CVE-2023-2819

A stored cross-site scripting vulnerability in the Sources UI in Proofpoint Threat Response/ Threat Response Auto Pull PTR/TRAP could allow an authenticated administrator on an adjacent network to replace the image file with an arbitrary MIME type. This could result in arbitrary javascript code...

CVE-2023-34101

Contiki-NG is an operating system for internet of things devices. In version 4.8 and prior, when processing ICMP DAO packets in the daoinputstoring function, the Contiki-NG OS does not verify that the packet buffer is big enough to contain the bytes it needs before accessing them. Up to 16 bytes...

PT-2023-21627 · Proofpoint · Proofpoint Threat Response

Name of the Vulnerable Software and Affected Versions: Proofpoint Threat Response / Threat Response Auto-Pull PTR/TRAP versions prior to 5.10.0 Description: An information disclosure issue in the faye endpoint could allow an attacker on an adjacent network to obtain credentials to integrated...

CVE-2023-34247

Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to...

CVE-2023-34247 @keystone-6/auth Open Redirect vulnerability

Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to...

PT-2023-24683 · Unknown · Taosdata/Grafanaplugin

Name of the Vulnerable Software and Affected Versions: taosdata/grafanaplugin affected versions not specified Description: The issue concerns a command injection vulnerability in the Release PR Merged workflow. This vulnerability allows for arbitrary code execution within the GitHub action contex...

Borrower can block being defaulted or auctioned

Lines of code Vulnerability details Borrower can block being defaulted or auctioned The borrower can potentially block the liquidation and auction processed by using a contract and reverting on ETH transfers. Impact When a loan is being liquidated or auctioned, any credit still available to the...

CVE-2023-33975

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used...

Design/Logic Flaw

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used...

Null pointer dereference

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference...

Race condition

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions...

CVE-2023-33975 RIOT-OS vulnerable to Out of Bounds Write in _rbuf_add

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used...

CVE-2023-33975 RIOT-OS vulnerable to Out of Bounds Write in _rbuf_add

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In version 2023.01 and prior, an attacker can send a crafted frame to the device resulting in an out of bounds write in the packet buffer. The overflow can be used...

CVE-2023-33974 RIOT-OS vulnerable to Race Condition in SFR Timeout

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions...

CVE-2023-33974 RIOT-OS vulnerable to Race Condition in SFR Timeout

RIOT-OS, an operating system for Internet of Things IoT devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send multiple crafted frames to the device to trigger a race condition. The race condition invalidates assumptions...

PT-2023-3147 · Riot-Os · Riot-Os

Name of the Vulnerable Software and Affected Versions: RIOT-OS versions 2023.01 and prior Description: The issue is related to the processing of 6LoWPAN frames in the network stack of RIOT-OS, an operating system for Internet of Things IoT devices. An attacker can send a crafted frame that, when...

Command injection

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.headref field. The github.headref value is an...

PT-2023-23164 · Nextcloud · Nextcloud Cookbook

Name of the Vulnerable Software and Affected Versions: NextCloud Cookbook versions prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch Description: The issue concerns a command injection vulnerability due to the use of an untrusted github.head ref field in t...

SUSE-SU-2023:2292-1 Security update for kubernetes1.23

This update for kubernetes1.23 fixes the following issues: - add kubernetes1.18-client-common as conflicts with kubernetes-client-bash-completion - Split individual completions into separate packages Update to version 1.23.17: releng: Update images, dependencies and version to Go 1.19.6 Update...

Synapse does not apply enough checks to servers requesting auth events of events in a room

Impact Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorisation events of events in a room. This is necessary so that a homeserver receiving some events can validate that those...