33 matches found

AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in axis

UNSUPPORTED WHEN ASSIGNED When integrating Apache Axis 1.x in an application, it might not have been obvious that using “ServiceFactory.getService” could allow for the use of potentially dangerous lookup mechanisms, such as LDAP. Passing untrusted input to this API method could expose the...

CVSS 9.8 | AI score 7.2 | EPSS 0.00707
Exploits: 0 | References: 2
OSV
added 2026/04/24 8:43 p.m., 1 view

GHSA-GX2M-MCC2-R4P3 wlc: print_html outputs API data without HTML escaping

Impact: The HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. Patches: https://github.com/WeblateOrg/wlc/pull/1327 Workarounds: The only vulnerable code path is HTML output which is opt-in. Reference...

CVSS 5.1 | AI score 5.7 | EPSS 0.00036
Exploits: 0 | References: 6
Github Security Blog
added 2026/04/16 8:43 p.m., 4 views

Weblate: Arbitrary File Read via Symlink

Impact: The ZIP download feature didn't verify downloaded file and it could follow symlinks outside the repository. Patches: https://github.com/WeblateOrg/weblate/pull/18683 References: Thanks to @DavidCarliez for reporting this vulnerability via GitHub...

CVSS 7.7 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2026/04/16 8:41 p.m., 0 views

GHSA-VJ45-X3PJ-F4W4 Weblate: Improper access control for pending tasks in API

Impact: The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. Patches: https://github.com/WeblateOrg/weblate/pull/18515 Workarounds: The attacker needs to guess the random UUID of the task, so...

CVSS 3.1 | AI score 5.8 | EPSS 0.00011
Exploits: 0 | References: 5
Github Security Blog
added 2026/04/01 7:45 p.m., 2 views

aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage

Summary: Insufficient restrictions in header/trailer handling could cause uncapped memory usage. Impact: An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy...

CVSS 7.5 | AI score 5.9 | EPSS 0.0002
Exploits: 0 | References: 5 | Affected Software: 1
Tenable Nessus
added 2025/09/19 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2022-50360

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: fix aux-bus EP lifetime Device-managed resources allocated post component bind...

CVSS 5.5 | AI score 5.8 | EPSS 0.00025
Exploits: 0 | References: 2
GithubExploit
added 2025/09/17 7:22 a.m., 304 views

Exploit for CVE-2024-58239

CVE-2024-58239 mitigation exploit This is my first 1-day expl...

CVSS 5.5 | AI score 6.9 | EPSS 0.00009
Exploits: 2
OSV
added 2025/07/28 7:15 p.m., 1 view

AZL-65987 CVE-2025-8194 affecting package python3 for versions less than 3.12.9-4

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives...

CVSS 7.5 | AI score 6.8 | EPSS 0.01007
Exploits: 0 | References: 1
Positive Technologies
added 2023/03/29 12:0 a.m., 1 view

PT-2023-17183 · Pimcore · Pimcore

Name of the Vulnerable Software and Affected Versions: pimcore/pimcore versions prior to 10.5.20 Description: The issue is related to Cross-site Scripting XSS - Generic in the GitHub repository pimcore/pimcore. This is a type of security vulnerability that can allow an attacker to inject maliciou...

CVSS 5.4 | AI score 4.9 | EPSS 0.00009
Exploits: 1 | References: 10
Hive Pro Threat Advisories
added 2022/03/22 7:19 a.m., 28 views

Berkeley Internet Name Domain (BIND) affected by multiple vulnerabilities

THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here The Internet Systems Consortium ISC has published security upgrades to address several vulnerabilities in the widely used Berkeley Internet Name Domain BIND server software. An attacker could take advantage of some of these...

AI score 0.5 | EPSS 0.00781
Exploits: 0
Hive Pro Threat Advisories
added 2022/03/17 2:17 p.m., 53 views

OpenSSL exposed to Denial-of-service vulnerability causing Infinite Loop

THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here. A security flaw exists in OpenSSL software library that could lead to a denial-of-service DoS condition when parsing certificates. The vulnerability, identified as CVE-2022-0778, arises from parsing a malformed certificate...

CVSS 5 | AI score 0.6 | EPSS 0.06863
Exploits: 2
Hive Pro Threat Advisories
added 2022/03/15 10:7 a.m., 471 views

LockBit 2.0 Ransomware affiliates targeting Renowned Organizations

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Since September 2021, LockBit 2.0 has targeted 500+ organizations in vital areas globally. The most recent attack targeted well-known tire producer Bridgestone, software behemoth Accenture, and the French Ministry of Justice...

CVSS 10 | AI score 0.3 | EPSS 0.94485
Exploits: 41
Hive Pro Threat Advisories
added 2022/03/10 6:21 a.m., 46 views

Mozilla release Security Advisories for multiple vulnerabilities affecting Firefox and Firefox ESR

THREAT LEVEL: Green. For a detailed advisory, download the pdf file here Mozilla addressed multiple security vulnerabilities by releasing two security advisories and four of the bugs have high impact. One of the four vulnerabilities is a Time-of-Check Time-of-Use bug CVE-2022-26387, which occurs...

AI score 9 | EPSS 0.00236
Exploits: 2
Hive Pro Threat Advisories
added 2022/02/16 1:43 p.m., 36 views

VMware addresses security flaws discovered during Tianfu Cup Pwn Contest

THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here VMware addressed vulnerabilities in ESXi, Workstation, Fusion, and Cloud Foundation, few months after the discovery of these bugs by participants at Tianfu Cup Pwn Contest. VMware has rated some of these vulnerabilities as...

CVSS 6 | AI score 0.7 | EPSS 0.00459
Exploits: 0
Hive Pro Threat Advisories
added 2022/02/14 6:10 a.m., 25 views

Multiple vulnerabilities affect Mozilla Firefox and Firefox ESR

THREAT LEVEL: Green. For a detailed advisory, download the pdf file here Mozilla has issued two security advisories, which addresses 13 security issues in Firefox and Firefox ESR. Four of the thirteen have been rated as high, and some of these vulnerabilities, if successfully exploited, might all...

AI score 0.9 | EPSS 0.00533
Exploits: 1
Hive Pro Threat Advisories
added 2022/02/09 1:44 p.m., 35 views

Microsoft Patch Tuesday addresses a zero-day vulnerability in Windows Kernel

THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here Microsoft addressed 51 vulnerabilities in the February 2022 patch Tuesday release, one of which was classified as a zero-day vulnerability. A remote attacker could exploit some of these vulnerabilities to gain control of a...

CVSS 6.9 | AI score 0.3 | EPSS 0.02161
Exploits: 0
Hive Pro Threat Advisories
added 2022/01/17 3:52 p.m., 15 views

WordPress plugins affected by critical vulnerability impacting 84,000 websites

THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here. WordPress powers over 43.0% of all the websites on the Internet. A Cross-Site Request Forgery vulnerability CVE-2022-0215 was discovered in three plugins of WordPress. This flaw made it possible for an attacker to update...

CVSS 6.8 | AI score 0.8 | EPSS 0.00318
Exploits: 2
Hive Pro Threat Advisories
added 2021/09/20 5:48 a.m., 28 views

ManageEngine ADSelfService Plus has been abused in the wild due to a zero-day vulnerability

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. An APT actor is attempting to exploit a zero-day vulnerability in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution that poses a high risk to critical infrastructure companies,...

AI score 1
Exploits: 0
Exploit DB
added 2020/12/01 12:0 a.m., 474 views

Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities

Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities Date: 11-14-2020 Exploit Author: Matthew Aberegg Vendor Homepage: https://pandorafms.com/ Software Link: https://pandorafms.com/community/get-started/ Version: Pandora FMS 7.0 NG 749 Tested on: Ubuntu...

AI score 7.4
Exploits: 0
0day.today
added 2020/05/27 12:0 a.m., 30 views

osTicket 1.14.1 - (Ticket Queue) Persistent Cross-Site Scripting Vulnerability

Exploit for php platform in category web applications Exploit Title: osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting Exploit Author: Matthew Aberegg Vendor Homepage: https://osticket.com Patch Link:...

AI score 0.1
Exploits: 0