Lucene search

38 matches found

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2024-2571

Malicious code in bioql PyPI...

CVSS 7.7 | AI score 6.3 | EPSS 0.00766
Exploits: 0 | References: 4
Microsoft CVE
added 2025/09/03 10:4 p.m. | 3 views

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110.

...

CVSS 8.8 | AI score 7 | EPSS 0.00277
Exploits: 0
RedhatCVE
added 2025/02/05 2:27 a.m. | 7 views

CVE-2024-42347

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the...

CVSS 7.7 | AI score 7.4 | EPSS 0.00766
Exploits: 0 | References: 1
Veracode
added 2024/08/07 4:32 a.m. | 26 views

Information Disclosure

matrix-react-sdk is vulnerable to Information Disclosure. The vulnerability is due to a malicious homeserver manipulating a user's account data to enable URL previews in encrypted rooms, causing any URLs in encrypted messages to be sent to the server. Attackers can use this to intercept URLs in...

CVSS 7.7 | AI score 6.8 | EPSS 0.00766
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2024/08/06 5:16 p.m. | 60 views

CVE-2024-42347

Affects matrix-react-sdk (Matrix web client component). A malicious homeserver could manipulate a user’s account data to enable URL previews in end-to-end encrypted rooms, causing URLs from encrypted messages to be sent to the server. This is mitigated by upgrading to matrix-react-sdk version 3.1...

CVSS 7.7 | AI score 6.7 | EPSS 0.00766
Exploits: 0 | References: 2 | Affected Software: 1
Vulnrichment
added 2024/08/06 5:16 p.m. | 15 views

CVE-2024-42347 URL preview setting for a room is controllable by the homeserver in matrix-react-sdk

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the...

CVSS 7.7 | AI score 6.7 | EPSS 0.00766
Exploits: 0 | References: 2
Amazon
added 2023/09/25 12:0 a.m. | 6 views

Important: firefox

Issue Overview: firefox-esr, thunderbird and nss only are affected by this package. CVE-2023-0767 The Mozilla Foundation Security Advisory describes this flaw as: The Content-Security-Policy-Report-Only header could allow an attacker to leak a child iframe's unredacted URI when interaction with...

CVSS 8.8 | AI score 9.6 | EPSS 0.00277
Exploits: 1
UbuntuCve
added 2023/06/06 7:15 p.m. | 14 views

CVE-2023-32683

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the...

CVSS 5.4 | AI score 6.4 | EPSS 0.00349
Exploits: 0 | References: 4
Cvelist
added 2023/06/06 6:24 p.m. | 11 views

CVE-2023-32683 URL deny list bypass via oEmbed and image URLs when generating previews in Synapse

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting potentially allowing server side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the...

CVSS 3.5 | AI score 5.6 | EPSS 0.00349
Exploits: 0 | References: 3
CVE
added 2023/06/02 12:0 a.m. | 172 views

CVE-2023-25731

CVE-2023-25731 affects Mozilla Firefox prior to 110, where URL previews in the network panel’s developer tools could allow query parameters to overwrite global objects in privileged code. The issue is confirmed by multiple sources stating Firefox

CVSS 8.8 | AI score 7.8 | EPSS 0.00277
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2023/06/02 12:0 a.m. | 17 views

CVE-2023-25731

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110...

AI score 8.7 | EPSS 0.00277
Exploits: 0 | References: 2
Tenable Nessus
added 2023/05/30 12:0 a.m. | 15 views

GLSA-202305-35 : Mozilla Firefox: Multiple Vulnerabilities

The remote host is affected by the vulnerability described in GLSA-202305-35 Mozilla Firefox: Multiple Vulnerabilities - An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. CVE-2023-0767 -...

CVSS 8.8 | AI score 8 | EPSS 0.00442
Exploits: 1 | References: 47
SUSE CVE
added 2023/03/07 3:13 a.m. | 1 views

SUSE CVE-2023-25731

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110...

CVSS 8.8 | AI score 8.4 | EPSS 0.00277
Exploits: 0 | References: 4
Amazon
added 2023/03/06 12:0 a.m. | 37 views

Important: thunderbird

Issue Overview: If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted messa...

CVSS 8.8 | AI score 8.4 | EPSS 0.00354
Exploits: 1
Tenable Nessus
added 2023/02/20 12:0 a.m. | 26 views

Ubuntu 18.04 LTS / 20.04 LTS : Firefox vulnerabilities (USN-5880-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5880-1 advisory. Christian Holler discovered that Firefox did not properly manage memory when using PKCS 12 Safe Bag attributes. An attacker could construct a...

CVSS 9.8 | AI score 7.7 | EPSS 0.00444
Exploits: 1 | References: 16
RedhatCVE
added 2023/02/16 9:29 a.m. | 27 views

CVE-2023-25731

The Mozilla Foundation Security Advisory: Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code...

CVSS 8.8 | AI score 5 | EPSS 0.00277
Exploits: 0 | References: 3
UbuntuCve
added 2023/02/15 12:0 a.m. | 25 views

CVE-2023-25731

Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. This vulnerability affects Firefox < 110...

CVSS 8.8 | AI score 7.1 | EPSS 0.00277
Exploits: 0 | References: 3
CNVD
added 2022/11/24 12:0 a.m. | 26 views

Matrix synapse resource management error vulnerability

synapse is an open source application developed by Matrix. Used for open federated instant messaging and VoIP. A resource management error vulnerability exists in Matrix synapse versions prior to 1.53.0, which stems from Synapse generating URL previews of media streams without limiting the...

CVSS 6.5 | AI score 5.2 | EPSS 0.00552
Exploits: 0 | References: 1
CNVD
added 2022/06/30 12:0 a.m. | 20 views

Matrix Synapse Denial of Service Vulnerability (CNVD-2022-60674)

Matrix Synapse is a Matrix Management Server implementation from the Matrix Foundation in the U.K. A denial of service vulnerability exists in versions of Matrix Synapse prior to 1.61.1, which stems from infinite recursion, where URL previews of certain web pages may exhaust the available stack...

CVSS 6.5 | AI score 4.1 | EPSS 0.00376
Exploits: 0 | References: 1
Github Security Blog
added 2022/06/29 9:51 p.m. | 35 views

URL previews of unusual or maliciously-crafted pages can crash Synapse media repositories or Synapse monoliths

Impact: URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether. It is possible to...

CVSS 6.5 | AI score 6.2 | EPSS 0.00376
Exploits: 0 | References: 8 | Affected Software: 1