Important: nodejs security and bug fix update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Permissions policies can be bypassed via Module.load CVE-2023-32002 nodejs: Permissions policies can impersonate other modules in using...

Microweber cross-site scripting vulnerability (CNVD-2023-79685)

Microweber is an online store management system that provides drag and drop functionality from the Microweber community in the United States. The system includes modules for adding products, images, and more. A cross-site scripting vulnerability exists in Microweber versions prior to 2.0, which...

Metasploit Weekly Wrap Up

New module content 3 LDAP Login Scanner Author: Dean Welch Type: Auxiliary Pull request: 18197 contributed by dwelch-r7 Path: scanner/ldap/ldaplogin Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication...

The vulnerability of the web page rendering modules in WebKitGTK and WPE WebKit, related to memory access after it is freed, allows attackers to execute arbitrary code.

The vulnerability of the Web page rendering modules in WebKitGTK and WPE WebKit lies in the access to memory after it has been freed. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

[SECURITY] Fedora 37 Update: slurm-22.05.9-5.fc37

Slurm is an open source, fault-tolerant, and highly scalable cluster management and job scheduling system for Linux clusters. Components include machine status, partition management, job management, scheduling and accounting modules...

CVE-2023-43664 Employee without any access rights can list all installed modules in Prestashop

PrestaShop is an Open Source e-commerce web application. In the Prestashop Back office interface, an employee can list all modules without any access rights: method ajaxProcessGetPossibleHookingListForModule doesn't check access rights. This issue has been addressed in commit 15bd281c which is...

PrestaShop allows employee without any access rights to list all installed modules

Impact In BO, an employee can list all modules without any access rights: method ajaxProcessGetPossibleHookingListForModule doesn't check access rights Patches Fixed on 8.1.2 Workarounds References...

PT-2023-28908 · Unknown · Prestashop

Name of the Vulnerable Software and Affected Versions: PrestaShop versions prior to 8.1.2 Description: PrestaShop is an Open Source e-commerce web application. In affected versions, any module can be disabled or uninstalled from the back office, even with low user rights. This allows low privileg...

nodejs: Permissions policies can be bypassed via process.binding

A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsync' to run arbitrary code outside of the limits defined in a...

nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()

A vulnerability was found in NodeJS. This security issue occurs as the use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module...

nodejs: Permissions policies can be bypassed via process.binding

A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsync' to run arbitrary code outside of the limits defined in a...

nodejs: Permissions policies can be bypassed via process.binding

A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsync' to run arbitrary code outside of the limits defined in a...

nodejs: mainModule.proto bypass experimental policy mechanism

A vulnerability has been discovered in Node.js, where the use of proto in process.mainModule.proto.require can bypass the policy mechanism and require modules outside of the policy.json definition...

nodejs: Permissions policies can be bypassed via process.binding

A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsync' to run arbitrary code outside of the limits defined in a...

RHEL 9 : nodejs:18 (RHSA-2023:5363)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5363 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...

Medium: ansible

Issue Overview: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the nolog...

Rockwell Automation Select Logix Communication Modules

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION : Exploitable remotely/low attack complexity Vendor : Rockwell Automation Equipment : 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR,...

CVE-2023-39677

MyPrestaModules Prestashop Module v6.2.9 and UpdateProducts Prestashop Module v3.6.9 were discovered to contain a PHPInfo information disclosure vulnerability via send.php...

ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +1898 more potentially affected by CVE-2023-4853 via io.quarkus:quarkus-vertx-http (>=3.0.0.Alpha1 <=3.2.5.Final)

io.quarkus:quarkus-vertx-http MAVEN version =3.0.0.Alpha1, =0.1.0, =0.1.0, =0.0.2, =0.1.1, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.10 and more Source cves: CVE-2023-4853 Source advisory: OSV:GHSA-4F4R-WGV2-JJVG...

Rockwell Automation select 1756-EN* Buffer Error Vulnerability

Rockwell Automation select 1756-EN is a series of modules from Rockwell Automation. The Rockwell Automation select 1756-EN contains a security vulnerability that can be exploited by an attacker to execute remote code by sending a maliciously crafted CIP request to the device...