12 matches found
GHSA-25FP-8W8P-MX36 OpenSTAManager has an OS Command Injection in P7M File Processing
Summary A critical OS Command Injection vulnerability exists in the P7M signed XML file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. Vulnerable Code File:...
MiracleLinux 8 : go-toolset:rhel8 (AXSA:2022-3736:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-3736:01 advisory. golang: compress/gzip: stack exhaustion in Reader.Read CVE-2022-30631 golang: net/http: improper sanitization of Transfer-Encoding header...
RockyLinux 8 : container-tools:rhel8 (RLSA-2023:2758)
The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:2758 advisory. golang: net/http: improper sanitization of Transfer-Encoding header CVE-2022-1705 golang: go/parser: stack exhaustion in all Parse functions CVE-2022-196...
TencentOS Server 3: container-tools (TSSA-2023:0111)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2023:0111 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...
Linux Distros Unpatched Vulnerability : CVE-2013-4221
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which...
Symfony XML decoding attack vector through external entities
The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system...
AZL-10531 CVE-2022-28131 affecting package golang for versions less than 1.18.5-1
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document...
UBUNTU-CVE-2021-27918
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method...
CVE-2018-19531
HTTL (Hyper-Text Template Language) 1.0.11 and earlier is vulnerable to remote command execution due to unsafe use of java.beans.XMLEncoder in decodeXml when xml.codec is not configured. This is documented across multiple sources (NVD entry CVE-2018-19531, Veracode note, and OSV/CVE references). ...
XML decoding attack vector through external entities
More info at https://symfony.com/blog/security-release-symfony-2-0-11-released...
phpRPC Library 0.7 - XML Data Decoding Remote Code Execution (1)
phpRPC Library 0.7 - XML Data Decoding Remote Code Execution 1 !/usr/bin/perl root@host perl rpc.pl phprpc.sourceforge.net /modules/phpRPC/server.php --== IHS IRAN HOMELAND SECURITY ==-- phpRPC new Proto = "tcp", PeerAddr = "$host", PeerPort = "80" || die "connecterror\n"; while 1 print 'IRAN...