matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content
Impact MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated wa...
SUSE-SU-2025:0143-1 Security update for apache2-mod_jk
This update for apache2-mod_jk fixes the following issues: - Update to version 1.2.50: - CVE-2024-46544: Fixed an incorrect default permissions vulnerability that could lead to information disclosure and/or denial of service. bsc#1230916...
CVE-2024-45337 affecting package docker-compose for versions less than 2.27.0-2
CVE-2024-45337 affecting package docker-compose for versions less than 2.27.0-2. A patched version of the package is available...
PT-2025-3565 · Jfinaloa · Jfinaloa
Name of the Vulnerable Software and Affected Versions: JFinalOA versions prior to 2025.01.01 Description: A cross-site scripting (XSS) issue in the "common/getEditPage?view" interface allows attackers to execute arbitrary web scripts or HTML via a crafted payload. This could potentially lead to the...
PT-2025-4889 · Unknown · Emailshroud
Name of the Vulnerable Software and Affected Versions: EmailShroud versions prior to 2.2.1 Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Reflected XSS. This means an attacker can trick a user into performing unintended actions on a...
Crayfish allows Remote Code Execution via Homarus Authorization header
Impact Remote code execution may be possible in web-accessible installations of Homarus in certain configurations. Patches The issue has been patched in islandora/crayfish:4.1.0 Workarounds The exploit requires making a request against the Homarus /convert endpoint; therefore, the ability to...
SUSE-SU-2025:0130-1 Security update for dnsmasq
This update for dnsmasq fixes the following issues: - Version update to 2.90: - CVE-2023-50387: Fixed a Denial of Service while trying to validate specially crafted DNSSEC responses. bsc#1219823 - CVE-2023-50868: Fixed a Denial of Service while trying to validate specially crafted DNSSEC responses...
CVE-2024-54031
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext Access to genmask field in struct nft_set_ext results in unaligned atomic read: [ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c...
CVE-2024-53681
In the Linux kernel, the following vulnerability has been resolved: nvmet: Don't overflow subsysnqn nvmet_root_discovery_nqn_store treats the subsysnqn string like a fixed size buffer, even though it is dynamically allocated to the size of the string. Create a new string with kstrndup instead of usin...
CVE-2024-57890 RDMA/uverbs: Prevent integer overflow issue
In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression "cmd.wqe_size * cmd.wr_count", both variables are u32 values that come from the user so the multiplication can lead to integer wrapping. Then we pass the result to...
CVE-2024-57888
In the Linux kernel, the following vulnerability has been resolved: workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker After commit 746ae46c1113 ("drm/sched: Mark scheduler work queues with WQ_MEM_RECLAIM") amdgpu started seeing the following warning: workqueue:...
PT-2025-1273
Name of the Vulnerable Software and Affected Versions SimpleHelp versions 5.5.7 and earlier Description SimpleHelp remote support software is affected by multiple path traversal vulnerabilities. These flaws allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp hos...
PT-2025-1265 · D Link · D-Link Dir-878
Name of the Vulnerable Software and Affected Versions: D-Link DIR-878 version 1.03 Description: A vulnerability has been found in the D-Link DIR-878, affecting an unknown function of the file /dllog.cgi of the component HTTP POST Request Handler. This issue leads to information disclosure and can...
CVE-2024-53263 Git LFS permits exfiltration of credentials via crafted HTTP URLs
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back fr...
CVE-2024-50349
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for whic...
2025-01 .NET 9.0.1 Security Update for x64 Server (KB5050526)
2025-01 .NET 9.0.1 Security Update for x64 Server KB5050526...
CVE-2025-23025
CVE-2025-23025 affects XWiki Platform due to the Realtime WYSIWYG Editor extension. A user with only edit rights can join a realtime session where other users have script or programming rights and insert script rendering macros that execute for those users, potentially enabling elevation of privi...
XWiki Realtime WYSIWYG Editor extension allows privilege escalation (PR) through realtime WYSIWYG editing
Impact NOTE: The Realtime WYSIWYG Editor extension was experimental, and thus not recommended, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only edit rights can join a realtime editing session where...