10 matches found

IBM Security Bulletins
added 2026/03/09 7:26 a.m., 2 views

Security Bulletin: IBM Maximo Application suite Visual Inspection Component back ported version 8.9.x uses components that are vulnerable to CVE-2021-31684, CVE-2023-1370, CVEID: CVE-2023-52428, CVE-2024-7254, CVE-2024-27268.

Summary: IBM Maximo Application suite Visual Inspection Component back ported version 8.9.x uses components that are vulnerable to CVE-2021-31684, CVE-2023-1370, CVEID: CVE-2023-52428, CVE-2024-7254, CVE-2024-27268. This Bulletin contains information of the vulnerable product version and its...

8.7 CVSS, 6 AI score, 0.00191 EPSS
Exploits: 2, Affected Software: 1
OSV
added 2025/10/08 12:43 p.m., 2 views

GHSA-2PGJ-5CV2-6XXW FuelVM is vulnerable to heap memory allocation re-use bug

Impact: A memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a mload or other opcodes which access memory on memory that had been deallocated using ret, it was still abl...

8.7 CVSS, 6.9 AI score
Exploits: 0, References: 4
RedhatCVE
added 2024/11/04 10:31 p.m., 12 views

CVE-2024-51744

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...

3.1 CVSS, 6.6 AI score, 0.0006 EPSS
Exploits: 0, References: 5
Cvelist
added 2024/11/04 9:47 p.m., 16 views

CVE-2024-51744 Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...

3.1 CVSS, 0.0006 EPSS
Exploits: 0, References: 2
OSV
added 2024/11/04 9:47 p.m., 7 views

CVE-2024-51744 Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt

golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...

3.1 CVSS, 6.6 AI score, 0.0006 EPSS
Exploits: 0, References: 4
Github Security Blog
added 2023/02/10 11:11 p.m., 19 views

Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system

Impact: This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can be combined with GHSA-p8r3-83r8-jwj5 to overwrite files on the host system. In order to use this...

9.6 CVSS, 7.8 AI score, 0.00775 EPSS
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2022/04/13 4:15 p.m., 22 views

CVE-2015-20107

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input if they lack validation of user-provided...

8 CVSS, 0.0087 EPSS
Exploits: 1, References: 30
NVD
added 2021/04/21 9:15 p.m., 16 views

CVE-2021-21426

Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework...

9.8 CVSS, 0.00405 EPSS
Exploits: 2, References: 1
OSV
added 2021/01/29 6:13 p.m., 21 views

GHSA-H3GG-7WX2-CQ3H XSS in Flarum Sticky extension

Impact: A change in release beta 14 of the Sticky extension caused the plain text content of the first post of a pinned discussion to be injected as HTML on the discussion list. The issue was discovered following an internal audit. Any HTML would be injected through Mithril's m.trust helper. This...

5.4 CVSS, 5.6 AI score, 0.00347 EPSS
Exploits: 0, References: 5
Prion
added 2019/07/25 4:15 p.m., 6 views

Cross site request forgery (csrf)

In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user in certain limited circumstances could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3. The fix was back-porte...

4 CVSS, 6.3 AI score, 0.00589 EPSS
Exploits: 0, References: 1, Affected Software: 1