Deserialization of Untrusted Data

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the runpy module. An attacker can execute arbitrary code by supplying a malicious pickle file that uses runpy.runpath or...

Fickling has a bypass via runpy.run_path() and runpy.run_module()

Fickling's assessment runpy was added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66. Original report Summary Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicio...

udev Persistence

This module will add a script in /lib/udev/rules.d/ in order to execute a payload written on disk. It'll be executed with root privileges everytime a network interface other than l0 comes up. Execution is triggered through at command, so it must be installed on the target. Module Options msf use...

OESA-2026-1032 erlang security update

Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson. Security Fixes: Allocation of Resources Without Limits or Throttling...

OESA-2026-1027 erlang security update

Erlang is a general-purpose programming language and runtime environment. Erlang has built-in support for concurrency, distribution and fault tolerance. Erlang is used in several large telecommunication systems from Ericsson. Security Fixes: Allocation of Resources Without Limits or Throttling...

CVE-2014-4720

Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service CPU consumption via vectors related to "backtracking into the phrase," a different vulnerability than CVE-2014-0477...

CVE-2023-29487

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service DoS via the Threat To Process Correlation threat prevention module. NOTE: Heimdal asserts this is not a valid vulnerability. Their DNS...

CVE-2023-50027

SQL Injection vulnerability in Buy Addons baproductzoommagnifier module for PrestaShop versions 1.0.16 and before, allows remote attackers to escalate privileges and gain sensitive information via BaproductzoommagnifierZoomModuleFrontController::run method...

CVE-2023-50028

In the module "Sliding cart block" blockslidingcart up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection...

CVE-2023-49328

On a Wolters Kluwer B.POINT 23.70.00 server running Linux on premises, during the authentication phase, a validated system user can achieve remote code execution via Argument Injection in the server-to-server module...

CVE-2023-49244

Permission management vulnerability in the multi-user module. Successful exploitation of this vulnerability may affect service confidentiality...

CVE-2023-49240

Unauthorized access vulnerability in the launcher module. Successful exploitation of this vulnerability may affect service confidentiality...

CVE-2023-49242

Free broadcast vulnerability in the running management module. Successful exploitation of this vulnerability may affect service confidentiality...

CVE-2023-49707

SQLi vulnerability in S5 Register module for Joomla...

CVE-2023-45379

In the module "Rotator Img" posrotatorimg in versions at least up to 1.1 from PosThemes for PrestaShop, a guest can perform SQL injection...

CVE-2023-45256

Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or callback.php...

CVE-2023-45386

In the module extratabspro before version 2.2.8 from MyPresta.eu for PrestaShop, a guest can perform SQL injection via extratabspro::searchcategory, extratabspro::searchproduct and extratabspro::searchmanufacturer.'...

CVE-2023-45377

In the module "Chronopost Official" chronopost for PrestaShop, a guest can perform SQL injection. The script PHP cancelSkybill.php own a sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection...

CVE-2023-31671

PrestaShop postfinance = 17.1.13 is vulnerable to SQL Injection via PostfinanceValidationModuleFrontController::postProcess...

CVE-2023-31227

The hwPartsDFR module has a vulnerability in API calling verification. Successful exploitation of this vulnerability may affect device confidentiality...