10 matches found

Positive Technologies
added 2026/06/04 12:0 a.m. · 7 views

PT-2026-46853

Summary: plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance without...

CVSS 7.1 · AI score 6 · EPSS 0.0002
Exploits 1 · References 5
Positive Technologies
added 2026/02/27 12:0 a.m. · 3 views

PT-2026-22329

The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the paidy webhook permission check function that unconditionally returns true when the webhook signature header is...

CVSS 5.3 · AI score 6 · EPSS 0.0046
Exploits 0 · References 7
Github Security Blog
added 2025/10/15 8:12 p.m. · 5 views

go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents

Impact: This vulnerability only affects users of the AWS attestor. Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.^1 There are multiple...

CVSS 6.9 · AI score 6.9 · EPSS 0.00045
Exploits 0 · References 4 · Affected Software 1
Tenable Nessus
added 2025/08/30 12:0 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-31156

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies eith...

CVSS 6.6 · AI score 5.9 · EPSS 0.00193
Exploits 0 · References 2
Positive Technologies
added 2024/05/17 12:0 a.m. · 2 views

PT-2024-40163 · Flow3 · Flow3

Name of the Vulnerable Software and Affected Versions: FLOW3 (affected versions not specified)
Description: The issue is related to a missing signature HMAC for a request argument, which could allow an attacker to unserialize arbitrary objects within FLOW3. It is noted that code injection through...

CVSS 3.7 · AI score 7.5
Exploits 0 · References 4
Positive Technologies
added 2024/05/14 12:0 a.m. · 3 views

PT-2024-25815 · Typo3 · Typo3

Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 9.5.48 ELTS, TYPO3 versions prior to 10.4.45 ELTS, TYPO3 versions prior to 11.5.37 LTS, TYPO3 versions prior to 12.4.15 LTS, TYPO3 versions prior to 13.1.1
Description: The ShowImageController eID tx_cms_showpic lacks a...

CVSS 5.3 · AI score 7.3 · EPSS 0.0005
Exploits 0 · References 9
Amazon
added 2024/02/06 12:0 a.m. · 4 views

Medium: systemd

Issue Overview: systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles or the upstream DNS resolver to manipulate records. (CVE-2023-7008)
Affected Packages: systemd
Issue Correction: Run dnf update systemd --releasever 2023.3.2024020...

CVSS 5.9 · AI score 6.9 · EPSS 0.00477
Exploits 0
CNNVD
added 2023/11/29 12:0 a.m. · 2 views

Misskey Data Falsification Issue Vulnerability

Misskey is a suite of micro-blogging platforms. Misskey 2023.11.0 and prior versions suffer from a Data Forgery Issue vulnerability that stems from a lack of signature validation and allows an arbitrary user to impersonate any remote user...

CVSS 9.3 · AI score 7 · EPSS 0.00136
Exploits 0 · References 1
PyPA
added 2021/08/12 11:15 p.m. · 5 views

PYSEC-2021-790

TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a tf.map_fn within another tf.map_fn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tens...

CVSS 7.8 · AI score 7.2 · EPSS 0.00032
Exploits 0 · References 2 · Affected Software 1
RedHat Linux
added 2020/06/04 1:6 p.m. · 3 views

keycloak: SAML broker does not check existence of signature on document allowing any user impersonation

It was found that Keycloak's SAML broker did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to...

CVSS 8.1 · AI score 5.7 · EPSS 0.00136
Exploits 0 · References 4