openscap bug fix and enhancement update
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section...
ASB-A-172251622
In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.java, there is a possible way for HTML tags to interfere with a consent dialog due to improper input validation. This could lead to remote escalation of privilege, confusing the user into accepting pairing of a malicious Bluetoo...
Exploit for Code Injection in Gitlab
GitLab-preauth-RCE CVE-2021-22205 single line bash PoC for Gi...
Google Chrome under-validation vulnerability for untrusted inputs
Chrome, a simple and efficient web browsing tool developed by Google, is vulnerable to insufficient validation of untrusted input in Intents in versions prior to Google Chrome 95.0.4638.69. A remote attacker could exploit this vulnerability to arbitrarily browse malicious URLs via crafted HTML...
GSD-2021-1001853 mlxsw: thermal: Fix out-of-bounds memory accesses
mlxsw: thermal: Fix out-of-bounds memory accesses This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.75 by commit...
GSD-2021-1001811 xhci: Fix command ring pointer corruption while aborting a command
xhci: Fix command ring pointer corruption while aborting a command This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v4.19.213 by commit...
Panther Labs: Broken subdomain takeover of runpanther which was pointing towards herokuapp
An outdated link on our public blog pointed to a decommissioned Slack sign-up app hosted on Heroku for our also-decommissioned open source Slack community. The reporter was able to re-register the decommissioned subdomain with his own Heroku account...
CVE-2021-31682
creationtimestamp | type | source
---|---|---
2021-10-22 16:39:20+00:00 | seen | https://t.me/cibsecurity/31022
2023-04-27 09:58:59+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2021/CVE-2021-31682.yaml...
Cross-site Scripting (XSS) - Stored in archerysec/archerysec
Description The application is vulnerable to a Stored XSS attack. It is possible for an authenticated user to inject a JavaScript payload that will be executed in the web browser of the users viewing the concerned pages. When uploading a Burp scan, the XML field "issueBackground" of a vulnerabili...
Buffer overflow
Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware component: Outside In Filters. The supported version that is affected is 8.5.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In...
UVI-2021-1001637 HID: usbhid: free raw_report buffers in usbhid_stop
HID: usbhid: free raw_report buffers in usbhid_stop This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.71 by commit...
HackerOne: HTML injection in email at https://www.hackerone.com/
HTML injection was possible in emails sent via the HackerOne platform by filling the first name and last name fields with HTML tags on the pentest community application form. This could allow an attacker to send malicious emails and inject HTML into them...
reward tokens could get lost due to rounding down
Handle gpersoon Vulnerability details Impact The function depositRewardTokens divides the "amount" of tokens by allocatedTokensPerEpoch to calculate the endEpoch. When "amount" isn't a multiple of allocatedTokensPerEpoch the result of the division will be rounded down, effectively losing a number...
The formula of number of prizes for a degree is wrong
Handle WatchPug Vulnerability details The formula of the number of prizes for a degree per the document: is: Number of prizes for a degree = 2^bit range^degree - 2^bit range^degree-1 - 2^bit range^degree-2 - ... Should be changed to: Number of prizes for a degree = 2^bit range^degree - 2^bit...
Exploit for Path Traversal in Apache Http_Server
CVE-2021-4177...
Zoho ManageEngine ADManager Plus code issue vulnerability
ZOHO ManageEngine ADManager Plus is a suite of Microsoft Active Directory management software from ZOHO designed for enterprise users using Windows domains. The software assists AD administrators and help desk technicians with day-to-day management tasks, such as bulk management of user accounts...
ECOA BAS controller cross-site request forgery vulnerability
ECOA BAS controller is an intelligent lighting control solution. ECOA BAS controller is vulnerable to cross-site request forgery: an attacker who lures a logged-in user to a malicious web page can have that page send forged requests to the controller and execute CRUD commands, performing arbitrary actions on the system...
Exploit for Path Traversal in Apache Http_Server
CVE-2021-41773 Hello guys, yesterday the new CVE-2021-41773 f...
CVE-2021-0689
In RGB_to_BGR1_portable of SkSwizzler_opts.h, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10...
airportgoldentuliphotel.com Cross Site Scripting vulnerability OBB-2158377
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:
a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence...