Use of Insufficiently Random Values in yiisoft/yii2-dev

yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator...

Ubuntu 18.04 LTS / 20.04 LTS : c-ares vulnerability (USN-5034-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5034-1 advisory. Philipp Jeitner and Haya Shulman discovered that c-ares incorrectly validated certain hostnames returned by DNS servers. A remote attacker could...

Ubuntu 21.04 : Perl vulnerability (USN-5033-1)

The remote Ubuntu 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-5033-1 advisory. It was discovered that the Perl Encode library incorrectly handled paths. A local attacker could possibly use this issue to trick the library into executing arbitrary...

Cross site request forgery (csrf)

A cross site request forgery CSRF in Wage-CMS 1.5.x-dev allows attackers to arbitrarily add users...

Ubuntu 21.04 : openCryptoki vulnerability (USN-5031-1)

The remote Ubuntu 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-5031-1 advisory. It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause a invalid curve attack. Tenable has...

Homebrew: Bypass of the installation sandbox by injecting keystrokes with TIOCSTI

While doing some internal testing recently, we ran into installation sandboxing and found a way to bypass it so that a formula's install script can execute commands outside of the sandbox. I understand from https://github.com/Homebrew/brew/issues/2986 that the sandbox is intended to prevent...

Chinese Hackers Exploited Latest SolarWinds 0-Day in Targeted Attacks

Microsoft on Tuesday disclosed that the latest string of attacks targeting SolarWinds Serv-U managed file transfer service with a now-patched remote code execution RCE exploit is the handiwork of a Chinese threat actor dubbed "DEV-0322." The revelation comes days after the Texas-based IT monitori...

Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on...

Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit

Microsoft has detected a 0-day remote code execution exploit being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. The Microsoft Threat Intelligence Center MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on...

db-systray (>=0.1.0 <=0.1.2), dbm-systray (>=0.1.3 <=0.2.0) +6 more potentially affected by CVE-2021-23404 via sqlite-web (>=0.6.8 <=0.7.2)

sqlite-web PYPI version =0.6.8, =0.1.0, =0.1.3, =0.0.2, =0.0.2, =0.0.1, =0.2.1, =0.1.8, =0.2.6 Source cves: CVE-2021-23404 Source advisory: SNYK:PYTHON-SQLITEWEB-1316324...

An admin can downgrade or remove a group with sys admin privilege

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

An admin can downgrade or remove a group with sys admin privilege

This vulnerability affects certain versions of Atlassian Dev Tools. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent...

Ubuntu 20.04 LTS : libuv vulnerability (USN-5007-1)

The remote Ubuntu 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5007-1 advisory. Eric Sesterhenn discovered that libuv incorrectly handled certain strings. An attacker could possibly use this issue to access sensitive information or cause a...

TextPattern CMS 4.9.0-dev Remote Command Execution

Exploit Title: TextPattern CMS 4.9.0-dev - Remote Command Execution RCE Authenticated Date: 07/04/2021 Exploit Author: Mevlüt Akçam Software Link: https://github.com/textpattern/textpattern Vendor Homepage: https://textpattern.com/ Version: 4.9.0-dev Tested on: 20.04.1-Ubuntu !/usr/bin/python3...

PT-2024-11246 · Linux +2 · Linux Kernel +2

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A memory leak vulnerability has been resolved in the Linux kernel. The issue is related to the ip mc add1 src function, where an unreferenced object is created, leading to a memory lea...

Debian DSA-4931-1 : xen - security update

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service or information leaks. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Debian Security Advisory DSA-4931. The...

Ubuntu 16.04 ESM : LZ4 vulnerability (USN-4968-2)

The remote Ubuntu 16.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-4968-2 advisory. USN-4968-1 fixed a vulnerability in LZ4. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Tenable has extracted the...

Elastic: Improper authorization on `/api/as/v1/credentials/` for Dev Role User with Limited Engine Access

Summary: Dear Team, Since 1168528 was resolved. I have checking again for other roles. At Dev Role with Limited Engine Access, an user still can access API endpoint /api/as/v1/credentials/ to get all API keys private-key, search-key ... Steps To Reproduce: 1 - Log in Kibana with the admin elastic...

GSD-2021-1000599 net/mlx5e: Fix null deref accessing lag dev

net/mlx5e: Fix null deref accessing lag dev This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.42 by commit...

GSD-2021-1000554 net/mlx5e: Fix null deref accessing lag dev

net/mlx5e: Fix null deref accessing lag dev This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.12.9 by commit...