Malicious Package
Overview msfpath is a malicious package. It launches a reverse shell that connects back to a malicious host. Remediation Avoid using all malicious instances of the msfpath package. Credit: Raul Onitza-Klugman from Snyk Research Team...
PT-2022-26150 · Lancet +1 · Lancet +1
Name of the Vulnerable Software and Affected Versions: Lancet versions prior to 2.1.10 Lancet versions prior to 1.3.4 Description: The issue is a Zip Slip (path traversal during archive extraction) problem in the fileutil package when it is used to unzip files. No information is...
PT-2022-26780 · Unknown · Online Diagnostic Lab Management System
Name of the Vulnerable Software and Affected Versions: Online Diagnostic Lab Management System version 1.0 Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the id parameter at the "/clients/view client.php" API endpoint. Recommendations:...
PT-2022-26268 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.3.7 Liferay DXP versions 7.3 fix pack 2 through update 4 Description: A SQL injection issue in the Friendly Url module allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title...
PT-2022-5612 · Freerdp +9 · Freerdp +9
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 2.9.0 Description: The issue is related to the missing path canonicalization and base path check for the drive channel in FreeRDP, allowing a malicious server to trick a FreeRDP-based client into reading files outsid...
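The Lancet fileutil entry and the FreeRDP drive-channel entry above are the same bug class: a path taken from untrusted input (an archive entry name, a file name sent by the server) is joined to a base directory without canonicalizing the result and checking that it still lies under that base. The following Go program is an added example, not code from Lancet, FreeRDP or any other project on this page; the function names SafeJoin, Unzip and BuildArchive and the sample archive contents are assumptions made for illustration. It builds an in-memory zip containing one benign entry and one "../../" entry, and shows the containment check that refuses the latter.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip is returned when an archive entry would escape the destination directory.
var ErrZipSlip = errors.New("zip entry escapes destination directory")

// SafeJoin resolves name under dest and rejects any result outside dest.
// The check is made on the cleaned absolute path rather than on the raw entry
// name, so "a/../../x" is caught and an absolute name is forced under dest.
func SafeJoin(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	// Archive names are slash-separated regardless of the host OS.
	target := filepath.Join(absDest, filepath.FromSlash(name))
	if target != absDest && !strings.HasPrefix(target, absDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// Unzip extracts archive bytes into dest, stopping at the first entry that fails SafeJoin.
// It returns the paths written so far so a caller can clean up on error.
func Unzip(archive []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range r.File {
		target, err := SafeJoin(dest, f.Name)
		if err != nil {
			return written, err
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode().Perm()|0o600)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// BuildArchive constructs an in-memory zip from name->content pairs
// (constructed test data used to produce a traversal entry).
func BuildArchive(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, content := range entries {
		fw, _ := w.Create(name)
		fw.Write([]byte(content))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "unzip")
	defer os.RemoveAll(dest)
	// Constructed archive: the second entry would land outside dest.
	archive := BuildArchive(map[string]string{"../../escape.txt": "owned"})
	files, err := Unzip(archive, dest)
	fmt.Println(files, err) // [] zip entry escapes destination directory: "../../escape.txt"
}
```

The prefix comparison must be against the base path plus a separator: checking only `HasPrefix(target, absDest)` would accept `/opt/out2/x` as being inside `/opt/out`. This check does not cover symlink entries in the archive or a destination that is itself a symlink; an extractor that must handle those should also refuse (or resolve and re-check) symlinks.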
PT-2022-27424 · Unknown · Cbrn-Analysis
Name of the Vulnerable Software and Affected Versions: CBRN-Analysis versions prior to 22 Description: The issue allows XXE attacks via an XML document, leading to NTLMv2-SSP hash disclosure. This occurs when processing a malicious XML document. Recommendations: For versions prior to 22, update t...
PT-2022-6233 · Netcomm · Netcomm Nf20Mesh +2
Name of the Vulnerable Software and Affected Versions: Netcomm NF20MESH versions Netcomm NF20 versions Netcomm NL1902 versions Description: A stack-based buffer overflow issue affects the sessionKey parameter, allowing a remote attacker to potentially execute arbitrary code by providing a specifi...
PT-2022-24250 · F Secure · F-Secure Safe Browser
Name of the Vulnerable Software and Affected Versions: F-Secure SAFE Browser versions prior to 19.0 Description: A drag-and-drop spoofing vulnerability was discovered, allowing the address bar to be spoofed when a user performs a drag-and-drop operation on it. Recommendations: For...
PT-2022-22908 · WordPress · Export/Import Users/Customers
Name of the Vulnerable Software and Affected Versions: Import and export users and customers WordPress plugin versions prior to 1.20.5 Description: The issue concerns the improper escaping of data when exporting it via CSV files. This could potentially lead to security issues, although specific...
PT-2022-7658 · Linux +3 · Linux Kernel +3
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.1.1 Description: The vulnerability is related to a buffer overflow issue in the vivid component of the Linux kernel. It occurs due to a failure to check boundaries after adjusting the compose height in the V4L...
AZL-11396 CVE-2022-39379 affecting package rubygem-fluentd for versions less than 1.14.6-2
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads...
PT-2022-26743 · Unknown · Fast Food Ordering System
Name of the Vulnerable Software and Affected Versions: Fast Food Ordering System version 1.0 Description: The issue is related to a SQL injection vulnerability. It affects the /fastfood/purchase.php component. Recommendations: For Fast Food Ordering System version 1.0, consider restricting access...
PT-2022-10669 · Unknown · Employee Record Management System
Name of the Vulnerable Software and Affected Versions: Employee Record Management System version 1.2 Description: The issue is related to SQL Injection via the editempprofile.php file. Recommendations: For Employee Record Management System version 1.2, consider restricting access to the...
Primary operator can unbond to avoid slashing and DOS job execution
Lines of code Vulnerability details If a primary operator fails to call HolographOperator.executeJob on time, a secondary operator can make the call, which will result in slashing the primary operator, as described in the documentation. The primary operator that failed to do the job is slashed t...
Upgraded Q -> M from 873 [1666362235337]
Judge has assessed an item in Issue 873 as Medium risk. The relevant finding follows: Avoid payable(address).transfer. GolomTrader.payEther uses payable(address).transfer to send native ETH. It's considered a best practice to avoid this pattern for ETH transfers, since it forwards a fixed gas stipend...
CVE-2022-39253
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone where the source and target of the clone...
PT-2022-6964 · Mozilla +3 · Firefox +3
Name of the Vulnerable Software and Affected Versions: Firefox versions prior to 106 Description: A potential use-after-free vulnerability existed in SVG Images if the Refresh Driver was destroyed at an inopportune time. This could have led to memory corruption or a potentially exploitable crash...
Malicious Package
Overview truelayer-component-library is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if th...
PT-2022-5111 · Freerdp +9 · Freerdp +9
Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 2.8.1 Description: The issue is related to the use of uninitialized data when processing the /parallel command line switch in FreeRDP based clients on Unix systems. This could allow a remote attacker to read, modify,...
PT-2022-25831 · D8S-Yaml +1 · D8S-Yaml +1
Name of the Vulnerable Software and Affected Versions: d8s-yaml version 0.1.0 Description: The d8s-yaml package for Python contains a potential code-execution backdoor. This backdoor is attributed to the democritus-file-system package, which was inserted by a third party. Recommendations: For...