Updated perl-CPAN & perl-HTTP-Tiny packages fix security vulnerabilities
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS (CVE-2023-31484). HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates...
EUVD-2021-14525
Malware in sbrugna...
CVE-2024-54147 Altair GraphQL Client's desktop app does not validate HTTPS certificates
Altair is a GraphQL client for all platforms. Prior to version 8.0.5, Altair GraphQL Client's desktop app does not validate HTTPS certificates, allowing a man-in-the-middle to intercept all requests. Any Altair users on untrusted networks (e.g. public Wi-Fi, malicious DNS servers) may have all GraphQL...
CVE-2024-1873 Path Traversal and Denial of Service in parisneo/lollms-webui
parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed /selectdatabase endpoint in version a9d16b0. The endpoint improperly handles file paths, allowing attackers to specify absolute paths when interacting with the DiscussionsDB instance. This flaw...
Security Bulletin: This Power System update is being released to address CVE-2022-4450
Summary: This affects the BMC administrator function to upload HTTPS certificates. Vulnerability Details: CVEID: CVE-2022-4450. DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEM_read_bio_ex function. ...
Debian: Security Advisory (DSA-2199)
The remote host is missing an update for the Debian...
CVE-2021-27784
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages...
Design/Logic Flaw
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages...
CVE-2021-27784 HCL Launch container images may contain non-unique https certificates and database encryption key
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages...
CVE-2021-27784
CVE-2021-27784 affects HCL Launch Container images, where non-unique HTTPS certificates and a database encryption key are included. The documented vulnerability is limited to the container images and does not affect standard installer packages. The available remediation is a fix that provides dir...
Node.js: Undici does not use CONNECT or otherwise validate upstream HTTPS certificates when using a proxy
Summary: When using Undici with its ProxyAgent, it does not use CONNECT or correctly verify the upstream server's HTTPS certificate. Description: This affects both Undici itself and global fetch in Node 18 when used with Undici's ProxyAgent. I've submitted this here for Node as it affects global...
CVE-2021-20110
Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as we...
CVE-2021-20109
Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the...
Integer overflow
Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as we...
Memory corruption
Manage Engine Asset Explorer Agent 1.0.34 listens on port 9000 for incoming commands over HTTPS from Manage Engine Server. The HTTPS certificates are not verified which allows any arbitrary user on the network to send commands over port 9000. While these commands may not be executed due to...
CVE-2021-20108
CVE-2021-20108 affects Manage Engine Asset Explorer Agent 1.0.34. The agent listens on TCP port 9000 for HTTPS commands from the Manage Engine Server, but uses unverified HTTPS certificates, allowing arbitrary users on the network to send commands. Although authtoken validation may prevent comman...
TI Code Composer Studio IDE Trust Management Issue Vulnerability
TI Code Composer Studio IDE is a Texas Instruments (TI) integrated development environment that supports TI's microcontroller and embedded processor products. The software includes a complete set of tools for developing and debugging embedded applications. It includes a C/C++ compiler for...
CVE-2016-9154
Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D All firmware versions V6.00.046 and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U All...
Google Debuts New Untrusted CA Log Submariner
Google wants the internet to know that it’s keeping track of deployed certificates, whether they’re trusted or not. While the search behemoth has long maintained a list of trusted Certificate Authorities, it announced on Monday that it has created a new list of CAs that were once, or are not yet...