
1738 matches found

Tenable Nessus
added 2024/06/11 12:00 a.m. · 43 views

Oracle Linux 7 : bind / bind-dyndb-ldap / dhcp (ELSA-2024-3741)

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-3741 advisory. - Prevent increased CPU consumption in DNSSEC validator CVE-2023-50387 CVE-2023-50868 - Speed up parsing of DNS messages with many different names...

CVSS 7.5 · AI score 7.1 · EPSS 0.99995
Exploits 1 · References 4
RedHat Linux
added 2024/06/10 8:16 a.m. · 4 views

bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator

Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled...

CVSS 7.5 · AI score 6.7 · EPSS 0.99995
Exploits 0 · References 7
Github Security Blog
added 2024/06/07 9:19 p.m. · 12 views

Zend-Mail remote code execution in zend-mail via Sendmail adapter

When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they c...

AI score 7
Exploits 0 · References 6 · Affected Software 1
OSV
added 2024/06/07 9:19 p.m. · 9 views

GHSA-CXF7-M5G2-V594 Zend-Mail remote code execution in zend-mail via Sendmail adapter

When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they c...

CVSS 8.8 · AI score 7
Exploits 0 · References 6
OSV
added 2024/06/06 6:21 p.m. · 11 views

GHSA-PXV8-QHRH-JC7V evmos allows transferring unvested tokens after delegations

Impact: This advisory has been created to address the following vulnerabilities found in the Evmos codebase and affecting vesting accounts. Wrong spendable balance computation: The spendable balance is not updated properly when delegating vested tokens. The following example helps in describing the...

CVSS 3.5 · AI score 5.7 · EPSS 0.0044
Exploits 0 · References 7
Github Security Blog
added 2024/06/06 6:21 p.m. · 18 views

evmos allows transferring unvested tokens after delegations

Impact: This advisory has been created to address the following vulnerabilities found in the Evmos codebase and affecting vesting accounts. Wrong spendable balance computation: The spendable balance is not updated properly when delegating vested tokens. The following example helps in describing the...

CVSS 4.3 · AI score 4.3 · EPSS 0.00384
Exploits 0 · References 7 · Affected Software 12
Positive Technologies
added 2024/06/06 12:00 a.m. · 3 views

PT-2024-24929 · Evmos · Evmos

Name of the Vulnerable Software and Affected Versions: Evmos versions prior to 18.0.0 Description: The issue is related to the spendable balance not being updated properly when delegating vested tokens, allowing a clawback vesting account to anticipate the release of unvested tokens. This problem...

CVSS 8.1 · AI score 7.2 · EPSS 0.0044
Exploits 0 · References 12
RedHat Linux
added 2024/06/04 11:07 a.m. · 6 views

EAP: wildfly-elytron has a SSRF security issue

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery SSRF vulnerabili...

CVSS 7.3 · AI score 5.8 · EPSS 0.00778
Exploits 0 · References 7
RedHat Linux
added 2024/06/04 11:04 a.m. · 2 views

EAP: wildfly-elytron has a SSRF security issue

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery SSRF vulnerabili...

CVSS 7.3 · AI score 5.8 · EPSS 0.00778
Exploits 0 · References 7
RedHat Linux
added 2024/06/03 5:04 p.m. · 4 views

EAP: wildfly-elytron has a SSRF security issue

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery SSRF vulnerabili...

CVSS 7.3 · AI score 5.8 · EPSS 0.00778
Exploits 0 · References 7
RedHat Linux
added 2024/06/03 5:02 p.m. · 3 views

EAP: wildfly-elytron has a SSRF security issue

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery SSRF vulnerabili...

CVSS 7.3 · AI score 5.8 · EPSS 0.00778
Exploits 0 · References 7
Github Security Blog
added 2024/06/03 5:01 p.m. · 10 views

TYPO3 Cross-Site Scripting in link validator component

Failing to sanitize content from editors, the link validator component is susceptible to Cross-Site Scripting. A valid editor account with access to content which is scanned by the link validator component is required to exploit this vulnerability...

AI score 7
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/06/03 5:01 p.m. · 9 views

GHSA-CG4M-QJJP-7497 TYPO3 Cross-Site Scripting in link validator component

Failing to sanitize content from editors, the link validator component is susceptible to Cross-Site Scripting. A valid editor account with access to content which is scanned by the link validator component is required to exploit this vulnerability...

AI score 7
Exploits 0 · References 3
Veracode
added 2024/06/03 5:06 a.m. · 14 views

XML Entity Expansion (XEE)

symfony/validator is vulnerable to XML Entity Expansion. The vulnerability is caused by improper XML parsing configuration, which could result in XML Entity Expansion XEE attacks that can lead to excessive memory use and potential Denial of Service DoS...

AI score 7
Exploits 0
Tenable Nessus
added 2024/06/03 12:00 a.m. · 29 views

RHEL 7 : camel (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - hibernate-validator: Privilege escalation when running under the security manager CVE-2017-7536 Note that Nessus ha...

CVSS 7 · AI score 7.2 · EPSS 0.00482
Exploits 0 · References 1
Positive Technologies
added 2024/05/28 12:00 a.m. · 3 views

PT-2024-40273 · Unknown · Simplesamlphp

Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp versions prior to 1.14.17 Description: A signature validation bypass issue has been found in the SimpleSAML XML Validator class, which performs the verification of the XML digital signature of a SAML 1 message with a given key...

AI score 7.3
Exploits 0 · References 5
RedHat Linux
added 2024/05/22 11:48 a.m. · 3 views

bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator

Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled...

CVSS 7.5 · AI score 6.7 · EPSS 0.99995
Exploits 0 · References 7
NVD
added 2024/05/14 3:38 p.m. · 14 views

CVE-2024-34345

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

CVSS 8.1 · AI score 8.2 · EPSS 0.00925
Exploits 0 · References 3
CNNVD
added 2024/05/14 12:00 a.m. · 2 views

CycloneDX JavaScript Library code issue vulnerability

The CycloneDX JavaScript Library is a core feature of the CycloneDX SBOM Standard open source OWASP CycloneDX for JavaScript written in TypeScript. A code issue vulnerability exists in CycloneDX JavaScript Library versions prior to 6.7.1 that stems from XML external entity injection when running...

CVSS 8.1 · AI score 8.2 · EPSS 0.00925
Exploits 0 · References 5
RedHat Linux
added 2024/05/13 1:34 a.m. · 3 views

bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator

Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side. This vulnerability applies only for systems where DNSSEC validation is enabled...

CVSS 7.5 · AI score 6.7 · EPSS 0.99995
Exploits 0 · References 7