Lucene search

9572 matches found

RedHat Linux
added 2024/12/11 4:19 p.m. · 3 views

php: cgi.force_redirect configuration is bypassable due to the environment variable collision

A flaw was found in PHP. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access...

CVSS 7.5 · AI score 5.7 · EPSS 0.00345
Exploits 1 · References 6
RedHat Linux
added 2024/12/11 4:16 p.m. · 1 views

php: cgi.force_redirect configuration is bypassable due to the environment variable collision

A flaw was found in PHP. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access...

CVSS 7.5 · AI score 5.7 · EPSS 0.00345
Exploits 1 · References 6
CNNVD
added 2024/12/11 12:00 a.m. · 1 views

GStreamer security vulnerability

GStreamer is an open source set of frameworks for processing streaming media from GStreamer. A security vulnerability exists in GStreamer that stems from an uninitialized stack variable found in the gst_matroska_demux_add_wvpk_header function in matroska-demux.c. The vulnerability is...

CVSS 9.8 · AI score 9 · EPSS 0.01306
Exploits 0 · References 5
Positive Technologies
added 2024/12/11 12:00 a.m. · 3 views

PT-2025-3047 · Apple · Apple Macos

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 13.7.2; macOS versions prior to 14.7.2; macOS versions prior to 15.2. Description: The issue is related to insufficient authorization mechanisms in the NVRAM Variable Handler component of macOS operating systems. This can...

CVSS 8.2 · AI score 6.6 · EPSS 0.00077
Exploits 0 · References 7
Positive Technologies
added 2024/12/10 12:00 a.m. · 3 views

PT-2024-10221 · Document Foundation +5 · Libreoffice +5

Name of the Vulnerable Software and Affected Versions: LibreOffice versions 24.8 through 24.8.3. Description: The issue is related to the exposure of environment variables and arbitrary INI file values to an unauthorized actor. URLs could be constructed to expand these variables, potentially...

CVSS 7.2 · AI score 5.7 · EPSS 0.00663
Exploits 0 · References 60
Positive Technologies
added 2024/12/10 12:00 a.m. · 2 views

PT-2024-9462 · Microsoft · Windows Remote Desktop Services +1

Name of the Vulnerable Software and Affected Versions: Windows Remote Desktop Services, affected versions not specified. Description: The issue is related to a remote code execution problem in Windows Remote Desktop Services. It involves the initialization of an insecure variable by default...

CVSS 8.1 · AI score 8 · EPSS 0.00185
Exploits 0 · References 7
Zero Day Initiative
added 2024/12/10 12:00 a.m. · 10 views

Rockwell Automation Arena Simulation DOE File Parsing Use of Uninitialized Variable Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists with...

CVSS 7.8 · AI score 6.8 · EPSS 0.00067
Exploits 0 · References 1
RedHat Linux
added 2024/12/09 9:42 a.m. · 21 views

Important: Red Hat Security Advisory: postgresql security update

An update for postgresql is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available...

CVSS 8.8 · AI score 7.7 · EPSS 0.06356
Exploits 1 · References 2
Debian CVE
added 2024/12/09 12:00 a.m. · 10 views

CVE-2024-55564

The POSIX::2008 package before 0.24 for Perl has a potential execve50c env buffer overflow...

CVSS 9.8 · AI score 5.6 · EPSS 0.00292
Exploits 0
BDU FSTEC
added 2024/12/06 12:00 a.m. · 2 views

The vulnerability of the atob method in the universal monitoring system Zabbix allows attackers to compromise the integrity of the protected information.

The vulnerability of the atob method in the Zabbix universal monitoring system is related to access to a critical private variable through a publicly accessible method. Exploiting this vulnerability allows an attacker to compromise the integrity of the protected information...

CVSS 6.8 · AI score 6.6 · EPSS 0.00378
Exploits 0 · References 10 · Affected Software 4
OSV
added 2024/12/05 8:15 p.m. · 2 views

CLSA-2024-1733429722 Fix CVE(s): CVE-2024-48992

SECURITY UPDATE: Arbitrary code execution via manipulated RUBYLIB environment variable - debian/patches/CVE-2024-48992.patch: Prevent script from setting RUBYLIB environment variable to avoid LPE - CVE-2024-48992...

CVSS 7.8 · AI score 6.2 · EPSS 0.00728
Exploits 2 · References 1
Github Security Blog
added 2024/12/05 7:06 p.m. · 15 views

Build corruption when using `PYO3_CONFIG_FILE` environment variable

In PyO3 0.23.0 the `PYO3_CONFIG_FILE` environment variable used to configure builds regressed such that changing the environment variable would no longer trigger PyO3 to reconfigure and recompile. In combination with workflows using tools such as maturin to build for multiple versions in a single...

AI score 7.1
Exploits 0 · References 3 · Affected Software 1
NVD
added 2024/12/05 6:15 p.m. · 22 views

CVE-2024-11158

An "uninitialized variable" code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable before it is initialized. If exploited, a threat actor could leverage this vulnerability to execute...

CVSS 8.5 · EPSS 0.00067
Exploits 0 · References 1
OSV
added 2024/12/05 6:15 p.m. · 1 views

CVE-2024-11158

An "uninitialized variable" code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable before it is initialized. If exploited, a threat actor could leverage this vulnerability to execute...

CVSS 8.5 · AI score 6.3
Exploits 0 · References 1
Vulnrichment
added 2024/12/05 5:41 p.m. · 14 views

CVE-2024-11158 Rockwell Automation Arena® Uninitialized Vulnerability

An "uninitialized variable" code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable before it is initialized. If exploited, a threat actor could leverage this vulnerability to execute...

CVSS 8.5 · AI score 7.7 · EPSS 0.00067
Exploits 0 · References 1
CVE
added 2024/12/05 5:41 p.m. · 78 views

CVE-2024-11158

Rockwell Automation Arena (including Arena Simulation) is reported to have an uninitialized variable vulnerability in DOE file parsing that can lead to remote arbitrary code execution when a user runs malicious DOE content. The flaw, described across CVE-2024-11158 entries, requires that the atta...

CVSS 8.5 · AI score 7.3 · EPSS 0.00067
Exploits 0 · References 1 · Affected Software 1
RedHat Linux
added 2024/12/05 9:17 a.m. · 0 views

postgresql: PostgreSQL PL/Perl environment variable changes execute arbitrary code

A flaw was found in PostgreSQL PL/Perl. This vulnerability allows an unprivileged database user to change sensitive process environment variables (e.g., PATH) via incorrect control of environment variables...

CVSS 8.8 · AI score 7.3 · EPSS 0.06356
Exploits 1 · References 5
Positive Technologies
added 2024/12/05 12:00 a.m. · 1 views

PT-2025-3603 · Linux +2 · Linux Kernel +2

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: The issue is related to the Linux kernel's ptrace system call, specifically on the arm64 architecture. The problem arises from the fpmr_set function not initializing the temporary fpmr...

CVSS 8.1 · AI score 7.6 · EPSS 0.0009
Exploits 3 · References 884
Positive Technologies
added 2024/12/05 12:00 a.m. · 3 views

PT-2024-40490 · Pypi · Pyo3

Name of the Vulnerable Software and Affected Versions: PyO3 versions 0.23.0 through 0.23.2. Description: The issue arises from a regression in the PYO3_CONFIG_FILE environment variable, which is used to configure builds. This regression causes PyO3 to fail to reconfigure and recompile when the...

AI score 7.2
Exploits 0 · References 4
CNNVD
added 2024/12/05 12:00 a.m. · 2 views

Rockwell Automation Arena security vulnerability

Rockwell Automation Arena is a discrete event simulation and automation software from Rockwell Automation USA. A security vulnerability exists in Rockwell Automation Arena version 16.20.00 and prior versions that stems from the presence of an uninitialized variable code execution vulnerability th...

CVSS 8.5 · AI score 7.2 · EPSS 0.00067
Exploits 0 · References 1