CVE-2022-29622

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are...

CLSA-2022-1643918500 Fix of CVE: CVE-2022-23305

CVE-2022-23305: disable JDBCAppender by default. Add optional parameter for enabling it...

4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories

A security flaw has been unearthed in Microsoft's Azure App Service that resulted in the exposure of source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years since September 2017. The vulnerability, codenamed "NotLegit," was reported to the tech...

Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability

A day after releasing Patch Tuesday updates, Microsoft acknowledged yet another remote code execution vulnerability in the Windows Print Spooler component, adding that it's working to remediate the issue in an upcoming security update. Tracked as CVE-2021-36958 CVSS score: 7.3, the unpatched flaw...

Point and Print Default Behavior Change

Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks. Today, we are addressing this risk by changi...

Point and Print の既定動作の変更

本記事は「Point and Print Default Behavior Change」の日本語抄訳です。 "PrintNightmare" と総称されるいくつかの脆弱性を調査した...

Point and Print Default Behavior Change

Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks. Today, we are addressing this risk by changi...

OESA-2021-1276 maven security update

Maven is a software project management and comprehension tool. Based on the concept of a project object model POM, Maven can manage a project's build, reporting and documentation from a central piece of information. Security Fixes: Apache Maven will follow repositories that are defined in a...

PT-2021-3629 · Microsoft · Windows Print Spooler +1

Name of the Vulnerable Software and Affected Versions: Windows Print Spooler versions prior to the version with the security update released by Microsoft Description: The issue is related to insufficient access restrictions in the Windows Print Spooler service, allowing a remote attacker to execu...

GHSA-2F88-5HG8-9X2X Origin Validation Error in Apache Maven

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model pom which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...

Origin Validation Error in Apache Maven

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model pom which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...

GHSA-2V6X-FRW8-7R7F Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references. Original Description A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0...

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model pom which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...

CVE-2021-26291

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model pom which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...

Nextcloud: Default Nextcloud Server and Android Client leak sharee searches to Nextcloud

On a clean Nextcloud setup the functionality "Search global and public address book for users" is enabled. Now when searching for a sharee to share with. The lookup parameter is not passed to the server. Resulting in...

CVE-2021-27549

Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. NOTE: the vendor's position is that this is intended behavior that can be changed through the Settings Device screen...

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default

A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader...

CVE-2019-19232

In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as ...

Information Disclosure

cloudfoundry-identity-server is vulnerable to information disclosure. The vulnerability exists as it defaults to sending emails to @unknown.org if a user's email address is not provided, allowing the owner of the unknown.org domain to receive password recovery emails of other users...