55 matches found

CNNVD
added 2026/04/09 12:00 a.m., 3 views

Directus security vulnerability

Directus is an open-source real-time API and application dashboard developed by Directus. It is used to manage SQL database content. Versions of Directus prior to 11.17.0 contained a security vulnerability. This vulnerability stemmed from the PATCH /files/id endpoint accepting a user-controlled...

CVSS 8.8, AI score 5.8, EPSS 0.0004
Exploits 0, References 2
OSV
added 2026/03/31 4:50 p.m., 1 view

JLSEC-2026-12

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files; specifically, the EDITORPROGRAM invocation using ed can result in code execution. This attack appears to be exploitable via a patch file processed by the patch utility. This is similar to FreeBSD's...

CVSS 7.8, AI score 7.1, EPSS 0.36762
Exploits 0, References 40
Tenable Nessus
added 2026/01/16 12:00 a.m., 2 views

MiracleLinux 4 : patch-2.6-8.AXS4 (AXSA:2018-2973:01)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2018-2973:01 advisory. patch: Malicious patch files cause ed to execute arbitrary commands (CVE-2018-1000156). Tenable has extracted the preceding description block directly from the...

CVSS 7.8, AI score 7.9, EPSS 0.36762
Exploits 0, References 2
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2019-5066

Malware in sbrugna...

CVSS 9.3, AI score 7.7, EPSS 0.0205
Exploits 0, References 22

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2015-1553

Malware in sbrugna...

CVSS 9.3, AI score 7.5, EPSS 0.00878
Exploits 0, References 8

EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2011-0438

Malware in sbrugna...

CVSS 2.1, AI score 6.1, EPSS 0.00066
Exploits 1, References 8
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-42735

Malicious code in bioql PyPI...

CVSS 9.8, AI score 6.6, EPSS 0.00208
Exploits 0, References 3
NVD
added 2024/10/15 9:15 a.m., 10 views

CVE-2024-47943

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks whether the patch files are signed before executing the run.sh script they contain. The signing process is a kind of HMAC with a long string as key, which is hard-coded in the...

CVSS 9.8, EPSS 0.00208
Exploits 0, References 3
Cvelist
added 2024/10/15 8:57 a.m., 15 views

CVE-2024-47943 Improper signature verification of firmware upgrade files

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks whether the patch files are signed before executing the run.sh script they contain. The signing process is a kind of HMAC with a long string as key, which is hard-coded in the...

EPSS 0.00208
Exploits 0, References 2
CVE
added 2024/10/15 8:57 a.m., 42 views

CVE-2024-47943

CVE-2024-47943 affects the Rittal IoT Interface & CMC III Processing Unit. The firmware upgrade feature does not properly verify patch signatures: the signing uses an HMAC-like mechanism with a hard-coded key, which is publicly available, allowing attackers to craft malicious signed .patch files ...

CVSS 9.8, AI score 7.4, EPSS 0.00208
Exploits 0, References 3
Vulnrichment
added 2024/10/15 8:57 a.m., 8 views

CVE-2024-47943 Improper signature verification of firmware upgrade files

The firmware upgrade function in the admin web interface of the Rittal IoT Interface & CMC III Processing Unit devices checks whether the patch files are signed before executing the run.sh script they contain. The signing process is a kind of HMAC with a long string as key, which is hard-coded in the...

AI score 7.7, EPSS 0.00208
Exploits 0, References 2
Tenable Nessus
added 2024/06/03 12:00 a.m., 22 views

RHEL 5 : patch (Unpatched Vulnerability)

The remote Red Hat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - patch: Malicious patch files cause ed to execute arbitrary commands (CVE-2018-1000156) - Directory traversa...

CVSS 7.8, AI score 7.9, EPSS 0.36762
Exploits 0, References 4
Tenable Nessus
added 2023/02/23 12:00 a.m., 53 views

Amazon Linux 2 : rust (ALAS-2023-1959)

The version of rust installed on the remote host is prior to 1.66.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-1959 advisory. Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code ...

CVSS 8.1, AI score 8.1, EPSS 0.08941
Exploits 0, References 6
NVD
added 2022/09/14 6:15 p.m., 17 views

CVE-2022-36114

Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts far more data than its size, also known as a...

CVSS 6.5, EPSS 0.0048
Exploits 0, References 2
Cvelist
added 2022/09/14 12:00 a.m., 18 views

CVE-2022-36113 Extracting malicious crates can corrupt arbitrary files

Cargo is a package manager for the Rust programming language. After a package is downloaded, Cargo extracts its source code in the /.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the...

CVSS 4.6, AI score 8.6, EPSS 0.08941
Exploits 0, References 2
OSV
added 2022/09/14 12:00 a.m., 20 views

CVE-2022-36114 Extracting malicious crates can fill the file system

Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts far more data than its size, also known as a...

CVSS 4.8, AI score 7.2, EPSS 0.0048
Exploits 0, References 4
Debian CVE
added 2022/09/14 12:00 a.m., 26 views

CVE-2022-36114

Cargo is a package manager for the Rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts far more data than its size, also known as a...

CVSS 6.5, AI score 6.9, EPSS 0.0048
Exploits 0
OSV
added 2022/05/25 7:19 p.m., 1 view

CLSA-2022-1653506357 Fixed 5 CVEs in java-1.8.0-openjdk

Upgrade to openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09. That fixes the following CVEs: - CVE-2022-21476: Defective secure validation in Apache Santuario - CVE-2022-21496: URI parsing inconsistencies - CVE-2022-21434: Improper object-to-string conversion in AnnotationInvocationHandler -...

CVSS 7.5, AI score 6.9, EPSS 0.00199
Exploits 0, References 1
CNVD
added 2021/12/26 12:00 a.m., 22 views

GNU patch denial of service vulnerability

GNU patch is a set of tools used by the GNU community to generate patch files. GNU patch has a denial of service vulnerability in version 2.7, which stems from an invalid pointer in the Otherhunk function; it can be exploited to cause a denial of service...

CVSS 5.5, AI score 3.8, EPSS 0.0015
Exploits 1, References 1
Github Security Blog
added 2020/09/01 4:42 p.m., 47 views

Cross-Site Scripting in yui

Affected versions of yui are vulnerable to cross-site scripting in the uploader.swf and io.swf utilities, via script injection in the url. Recommendation: YUI has published their recommendation to fix this issue. Their recommendation is to: - Delete self-hosted copies of these files if you are not...

CVSS 4.3, AI score 2.5, EPSS 0.0031
Exploits 0, References 9, Affected software 1