Phone Scammers Impersonating CISA Employees
Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency (CISA) is aware of recent impersonation scammers claiming to represent the agency. As a reminder, although CISA staff will occasionally contact...
SUSE CVE-2024-35241
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are...
PT-2024-37114
Name of the Vulnerable Software and Affected Versions: LINE client for iOS versions prior to 14.9.0 Description: The in-app browser of the LINE client contains a Universal XSS (UXSS) vulnerability, allowing for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame fro...
DEBIAN-CVE-2024-35241
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are...
Composer has multiple command injections via malicious git/hg branch names
Impact: The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories. Patches: 2.2.24 for 2.2 LTS or 2.7.7 for mainline. Workarounds: Avoid cloning potentially compromised...
CLSA-2024-1718028901 git: Fix of CVE-2024-32002
CVE-2024-32002: fix submodule paths to not contain symlinks...
CVE-2024-35954
In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Avoid sg device teardown race. sg_remove_sfp_usercontext() must not use sg_device_destroy() after calling scsi_device_put(). sg_device_destroy() is accessing the parent scsi_device request_queue which will already be set to NULL when the...
PT-2024-40171 · Propel · Propel
Name of the Vulnerable Software and Affected Versions: Propel versions 1.x through 3.x Description: The limit query method in Propel is susceptible to catastrophic SQL injection when used with MySQL. This occurs due to a lack of integer casting of the limit input in either...
PT-2024-26246 · Unknown · R-Pan-Scaffolding
Name of the Vulnerable Software and Affected Versions: r-pan-scaffolding versions 5.0 and below Description: The issue allows attackers to execute arbitrary code via uploading a crafted PDF file. This is achieved through an arbitrary file upload vulnerability. Recommendations: For versions 5.0 an...
UBUNTU-CVE-2024-32465
Git is a revision control system. The Git project recommends avoiding working in untrusted repositories and instead cloning them first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but...
UBUNTU-CVE-2024-32002
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory...
PT-2024-7386
Name of the Vulnerable Software and Affected Versions: OpenSSL versions prior to 3.3.3 Description: The issue arises from the use of low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial, leading to out-of-bounds memory reads or writes. This can cause an...
PT-2024-25809 · 1Panel · 1Panel
Name of the Vulnerable Software and Affected Versions: 1Panel versions prior to 1.10.3-lts Description: The issue is related to command injections in the project that are not well filtered, leading to arbitrary file writes and ultimately to remote code execution (RCE). The mirror configuration...
PT-2024-22376 · Unknown · Sourcecodester School Task Manager
Name of the Vulnerable Software and Affected Versions: Sourcecodester School Task Manager version 1.0 Description: A vulnerability was identified within the subject name= parameter, enabling Stored Cross-Site Scripting (XSS) attacks. This issue allows attackers to manipulate the subject's name,...
PT-2024-25136 · J2Eefast · J2Eefast
Name of the Vulnerable Software and Affected Versions: J2EEFAST version 2.7.0 Description: The issue is related to a SQL injection vulnerability. It occurs via the sql filter parameter in the getDeptList function. This allows for potential exploitation. Recommendations: For J2EEFAST version 2.7.0...
PT-2024-20969 · Ruvaroa · Ruvaroa
Name of the Vulnerable Software and Affected Versions: RuvarOA versions 6.01 through 12.01 Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the email attach id parameter at the "/LHMail/AttachDown.aspx" API endpoint. Recommendations: For...
CVE-2024-27033 f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic. verify_blkaddr() will trigger panic once we inject fault into f2fs_is_valid_blkaddr(), fix to remove this unnecessary f2fs_bug_on()...
PT-2024-6645 · Adobe · Illustrator
Name of the Vulnerable Software and Affected Versions: Adobe Illustrator versions 28.5, 27.9.4 and earlier Description: The issue is related to an improper input validation that could lead to an application denial-of-service condition. An attacker could exploit this to render the application...
karinbordewijk.nl Improper Access Control vulnerability OBB-3922496
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
PT-2024-25173 · Unknown · Jerryscript
Name of the Vulnerable Software and Affected Versions: Jerryscript version cefd391 Description: A segmentation violation was discovered in Jerryscript via the component scanner seek at jerry-core/parser/js/js-scanner-util.c. Recommendations: For Jerryscript version cefd391, consider avoiding the...