368 matches found

RedhatCVE
added 2024/04/04 12:07 a.m. · 24 views

CVE-2024-26718

In the Linux kernel, the following vulnerability has been resolved: dm-crypt, dm-verity: disable tasklets. Tasklets have an inherent problem with memory corruption. The function tasklet_action_common() calls tasklet_trylock(), then it calls the tasklet callback and then it calls tasklet_unlock(). If the...

CVSS 4.4 · AI score 7.3 · EPSS 0.00227
Exploits 0 · References 4
NVD
added 2024/04/03 5:15 p.m. · 14 views

CVE-2024-26765

In the Linux kernel, the following vulnerability has been resolved: LoongArch: Disable IRQ before init_fn() for nonboot CPUs. Disable IRQ before init_fn() for nonboot CPUs during hotplug, in order to silence such warnings and also avoid potential errors due to unexpected interrupts: WARNING: CPU: 1 PID: 0...

CVSS 5.5 · AI score 7.6 · EPSS 0.00236
Exploits 0 · References 4
Vulnrichment
added 2024/04/03 5:00 p.m. · 17 views

CVE-2024-26761 cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window

In the Linux kernel, the following vulnerability has been resolved: cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window. The Linux CXL subsystem is built on the assumption that HPA == SPA. That is, the host physical address (HPA) the HDM decoder registers are programmed wi...

AI score 6.5 · EPSS 0.00236
Exploits 0 · References 4
OSV
added 2024/03/13 6:15 p.m. · 2 views

CVE-2024-2431

An issue in the Palo Alto Networks GlobalProtect app enables a non-privileged user to disable the GlobalProtect app in configurations that allow a user to disable GlobalProtect with a passcode...

CVSS 5.5 · AI score 5.8 · EPSS 0.00153
Exploits 0 · References 1
OSV
added 2024/03/06 11:05 a.m. · 15 views

BIT-MOODLE-2022-2986

Enabling and disabling installed H5P libraries did not include the necessary token to prevent a CSRF risk...

CVSS 8.8 · AI score 8.5 · EPSS 0.00386
Exploits 0 · References 3
SUSE CVE
added 2024/03/01 4:07 a.m. · 7 views

SUSE CVE-2021-47004

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in get_victim(). In checkpoint-disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select a victim: 1. LFS is set to find the source section during GC; the victim should have no...

CVSS 7.1 · AI score 6.5 · EPSS 0.00236
Exploits 0 · References 3
Prion
added 2024/02/28 9:15 a.m. · 28 views

Spoofing

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in get_victim(). In checkpoint-disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select a victim: 1. LFS is set to find the source section during GC; the victim should have no...

AI score 6.7 · EPSS 0.00236
Exploits 0 · References 4
Vulnrichment
added 2024/02/28 8:13 a.m. · 9 views

CVE-2021-47004 f2fs: fix to avoid touching checkpointed data in get_victim()

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid touching checkpointed data in get_victim(). In checkpoint-disabling mode, there are two issues when using LFS or SSR | AT_SSR mode to select a victim: 1. LFS is set to find the source section during GC; the victim should have no...

AI score 6.7 · EPSS 0.00236
Exploits 0 · References 4
Atlassian
added 2024/02/27 1:00 p.m. · 38 views

Login form doesn't get disabled when option is disabled from authentication methods

Issue Summary: When we remove the option to authenticate with username and password from the login form we could still use basic authentication to login. This is reproducible on Data Center: Yes. Steps to Reproduce: Step 1. Remove the option to authenticate with username and password from th...

AI score 7.5
Exploits 0
Prion
added 2024/02/26 4:27 p.m. · 10 views

Design/Logic Flaw

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.3, excessive memory use during pgsql parsing could lead to OOM-related crashes. This vulnerability is patched in 7.0.3. As workaround, users can disable the...

CVSS 5 · AI score 6.9 · EPSS 0.00927
Exploits 0 · References 6
CNVD
added 2024/02/22 12:00 a.m. · 10 views

IBM PowerSC Session Fixation Vulnerability (CNVD-2024-09948)

IBM PowerSC is an IBM security and compliance solution for IBM Power Systems servers. A session fixation vulnerability exists in IBM PowerSC, which stems from a failure to invalidate the session after logout, and can be exploited by an attacker to impersonate anoth...

CVSS 8.8 · AI score 6.6 · EPSS 0.00381
Exploits 0 · References 1
RedhatCVE
added 2024/01/31 7:26 p.m. · 50 views

CVE-2024-1085

A double-free flaw was found in how the Linux kernel's NetFilter system marks whether a catch-all element is enabled. A local user could use this flaw to crash the system. Mitigation: 1. This flaw can be mitigated by preventing the affected netfilter nftables kernel module from being loaded. For...

CVSS 6.6 · AI score 7.3 · EPSS 0.00284
Exploits 0 · References 5
IBM Security Bulletins
added 2023/10/26 5:35 p.m. · 96 views

Security Bulletin: IBM DataPower Gateway vulnerable to HTTP/2 "Rapid Reset" Denial of Service (CVE-2023-44487, CVE-2023-39325)

Summary: IBM has addressed both CVEs. Vulnerability Details: CVEID: CVE-2023-39325. DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using an HTTP/2 client, a...

CVSS 7.5 · AI score 7.8 · EPSS 0.99999
Exploits 19 · Affected Software 1
Positive Technologies
added 2023/10/25 12:00 a.m. · 3 views

PT-2023-20748 · Idweb · Idweb

Name of the Vulnerable Software and Affected Versions: IDWeb application versions 3.1.052 and earlier Description: The issue concerns an unauthenticated SQL injection in the GetVisitors method, allowing unauthenticated attackers to extract or modify all data. Recommendations: For versions 3.1.052...

CVSS 9.8 · AI score 9.4 · EPSS 0.00552
Exploits 0 · References 3
ICS
added 2023/10/24 6:00 a.m. · 64 views

Rockwell Automation Stratix 5800 and Stratix 5200 (UPDATE A)

1. EXECUTIVE SUMMARY. CVSS v3 10.0. ATTENTION: Exploitable remotely / low attack complexity / known public exploitation. Vendor: Rockwell Automation. Equipment: Stratix 5800 and Stratix 5200. Vulnerabilities: Unprotected Alternate Channel, OS Command Injection. 2. RISK EVALUATION. Successful...

CVSS 10 · AI score 9.5 · EPSS 0.99571
Exploits 25 · References 8
CVE
added 2023/09/28 6:13 p.m. · 117 views

CVE-2023-43663

PrestaShop vulnerability CVE-2023-43663 affects PrestaShop core where, in affected versions, any module can be disabled or uninstalled from the back office—even by users with low privileges. The issue enables low-privilege users to disable portions of shop functionality, indicating an improper pr...

CVSS 6.3 · AI score 5.2 · EPSS 0.00345
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2023/09/26 12:00 a.m. · 3 views

PT-2023-29141 · Seacms · Seacms

Name of the Vulnerable Software and Affected Versions: SeaCMS version 12.9 Description: The issue is related to an arbitrary file write vulnerability. This vulnerability is present in the admin ping.php component. Recommendations: For SeaCMS version 12.9, consider disabling access to the admin...

CVSS 9.8 · AI score 7.3 · EPSS 0.01155
Exploits 1 · References 4
Citrix
added 2023/09/01 12:00 a.m. · 6 views

Impact of removing vs. disabling Chrome in Android

Understand the distinction between removing and disabling Chrome on Android devices using Citrix Endpoint Management...

AI score 7.1
Exploits 0
NVD
added 2023/08/04 5:15 p.m. · 11 views

CVE-2023-38688

twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection does not use TLS. In the configuration of the IRC connection, the software disables TLS, which leaves all communication with the Twitch IRC servers unencrypted. As a result, communication, including...

CVSS 7.5 · AI score 7.5 · EPSS 0.00427
Exploits 0 · References 3
Positive Technologies
added 2023/07/28 12:00 a.m. · 2 views

PT-2023-26736 · Duke · Duke

Name of the Vulnerable Software and Affected Versions: Duke versions 1.2 and below Description: The issue is related to a code injection vulnerability via the component no.priv.garshol.duke.server.CommonJTimer.init. Recommendations: For Duke versions 1.2 and below, consider disabling the...

CVSS 9.8 · AI score 9.4 · EPSS 0.00747
Exploits 1 · References 6