nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite

The npm package "tar" aka node-tar has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted...

CVE-2021-32803

The npm package "tar" aka node-tar has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted...

CVE-2021-25683

It was discovered that the getstarttime function in data/apport did not properly parse the /proc/pid/stat file from the kernel...

CVE-2020-13598

FS: Buffer Overflow when enabling Long File Names in FATFS and calling fsstat. Zephyr versions = v1.14.2, = v2.3.0 contain Stack-based Buffer Overflow CWE-121. For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7fhv-rgxr-x56h...

systemd security, bug fix, and enhancement update

239-45.0.1 - backport upstream pstore tmpfiles patch Orabug: 31420486 - udev rules: fix memory hot add and remove Orabug: 31310273 - fix to enable systemd-pstore.service Orabug: 30951066 - journal: change support URL shown in the catalog entries Orabug: 30853009 - fix to generate...

GHSA-XFXF-QW26-HR33 Arbitrary command execution in roar-pidusage

This affects all current versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without inpu...

Design/Logic Flaw

This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input...

CVE-2021-23380

This affects all versions of package roar-pidusage. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input...

CVE-2021-24167

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

CVE-2021-24167

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

Design/Logic Flaw

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

CVE-2021-24167 Web-Stat < 1.4.1 - API Key Disclosure

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

CVE-2021-24167

CVE-2021-24167 affects WordPress Web-Stat plugins older than 1.4.1. The vulnerability stems from the wts_web_stat_load_init function, which causes the browser to request https://wts2.one/ajax.htm?action=lookup_WP_account. The request exposes the site’s wts_web_stat_uid via the pwpid parameter and...

Web-Stat 信息泄露漏洞

WordPress Web-Stat is a WordPress open source application. Takes all the content that can be detected and presents the results in clear, user-friendly charts and graphs. A security vulnerability exists in Web-Stat versions prior to 1.4.0 that stems from the wts web stat load init function using t...

Arbitrary Command Injection

Overview roar-pidusage is a Cross-platform process cpu % and memory usage of a PID — Edit Affected versions of this package are vulnerable to Arbitrary Command Injection. If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible f...

Web-Stat < 1.4.1 - API Key Disclosure

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount. This request contained sensitive information such as the site’s “wtswebstatuid” which was sent in the...

WordPress Web-Stat plugin <= 1.4 - Sensitive Information Disclosure vulnerability

Sensitive Information Disclosure vulnerability discovered by Ramuel Gall in WordPress Web-Stat plugin versions = 1.4. Solution Update the WordPress Web-Stat plugin to the latest available version at least 1.4.1...

CVE-2021-26910

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation...

CVE-2021-26910

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation...

UBUNTU-CVE-2021-25683

It was discovered that the getstarttime function in data/apport did not properly parse the /proc/pid/stat file from the kernel...