Lucene search

5 matches found

OSV
added 2025/12/08 3:42 p.m. · 5 views

CLSA-2025-1765208529 vim: Fix of 2 CVEs

CVE-2025-53906: drop leading ../ on write of zipfiles, don't forcefully overwrite existing files - CVE-2025-29768: use glob '-' to protect filenames starting with '-'...

CVSS 4.4 · AI score 6.3 · EPSS 0.00731
Exploits 1 · References 1
Positive Technologies
added 2024/05/15 12:0 a.m. · 3 views

PT-2024-40162 · Drupal · Drupal

Name of the Vulnerable Software and Affected Versions: Drupal 8 core (affected versions not specified). Description: The issue concerns the file save upload function, which does not remove leading and trailing dots from filenames. This could allow users with file upload permissions, especially when...

CVSS 6.6 · AI score 7
Exploits 0 · References 4
Snyk
added 2021/08/20 12:0 a.m. · 1 views

Open Redirect

Overview: rails is an open-source MVC web framework. Affected versions of this package are vulnerable to Open Redirect. Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a...

CVSS 7.6 · AI score 6.7 · EPSS 0.87239
Exploits 1 · References 2
OSV
added 2020/06/23 7:38 p.m. · 2 views

UBUNTU-CVE-2020-7668

In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide...

CVSS 7.5 · AI score 5.8 · EPSS 0.01332
Exploits 1 · References 3
OSV
added 2019/12/18 6:7 p.m. · 2 views

DRUPAL-CORE-2019-010

Drupal 8 core's file_save_upload function does not strip the leading and trailing dot '.' from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to...

AI score 6.9
Exploits 0 · References 1