Jenkins Libvirt Slaves Plugin vlnerable to Credential Enumeration

A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins...

Magento 2 Community Edition SSRF vulnerability

A server-side request forgery SSRF vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with admin privileges to manipulate shipment methods to execute arbitrary code...

Mozilla: Prototype pollution in Top-Level Await implementation

The Mozilla Foundation Security Advisory describes this flaw as: If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context...

USN-5434-1 firefox vulnerabilities

It was discovered that the methods of an Array object could be corrupted as a result of prototype pollution by sending a message to the parent process. If a user were tricked into opening a specially crafted website, an attacker could exploit this to execute JavaScript in a privileged context...

UBUNTU-CVE-2022-1802

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR 91.9.1, Firefox 100.0.2, Firefox for Android 100.3.0,...

MGASA-2022-0190 Updated python-django packages fix security vulnerability

Potential SQL injection in QuerySet.annotate, aggregate, and extra CVE-2022-28346 Potential SQL injection via QuerySet.explainoptions on PostgreSQL QuerySet.explain CVE-2022-28347...

CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities

CISA has issued Emergency Directive ED 22-03 and released a Cybersecurity Advisory CSA in response to active and expected exploitation of multiple vulnerabilities in the following VMware products: VMware Workspace ONE Access Access, VMware Identity Manager vIDM, VMware vRealize Automation vRA,...

GHSA-FJHW-8222-G2HG Cross-Site Request Forgery in Jolokia

Cross-site request forgery CSRF vulnerability in Jolokia before 1.2.1 allows remote attackers to hijack the authentication of users for requests that execute MBeans methods via a crafted web page...

GHSA-R6FX-55X3-F9X6 Crafter CMS Crafter Studio vulnerable to Improper Control of Dynamically-Managed Code Resources

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods...

CVE-2021-23267 Improper Control of Dynamically-Managed Code Resources in Crafter Studio

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods...

Discy < 5.2 - Settings Update via CSRF

The theme lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary plugin's settings including payment methods via a CSRF attack PoC...

Updated golang-github-prometheus-client packages fix security vulnerability

HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods...

GHSA-2C3P-9J5F-33G3 Apache OpenMeetings responds to insecure HTTP methods

Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH...

Apache OpenMeetings responds to insecure HTTP methods

Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH...

GHSA-M68X-CC2F-GR5H Unsafe methods in the default list of approved signatures in Jenkins Script Security Plugin

The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAtObject, String, Object; DefaultGroovyMethods.getAtObject, String. These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild'rawBuild' rather than...

Unsafe methods in the default list of approved signatures in Jenkins Script Security Plugin

The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAtObject, String, Object; DefaultGroovyMethods.getAtObject, String. These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild'rawBuild' rather than...

GHSA-5M64-9HQ5-5PF2 Statamic framework Incorrect Permission Assignment

Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc...

Statamic framework Incorrect Permission Assignment

Statamic framework before 2.6.0 does not correctly check a session's permissions when the methods from a user's class are called. Problematic methods include reset password, create new account, create new role, etc...

[SECURITY] Fedora 36 Update: curl-7.82.0-5.fc36

curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMA P, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies,...

OESA-2022-1642 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate, aggregate, and extra methods are subject to SQL injection in column...