score 5.9 · EPSS 0.01098
Exploits 0 · References 5
OSV
added 2022/05/13 1:30 a.m. · 5 views

GHSA-CHG9-3C3P-CH23 Lemur uses static IV per key

Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode...

CVSS 8.7 · AI score 7.5 · EPSS 0.01509
Exploits 0 · References 7
CNNVD
added 2022/05/13 12:0 a.m. · 4 views

Merchandise Online Store Security Vulnerability

Merchandise Online Store is a merchandise online store system. A security vulnerability exists in Merchandise Online Store that can be exploited by an attacker to delete arbitrary files...

CVSS 6.5 · AI score 6.8 · EPSS 0.0088
Exploits 1 · References 2
Huntr
added 2022/05/12 3:10 p.m. · 29 views

Improper Privilege Management API V2

Description: Some API v2 endpoints do not check permissions, allowing attackers to retrieve/edit ticket, account, group, department, team and ElasticSearch information. Proof of Concept: Get users list: 1. Login. 2. Go to /api/v2/accounts?type=all. 3. Users list returned. Create user with admin role: 1. Get the adm...

CVSS 6.5 · AI score 1.5 · EPSS 0.02393
Exploits 1