Lucene search

4 matches found

OSV
added 2024/05/15 9:29 p.m., 9 views

GHSA-2VH3-CJ9J-MCJ5 eZ Publish Legacy Cross-site Scripting (XSS) in 'disabled module' error template

This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy via the LegacyBridge. Installations where all modules are disabled may be vulnerable to XSS injection in the module name. This is a rare configuratio...

AI score: 6.5
Exploits: 0, References: 5

OSV
added 2023/10/25 9:8 p.m., 29 views

GHSA-VCVR-V426-3M3M org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter

Impact Triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server as long as the Java process has write access to that location. In particular in the combination with attachment moving, a feature...

CVSS: 9.9, AI score: 9.3, EPSS: 0.03734
Exploits: 1, References: 5

Cvelist
added 2022/09/16 10:0 p.m., 17 views

CVE-2022-35990 `CHECK` fail in `FakeQuantWithMinMaxVarsPerChannelGradient` in TensorFlow

TensorFlow is an open source platform for machine learning. When tf.quantization.fakequantwithminmaxvarsperchannelgradient receives input min or max of rank other than 1, it gives a CHECK fail that can trigger a denial of service attack. We have patched the issue in GitHub commit...

CVSS: 5.9, AI score: 7.7, EPSS: 0.00135
Exploits: 0, References: 2

Prion
added 2019/07/11 8:15 p.m., 26 views

Design/Logic Flaw

WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The impact is: Divide by zero can lead to sudden crash of a software/service that tries to parse a .wav file. The component is: ParseDsdiffHeaderConfig dsdiff.c:282. The attack vector is: Maliciously crafted .wav file. The fixed...

CVSS: 4.3, AI score: 5.3, EPSS: 0.00815
Exploits: 1, References: 6, Affected Software: 4