Trend Micro Mobile Security vulnerable to cross-site scripting

Overview Trend Micro Incorporated has released a security update for Trend Micro Mobile Security. Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of the solution through JVN. Impact A cross-site scripting attack may be conducted if a user who is logged in to the...

CVE-2023-31167 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Schweitzer Engineering Laboratories SEL-5036 acSELerator Bay Screen Builder Software on Windows allows Relative Path Traversal. SEL acSELerator Bay Screen Builder software is distributed by SEL-5033 SEL...

SUSE-SU-2023:3300-1 Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues: Update to version 2.40.5 bsc1213905: - CVE-2023-38133: Fixed information disclosure. - CVE-2023-38572: Fixed Same-Origin-Policy bypass. - CVE-2023-38592: Fixed arbitrary code execution. - CVE-2023-38594: Fixed arbitrary code execution. -...

CVE-2023-39533

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

CVE-2023-39533 libp2p nodes vulnerable to attack using large RSA keys

go-libp2p is the Go implementation of the libp2p Networking Stack. Prior to versions 0.27.8, 0.28.2, and 0.29.1 malicious peer can use large RSA keys to run a resource exhaustion attack & force a node to spend time doing signature verification of the large key. This vulnerability is present in th...

Ivanti Releases Security Updates for EPMM to address CVE-2023-35081

Ivanti has identified and released patches for a directory traversal vulnerabilitylink is external CVE-2023-35081, CWE-22link is external in Ivanti Endpoint Manager Mobile EPMM. This vulnerability allows an authenticated attacker to write arbitrary files with the operating system privileges of th...

Denial of service from unlimited password lengths

TL;DR This vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities...

CVE-2023-38492 Kirby vulnerable to denial of service from unlimited password lengths

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. The real-world impact of this vulnerability is limited, however we still...

PT-2023-4412 · Foxit · Foxit Pdf Editor +1

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader affected versions not specified Foxit PDF Editor affected versions not specified Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the...

Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities

Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "Attackers can bring the application into an unexpected state,...

Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the...

OESA-2023-1394 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. Quoting ZDI security advisory 1: "This vulnerability allows local attackers to disclose sensitive information on affected...

GHSA-JQHC-M2J3-FJRX SQLFluff users with access to config file, using `libary_path` may call arbitrary python code

Impact In environments where untrusted users have access to the config files e.g. .sqlfluff, there is a potential security vulnerability where those users could use the librarypath config value to allow arbitrary python code to be executed via macros. Jinja macros are executed within a sandboxed...

FreeBSD : OpenEXR -- heap buffer overflow in internal_huf_decompress (06428d91-152e-11ee-8b14-dbdd62da85fb)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 06428d91-152e-11ee-8b14-dbdd62da85fb advisory. - oss-fuzz reports: heap buffer overflow in internalhufdecompress. Cary Phillips reports: v3.1.9 - Patc...

Important: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`

Summary The return value when using delegate call mechanics, either through CallBuilder::delegate or inkenv::invokecontractdelegate, is being decoded incorrectly. Description Consider this minimal example: rust // First contract, this will be performing a delegate call to the Callee. inkstorage p...

Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities KEV catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buff...

GHSA-QFC5-6R3J-JJ22 Go package github.com/cosmos/cosmos-sdk module x/crisis does NOT cause chain halt

x/crisis does NOT cause chain halt Impact If an invariant check fails on a Cosmos SDK network and a transaction is sent to the x/crisis module to halt the chain, the chain does not halt. All versions of the x/crisis module is affected on all versions of the Cosmos SDK. Details The x/crisis module...

PT-2023-24605 · Multiversx · Mx-Chain-Go

Name of the Vulnerable Software and Affected Versions: mx-chain-go versions prior to 1.4.16 Description: The metachain cannot process a cross-shard miniblock. An invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor, which is a...

CVE-2023-30845 ESPv2 vulnerable to JWT authentication bypass via `X-HTTP-Method-Override` header

ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases...