Debian dla-4043 : openjdk-17-dbg - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4043 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4043-1 [email protected] https://www.debian.org/lts/security/...
[SECURITY] [DSA 5857-1] openjdk-17 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-5857-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 03, 2025 https://www.debian.org/security/faq -...
CVE-2023-6384 WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR
The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar...
USN-6492-1 mosquitto vulnerabilities
Kathrin Kleinhammer discovered that Mosquitto incorrectly handled certain inputs. If a user or an automated system were provided with a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. CVE-2021-34431...
CMS Commander < 2.288 - Unauthenticated Authorisation Bypass
The plugin does not use a sufficient unique cryptographic signature in its cmscaddsite feature, which could allow unauthenticated users to update the cmscpublickey settings when the plugin has not been configured yet, and get access to the plugin's remote control features such as creating an...
CVE-2023-2179 WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making...
CVE-2022-4103 Royal Elementor Addons < 1.3.56 - Subscriber+ Arbitrary Post Creation
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post as well as any post type with an...
Authorisation bypass in the ViewUpgrades resource - CVE-2019-8443
The ViewUpgrades resource in Jira before version 7.13.4, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers who have obtained access to administrator's session to access the ViewUpgrades administrative resource without needing to...
Shibboleth 2 XML Injection
Advisory: Truncation of SAML Attributes in Shibboleth 2 RedTeam Pentesting discovered that the shibd service of Shibboleth 2 does not extract SAML attribute values in a robust manner. By inserting XML entities into a SAML response, attackers may truncate attribute values without breaking the...