8276 matches found

Tenable Nessus
added 2020/03/16 12:0 a.m. | 19 views

GLSA-202003-33 : GStreamer Base Plugins: Heap-based buffer overflow

The remote host is affected by the vulnerability described in GLSA-202003-33 (GStreamer Base Plugins: Heap-based buffer overflow). It was discovered that GStreamer Base Plugins did not correctly handle certain malformed RTSP streams. Impact: A remote attacker could entice a user to open a specially...

CVSS 8.8, AI score 8.4, EPSS 0.05962
Exploits: 0, References: 2

Hacker One
added 2020/03/15 5:34 p.m. | 76 views

Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements

This bug report mostly concerns the default CNI plugins https://github.com/containernetworking/plugins but I believe affects many K8S clusters. Because the CNI team still doesn’t provide an explicit way to report security bugs, I hope the K8S security team doesn’t mind doing the coordination job...

CVSS 9.3, AI score 7, EPSS 0.14555
Exploits: 0

Gentoo Linux
added 2020/03/15 12:0 a.m. | 97 views

GStreamer Base Plugins: Heap-based buffer overflow

Background: A well-groomed and well-maintained collection of GStreamer plug-ins and elements, spanning the range of possible types of elements one would want to write for GStreamer. Description: It was discovered that GStreamer Base Plugins did not correctly handle certain malformed RTSP streams...

CVSS 8.8, AI score 3.3, EPSS 0.05962
Exploits: 0

WPVulnDB
added 2020/03/11 12:0 a.m. | 12 views

Multiple WebToffee Plugins - Cross-Site Request Forgery (CSRF) Issue

From https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users/ at the bottom "Several additional WooCommerce-centric import/export plugins from WebToffee used the same import functionality. However, they were unable to be activated unless WooCommerce was...

AI score 1.5
Exploits: 0, References: 1, Affected Software: 6

ThreatPost
added 2020/03/10 8:30 p.m. | 347 views

Popular ThemeREX WordPress Plugin Opens Websites to RCE

A critical vulnerability in a WordPress plugin known as “ThemeREX Addons” could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day. The plugin, which is installed on approximately 44,000...

AI score 0.3, EPSS 0.9981
Exploits: 124, References: 6

ThreatPost
added 2020/03/10 8:30 p.m. | 632 views

Popular ThemeREX WordPress Plugin Opens Websites to RCE

A critical vulnerability in a WordPress plugin known as “ThemeREX Addons” could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day. The plugin, which is installed on approximately 44,000...

AI score 0.3, EPSS 0.26869
Exploits: 0, References: 6

RedHat Linux
added 2020/03/10 12:2 p.m. | 5 views

ansible: secrets disclosed on logs when no_log enabled

Ansible was logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process...

CVSS 7.8, AI score 7.2, EPSS 0.00509
Exploits: 0, References: 4

Tenable Nessus
added 2020/03/09 12:0 a.m. | 14 views

Fedora 31 : seamonkey (2020-bf6ca75fec)

Upgrade to 2.53.1 SeaMonkey-2.53.1, being initially based on the Firefox-56 and Thunderbird-56 code, incorporates now a lot of backported features and security fixes from the newer Firefox/Thunderbird versions up to 75. That way it tries to be a modern browser, preserving the same time the famili...

AI score 5.5
Exploits: 0, References: 2

Veracode
added 2020/03/05 3:11 a.m. | 8 views

Denial Of Service (DoS)

github.com/micro/go-plugins is vulnerable to denial of service (DoS) attacks. The vulnerability is possible due to an invalid memory access in the 'Leader' function in leader.go, allowing an attacker to cause an application crash...

AI score 4.4
Exploits: 0

Tenable Nessus
added 2020/03/02 12:0 a.m. | 38 views

Debian DLA-2126-1 : gst-plugins-base0.10 security update

Some issues have been found in gst-plugins-base0.10, a package that provides GStreamer plugins from the 'base' set. All issues are related to crafted ico-files that could result in an out-of-bounds read or crafted video- and ASDF-files that could produce floating point exceptions, which could caus...

CVSS 5.5, AI score 5.9, EPSS 0.02527
Exploits: 0, References: 5

Debian
added 2020/02/28 10:32 p.m. | 119 views

[SECURITY] [DLA 2126-1] gst-plugins-base0.10 security update

Package : gst-plugins-base0.10 Version : 0.10.36-2+deb8u2 CVE ID : CVE-2016-9811 CVE-2017-5837 CVE-2017-5844 Some issues have been found in gst-plugins-base0.10, a package that provides GStreamer plugins from the "base" set. All issues are related to crafted ico-files that could result in an...

CVSS 5.5, AI score 6.3, EPSS 0.02527
Exploits: 0

OSV
added 2020/02/28 12:0 a.m. | 33 views

DLA-2126-1 gst-plugins-base0.10 - security update

Bulletin has no description...

CVSS 5.5, AI score 5.7, EPSS 0.02527
Exploits: 0

Debian CVE
added 2020/02/27 10:6 p.m. | 30 views

CVE-2020-9430

In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the WiMax DLMAP dissector could crash. This was addressed in plugins/epan/wimax/msgdlmap.c by validating a length field...

CVSS 7.5, AI score 7.1, EPSS 0.0281
Exploits: 1

Fedora
added 2020/02/27 4:45 p.m. | 16 views

[SECURITY] Fedora 30 Update: caddy-1.0.3-2.fc30

Caddy is the web server with automatic HTTPS. This package was built with the following plugins: http.geoip http.realip tls.dns.azure tls.dns.cloudflare tls.dns.digitalocean tls.dns.googlecloud tls.dns.powerdns tls.dns.rackspace tls.dns.route53...

AI score 1
Exploits: 0

OSV
added 2020/02/26 7:54 p.m. | 1 views

GHSA-3M93-M4Q6-MC6V Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, does not respect the no_log flag set to True when the Sumologic and Splunk callback plugins are used to send task result events to collectors. This would disclose and collect any sensitive data...

CVSS 6.5, AI score 6.8, EPSS 0.01857
Exploits: 1, References: 17

CVE
added 2020/02/17 9:14 p.m. | 98 views

CVE-2014-7236

CVE-2014-7236 affects TWiki (lib/TWiki/Plugins.pm) prior to 6.0.1. The vulnerability is an eval injection in the debugenableplugins parameter used during do/view/Main/WebHome, enabling remote Perl code execution with the web server user’s privileges. Evidence across sources (CVE entry, NVD/CIRCL/...

CVSS 9.1, AI score 9.3, EPSS 0.55637
Exploits: 12, References: 4, Affected Software: 1

Tenable Nessus
added 2020/02/12 12:0 a.m. | 42 views

Ubuntu 16.04 LTS / 18.04 LTS : Qt vulnerabilities (USN-4275-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4275-1 advisory. It was discovered that Qt incorrectly handled certain PPM images. If a user or automated system were tricked into opening a specially crafted...

CVSS 7.3, AI score 7.1, EPSS 0.0205
Exploits: 2, References: 5

NVD
added 2020/02/11 8:15 p.m. | 14 views

CVE-2012-6721

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4...

CVSS 6.8, AI score 6.6, EPSS 0.00336
Exploits: 0, References: 1

Cvelist
added 2020/02/11 7:55 p.m. | 26 views

CVE-2012-6721

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) Forum, (2) Event, and (3) Classifieds plugins in SocialEngine before 4.2.4...

AI score 6.6, EPSS 0.00336
Exploits: 0, References: 1

OpenVAS
added 2020/02/11 12:0 a.m. | 54 views

Ubuntu: Security Advisory (USN-4275-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.3, AI score 6.5, EPSS 0.0205
Exploits: 2, References: 2