SUSE-SU-2025:01551-1 Security update for go1.24

This update for go1.24 fixes the following issues: Update to go1.24.3 bsc1236217: Security fixes: - CVE-2025-22873: Fixed os.Root permits access to parent directory bsc1242715 Changelog: go73556 go73555 security: fix CVE-2025-22873 os: Root permits access to parent directory go73082 os: Root.Open...

CVE-2024-45308

HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by t...

CVE-2024-34080

MantisBT Mantis Bug Tracker is an open source issue tracker. If an issue references a note that belongs to another issue that the user doesn't have access to, then it gets hyperlinked. Clicking on the link gives an access denied error as expected, yet some information remains available via the...

CVE-2024-25221

A cross-site scripting XSS vulnerability in Task Manager App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note Section parameter at /TaskManager/Tasks.php...

CVE-2024-3138

DISPUTED A vulnerability was found in francoisjacquet RosarioSIS 11.5.1. It has been rated as problematic. This issue affects some unknown processing of the component Add Portal Note. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been...

CVE-2024-41613

A Cross Site Scripting XSS vulnerability in Symphony CMS 2.7.10 allows remote attackers to inject arbitrary web script or HTML by editing note...

CVE-2024-53268

Joplin is an open source, privacy-focused note taking app with sync capabilities for Windows, macOS, Linux, Android and iOS. In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows...

CVE-2023-34962

Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes...

CVE-2023-24812

Misskey is an open source, decentralized social media platform. In versions prior to 13.3.3 SQL injection is possible due to insufficient parameter validation in the note search API by tag notes/search-by-tag. This has been fixed in version 13.3.3. Users are advised to upgrade. Users unable to...

CVE-2022-3330

It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1...

CVE-2022-44947

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in the Highlight Row feature at /index.php?module=entities/listingtypesid=24. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note fiel...

CVE-2022-40812

The d8s-pdfs for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-file-system package. The affected version is 0.1.0...

CVE-2022-28789

Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities...

CVE-2022-28101

Turtlapp Turtle Note v0.7.2.6 does not filter the tag during markdown parsing, allowing attackers to execute HTML injection...

CVE-2022-2762

The AdminPad WordPress plugin before 2.2 does not have CSRF check when updating admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack...

CVE-2022-1688

The Note Press WordPress plugin through 0.1.10 does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections...

CVE-2020-6307

Automated Note Search Tool update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54 does not perform sufficient authorization checks leading to the reading of sensitive information...

CVE-2013-4620

Cross-site scripting XSS vulnerability in interface/main/onotes/officecommentsfull.php in OpenEMR 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the note parameter...

CVE-2019-14761

An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Note application. At a bare minimum, this allows an attacker to take control over the Note application's UI e.g.,...

CVE-2019-15385

The Infinix Note 5 Android device with a build fingerprint of Infinix/H633B/Infinix-X604sprout:8.1.0/O11019/L-IN-180206V64:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app versionCode=27, versionName=8.1.0 that allows any app co-located on the device...