
30456 matches found

Oracle linux
added 2024/12/19 12:00 a.m. · 9 views

mpg123:1.32.9 security update

- 1.32.9-1: Rebase to 1.32.9, includes patch for CVE-2024-10573. Resolves: RHEL-65445
- 1.26.2-6: Add patch for CVE-2024-10573. Resolves: RHEL-65445...

CVSS 6.7 · AI score 6.9 · EPSS 0.00348
Exploits 0
NVD
added 2024/12/18 8:15 p.m. · 7 views

CVE-2024-49363

Misskey is an open source, federated social media platform. In affected versions, the FileServerService media proxy in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed...

CVSS 7.4 · EPSS 0.00305
Exploits 0 · References 1
OSV
added 2024/12/18 3:3 p.m. · 17 views

SUSE-SU-2024:4376-1 Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP5 Azure kernel was updated to receive various security bugfixes. The following security bugs were fixed:
- CVE-2021-47594: mptcp: never allow the PM to close a listener subflow (bsc#1226560).
- CVE-2022-48983: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb (bsc#1231959).
- ...

CVSS 8.1 · AI score 8.3 · EPSS 0.03301
Exploits 3 · References 494
Cvelist
added 2024/12/17 3:55 p.m. · 29 views

CVE-2024-53144 Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE. This aligned the BR/EDR JUST_WORKS method with LE, which since 92516cd97fd4 "Bluetooth: Always request for user confirmation for Just Works" always requests user confirmation wi...

EPSS 0.02033
Exploits 0 · References 8
OpenVAS
added 2024/12/17 12:00 a.m. · 14 views

SUSE: Security Advisory (SUSE-SU-2024:4327-1)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description)...

CVSS 7.5 · AI score 6.5 · EPSS 0.01085
Exploits 0 · References 4
Github Security Blog
added 2024/12/16 5:27 p.m. · 27 views

MinIO vulnerable to privilege escalation in IAM import API

Impact: Privilege escalation in the IAM import API; all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f. Patches: commit f246c9053f9603e610d98439799bdd2a6b293427, Author: Aditya Manthramurthy, Date: Wed Dec 11 18:09:40 2024 -0800, "fix: Privilege escalation in IAM import API"...

CVSS 9.3 · AI score 6.3 · EPSS 0.00702
Exploits 0 · References 6 · Affected Software 1
OSV
added 2024/12/16 2:00 p.m. · 7 views

BIT-NODE-MIN-2023-23936 CRLF Injection in Nodejs ‘undici’ via host

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing it to...

CVSS 6.5 · AI score 6.7 · EPSS 0.01129
Exploits 1 · References 5
Oracle linux
added 2024/12/16 12:00 a.m. · 20 views

gstreamer1-plugins-good security update

- 1.22.1-3: CVE-2024-47537, CVE-2024-47539, CVE-2024-47540, CVE-2024-47606, CVE-2024-47613. Resolves: RHEL-70954, RHEL-70967, RHEL-70941, RHEL-71027. Resolves: RHEL-71003...

CVSS 8.6 · AI score 6.9 · EPSS 0.01344
Exploits 0
Positive Technologies
added 2024/12/16 12:00 a.m. · 4 views

PT-2024-35723

Name of the Vulnerable Software and Affected Versions: The Events Calendar WordPress plugin versions prior to 6.8.2.1. Description: The issue is related to missing access checks in the REST API, allowing unauthenticated users to access information about password-protected events. Recommendations: For...

CVSS 5.3 · AI score 7.3 · EPSS 0.01071
Exploits 1 · References 10
Positive Technologies
added 2024/12/16 12:00 a.m. · 5 views

PT-2024-16023 · Telerik · Telerik Ui For Wpf

Name of the Vulnerable Software and Affected Versions: Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213). Description: A code execution attack is possible through an insecure deserialization vulnerability. This issue affects Telerik UI for WPF and can be exploited, allowing for code...

CVSS 9.8 · AI score 7.3 · EPSS 0.00743
Exploits 0 · References 14
Positive Technologies
added 2024/12/14 12:00 a.m. · 3 views

PT-2024-17231 · WordPress · Tcbd Popover

Name of the Vulnerable Software and Affected Versions: TCBD Popover plugin for WordPress versions prior to 1.2. Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'tcbd-popover-image' shortcode due to insufficient input sanitization and output escaping on user-suppli...

CVSS 6.4 · AI score 6.2 · EPSS 0.00351
Exploits 0 · References 14
Positive Technologies
added 2024/12/14 12:00 a.m. · 2 views

PT-2024-17324 · WordPress · My Idx Home Search

Name of the Vulnerable Software and Affected Versions: My IDX Home Search plugin for WordPress versions up to, and including, 2.0.1. Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-search' shortcode due to insufficient input sanitization and output...

CVSS 6.4 · AI score 6.2 · EPSS 0.00338
Exploits 0 · References 12
Positive Technologies
added 2024/12/14 12:00 a.m. · 6 views

PT-2024-16756 · WordPress · Visualmodo Elements

Name of the Vulnerable Software and Affected Versions: Visualmodo Elements plugin for WordPress versions up to, and including, 1.0.2. Description: The issue is related to Stored Cross-Site Scripting via REST API SVG file uploads due to insufficient input sanitization and output escaping. This allo...

CVSS 6.4 · AI score 6.3 · EPSS 0.00287
Exploits 0 · References 5
Ubuntu
added 2024/12/13 8:38 p.m. · 30 views

USN-7157-2: PHP regression

USN-7157-1 fixed vulnerabilities in PHP. The patch for CVE-2024-8932 caused a regression in php7.4. This update fixes the problem. Original advisory details: It was discovered that PHP incorrectly handled certain inputs when processed with convert.quoted-printable-decode filters. An attacker coul...

CVSS 9.8 · AI score 7.8 · EPSS 0.02286
Exploits 4
OSV
added 2024/12/13 3:59 p.m. · 5 views

CVE-2024-54139 Combodo iTop vulnerable to XSS leading to CSRF breach on _table_id parameter

Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0, iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the _table_id parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the...

CVSS 7.9 · AI score 7.6 · EPSS 0.00206
Exploits 0 · References 3
NVD
added 2024/12/13 10:15 a.m. · 12 views

CVE-2024-10783

The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured stat...

CVSS 8.1 · EPSS 0.02303
Exploits 0 · References 7
CVE
added 2024/12/13 3:24 a.m. · 52 views

CVE-2024-12300

CVE-2024-12300 (AR for WordPress) is an unauthorized double-extension file upload vulnerability in the AR for WordPress plugin, caused by a missing capability check in set_ar_featured_image(). The issue affects all versions up to and including 7.3, enabling unauthenticated attackers to ...

CVSS 3.7 · AI score 4.1 · EPSS 0.00374
Exploits 0 · References 3
Tenable Nessus
added 2024/12/13 12:00 a.m. · 12 views

CBL Mariner 2.0 Security Update: kernel (CVE-2024-50186)

The version of kernel installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-50186 advisory. - In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, wh...

CVSS 7.8 · AI score 6.2 · EPSS 0.00231
Exploits 0 · References 2
Positive Technologies
added 2024/12/13 12:00 a.m. · 5 views

PT-2024-12959 · Analytify · Analytify

Name of the Vulnerable Software and Affected Versions: Analytify versions 5.1.0 and earlier. Description: The issue is related to missing authorization in Analytify, allowing exploitation of incorrectly configured access control security levels. Recommendations: For versions 5.1.0 and earlier,...

CVSS 8.8 · AI score 9.1 · EPSS 0.00444
Exploits 0 · References 5
Positive Technologies
added 2024/12/13 12:00 a.m. · 3 views

PT-2024-12331 · Webcodin · Webcodin Wcp Contact Form

Name of the Vulnerable Software and Affected Versions: Webcodin WCP Contact Form versions 3.1.0 and earlier. Description: The issue is related to a Missing Authorization vulnerability, which allows the exploitation of incorrectly configured access control security levels. Recommendations: For...

CVSS 7.5 · AI score 9.4 · EPSS 0.00779
Exploits 0 · References 3