Denial of service from unlimited password lengths

TL;DR This vulnerability affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. The real-world impact of this vulnerability is limited, however we still recommend to update to one of the patch releases because they also fix more severe vulnerabilities...

CVE-2023-38492 Kirby vulnerable to denial of service from unlimited password lengths

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. The real-world impact of this vulnerability is limited, however we still...

PT-2023-4412 · Foxit · Foxit Pdf Editor +1

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader affected versions not specified Foxit PDF Editor affected versions not specified Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the...

Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities

Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "Attackers can bring the application into an unexpected state,...

Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the...

OESA-2023-1394 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: An out-of-bounds read vulnerability was found in the SR-IPv6 implementation in the Linux kernel. Quoting ZDI security advisory 1: "This vulnerability allows local attackers to disclose sensitive information on affected...

GHSA-JQHC-M2J3-FJRX SQLFluff users with access to config file, using `libary_path` may call arbitrary python code

Impact In environments where untrusted users have access to the config files e.g. .sqlfluff, there is a potential security vulnerability where those users could use the librarypath config value to allow arbitrary python code to be executed via macros. Jinja macros are executed within a sandboxed...

FreeBSD : OpenEXR -- heap buffer overflow in internal_huf_decompress (06428d91-152e-11ee-8b14-dbdd62da85fb)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 06428d91-152e-11ee-8b14-dbdd62da85fb advisory. - oss-fuzz reports: heap buffer overflow in internalhufdecompress. Cary Phillips reports: v3.1.9 - Patc...

Important: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`

Summary The return value when using delegate call mechanics, either through CallBuilder::delegate or inkenv::invokecontractdelegate, is being decoded incorrectly. Description Consider this minimal example: rust // First contract, this will be performing a delegate call to the Callee. inkstorage p...

Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities KEV catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buff...

GHSA-QFC5-6R3J-JJ22 Go package github.com/cosmos/cosmos-sdk module x/crisis does NOT cause chain halt

x/crisis does NOT cause chain halt Impact If an invariant check fails on a Cosmos SDK network and a transaction is sent to the x/crisis module to halt the chain, the chain does not halt. All versions of the x/crisis module is affected on all versions of the Cosmos SDK. Details The x/crisis module...

PT-2023-24605 · Multiversx · Mx-Chain-Go

Name of the Vulnerable Software and Affected Versions: mx-chain-go versions prior to 1.4.16 Description: The metachain cannot process a cross-shard miniblock. An invalid transaction with the wrong username on metachain is not treated correctly on the metachain transaction processor, which is a...

CVE-2023-30845 ESPv2 vulnerable to JWT authentication bypass via `X-HTTP-Method-Override` header

ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases...

CVE-2023-29523 Code injection in display method used in user profiles in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write acces...

org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability

Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. Precondition: As an admin, add the Panels.IncludedDocuments...

Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : ClamAV vulnerabilities (USN-5887-1)

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5887-1 advisory. Simon Scannell discovered that ClamAV incorrectly handled parsing HFS+ files. A remote attacker could possibly use th...

Vulnerabilities fixed in ClamAV

ClamAV has fixed two vulnerabilities in ClamAV. A unauthenticated remote malicious person could exploit them to obtain sensitive information, or to execute arbitrary code with privileges from ClamAV. ClamAV has released updates to fix the vulnerabilities in ClamAV 1.0.1, 0.105.2 and 0.103.8. For...

SUSE CVE-2021-37671

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can cause undefined behavior via binding a reference to null pointer in tf.rawops.Map and tf.rawops.OrderedMap operations. The implementation has a check in place to ensure that indices is in...

SUSE CVE-2021-37674

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a segmentation fault in tf.rawops.MaxPoolGrad caused by missing validation. The implementation misses some validation for the originput and origoutput tensor...