GHSA-C2XF-9V2R-R2RX Hugo does not escape some attributes in internal templates

Impact Some HTML attributes in Markdown in the internal templates listed below not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates. default/markup/render-link.html from v0.123.0 default/markup/render-image.html from...

Hugo 跨站脚本漏洞

Hugo is a Go-based framework for rapid static site generation from the Gohugoio community. A cross-site scripting vulnerability exists in Hugo versions prior to 0.123.0 through 0.139.4, which stems from improperly escaping HTML attributes in certain Markdown in internal rendering hooks...

[SECURITY] [DLA 3988-1] jinja2 security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3988-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk December 09, 2024 https://wiki.debian.org/LTS -...

Vulnerability of JetBrains YouTrack’s data merging functions, which allows attackers to execute a “ prototype contamination ” attack.

The vulnerability of the data merging functions in the JetBrains YouTrack project and task management software is related to the uncontrolled modification of prototype object attributes. Exploiting this vulnerability could allow a malicious actor to execute an “infection of the prototype” attack...

Security update for python

This update for python fixes the following issues: CVE-2024-11168: Fixed improper validation of IPv6 and IPvFuture addresses bsc1233307 Other fixes: - Add ipaddress module from https://github.com/phihag/ipaddress - Remove -IVendor/ from python-config bsc1231795 - Stop using %%defattr, it seems...

CVE-2018-9449

In processservicesearchattrrsp of sdpdiscovery.cc, there is a possible out of bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2024-17004 · WordPress · Wordpress Pinterest Plugin

Name of the Vulnerable Software and Affected Versions: WordPress Pinterest Plugin versions up to, and including, 1.8.8 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'gs pin widget' shortcode due to insufficient input sanitization and output escaping on...

PT-2024-10698 · Google · Android

Name of the Vulnerable Software and Affected Versions: No specific software name or version is mentioned in the provided descriptions. Description: The issue is related to a possible out of bound read in the process service search attr rsp function of sdp discovery.cc due to a missing bounds chec...

Linux kernel 安全漏洞

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that originates in the mlx5tcctentryaddrule function in the net/mlx5e component, where the zonerule-attr is used...

CVE-2023-0163

Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a...

apache-avro: Schema parsing may trigger Remote Code Execution (RCE)

A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special "java-class" attribute...

CXF: SSRF Vulnerability

A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type...

apache-avro: Schema parsing may trigger Remote Code Execution (RCE)

A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special "java-class" attribute...

The vulnerabilities of x86/mm/pat components in the Linux operating system’s kernel allow a hacker to cause a service failure.

The vulnerability of the x86/mm/pat components of the Linux operating system’s kernel is related to a memory leak. Exploiting this vulnerability can allow an attacker to cause a system failure...

CVE-2024-50243

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix general protection fault in runismappedfull Fixed deleating of a non-resident attribute in ntfscreateinode rollback...

CVE-2018-9478

In processserviceattrreq and processservicesearchattrreq of sdpserver.cc, there is an out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...

AZL-53915 CVE-2024-53066 affecting package kernel for versions less than 5.15.173.1-1

In the Linux kernel, the following vulnerability has been resolved: nfs: Fix KMSAN warning in decodegetfattrattrs Fix the following KMSAN warning: CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G B Tainted: B=BADPAGE Hardware name: QEMU Standard PC Q35 + ICH9, 2009...

UBUNTU-CVE-2024-53066

In the Linux kernel, the following vulnerability has been resolved: nfs: Fix KMSAN warning in decodegetfattrattrs Fix the following KMSAN warning: CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G B Tainted: B=BADPAGE Hardware name: QEMU Standard PC Q35 + ICH9, 2009...

CVE-2024-53045 ASoC: dapm: fix bounds checker error in dapm_widget_list_create

In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: fix bounds checker error in dapmwidgetlistcreate The widgets array in the sndsocdapmwidgetlist has a countedby attribute attached to it, which points to the numwidgets variable. This attribute is used in bounds...

GHSA-HFF8-HJWV-J9Q7 Remote Code Execution on click of <a> Link in markdown preview

Summary There is a vulnerability in Joplin-desktop that leads to remote code execution RCE when a user clicks on an link within untrusted notes. The issue arises due to insufficient sanitization of tag attributes introduced by the Mermaid. This vulnerability allows the execution of untrusted HTML...