CVE-2024-23332

CVE-2024-23332 affects the Notary Project: client configurations using permissive trust policies can enable rollback attacks if a compromised registry serves outdated artifacts. The connected sources describe that artifact publishers can set signature expiry and revoke certificates to keep artifa...

CVE-2024-23332 Client configured with permissive trust policies susceptible to rollback attack in Notary Project

The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...

Monero: Transactions in invalid blocks are kept in tx-pool without undergoing certain checks.

The transactions in invalid blocks were kept in the tx-pool without undergoing certain checks. When adding blocks to the blockchain, monerod first added the transactions to the tx pool with relaymethod::block, which allowed the tx-pool to skip certain checks like fee and extra field size. However...

Mozilla: S/MIME signature accepted despite mismatching message date

The Mozilla Foundation Security Advisory: The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despi...

PT-2023-11470 · Beyondtrust · Beyondtrust Privilege Management For Windows

Name of the Vulnerable Software and Affected Versions: BeyondTrust Privilege Management for Windows versions through 5.6 Description: An issue was discovered where the publisher criteria can be leveraged by a malicious actor to achieve Elevation of Privileges from standard user to administrator...

Autodesk Customer Portal Security Vulnerability

Autodesk Customer Portal is a customer portal component of Autodesk USA. A security vulnerability exists in Autodesk Customer Portal that stems from cases where Autodesk users who no longer have a valid license for an account can still access that account...

kernel: md/raid10: fix leak of 'r10bio->remaining' for recovery

In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix leak of 'r10bio-remaining' for recovery raid10syncrequest will add 'r10bio-remaining' for both rdev and replacement rdev. However, if the read io fails, recoveryrequestwrite returns without issuing the write io, in...

ALSA-2023:6738 Moderate: java-21-openjdk security and bug fix update

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. Security Fixes: OpenJDK: memory corruption issue on x8664 with AVX-512 8317121 CVE-2023-22025 OpenJDK: certificate path validation issue during client authentication...

c-ares: buffer overflow in config_sortlist() due to missing string length check

A flaw was found in the c-ares package. The aressetsortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity...

PT-2023-22109 · Ox Software Gmbh +1 · Ox App Suite +2

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: Documents operations, specifically "drawing", could be manipulated to contain invalid data types, possibly script code. This script code could be inject...

CVE-2023-46663

Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests...

CVE-2023-46663 Improper Access Control in Sielco PolyEco1000

Sielco PolyEco1000 is vulnerable to an attacker bypassing authorization and accessing resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests...

CVE-2023-45317

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site...

Code injection

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site...

CVE-2023-45317

CVE-2023-45317 concerns Sielco Radio Link and Analog FM Transmitters. The issue is a Cross-Site Request Forgery where HTTP requests may be accepted without proper validation, potentially allowing an authenticated user to perform administrative actions by visiting a malicious site. The affected pr...

The _validateExecutionRequest() function does not include a check for expiration signatures.

Lines of code Vulnerability details Impact To maintain validity, user signatures must have an expiration or timestamp deadline. Otherwise, the signature grants the message a "lifetime license." The validateExecutionRequest function needs to include a check for expiration signatures. Otherwise,...

Siemens Mendix 安全漏洞

The Mendix Forgot Password module allows your users to register your application or reset their own passwords without administrator involvement. A vulnerability exists in the Siemens Mendix Forgot Password module that can be exploited by an attacker to determine if a user is valid, allowing a bru...

PHPJabbers Appointment Scheduler Security Vulnerability

PHPJabbers Appointment Scheduler is a Php-based appointment scheduler plugin for planning time and booking meeting schedules from PHPJabbers Serbia. A security vulnerability exists in PHPJabbers Appointment Scheduler version v3.0, which stems from a discrepancy in messages that could allow an...

GitHub's Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services AWS, Microsoft, Google, and Slack. Validity checks, introduced by the Microsoft subsidiary earlier this year, alert users whether exposed tokens found by...

Code injection

The commit 3730880 April 2023 and v.0.9-beta1 of gugoan Economizzer has a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid, and when it's not. This may allow an attacker to determine whether a user or...