910463 matches found
DLA-1326-1 php5 - security update
Bulletin has no description...
DSA-4018-1 openssl - security update
Bulletin has no description...
GHSA-6MQ2-37J5-W6R6 WEBrick Improper Input Validation vulnerability
WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrar...
DSA-3999-1 wpa - security update
Bulletin has no description...
DSA-3908-1 nginx - security update
Bulletin has no description...
DLA-818-1 php5 - security update
Bulletin has no description...
DLA-522-1 python2.7 - security update
Bulletin has no description...
DSA-3566-1 openssl - security update
Bulletin has no description...
DEBIAN-CVE-2022-49542
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Move cfglogverbose check before calling lpfcdmpdbg In an attempt to log message 0126 with LOGTRACEEVENT, the following hard lockup call trace hangs the system. Call Trace: rawspinlockirqsave+0x32/0x40...
MGASA-2025-0037 Updated chromium-browser-stable packages fix security vulnerability
Use after free in DevTools. CVE-2025-0762...
CGA-G8R9-VV23-F4JF
Bulletin has no description...
CGA-FW4G-9MF4-P6PC
Bulletin has no description...
RHSA-2024:1141 Red Hat Security Advisory: mysql security update
Bulletin has no description...
RHSA-2018:0279 Red Hat Security Advisory: rh-mariadb100-mariadb security update
Bulletin has no description...
CVE-2024-40898
SSRF in Apache HTTP Server on Windows with modrewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue...
GHSA-6JJ6-GM7P-FCVV Remote Code Execution (RCE) vulnerability in geoserver
Summary Multiple OGC request parameters allow Remote Code Execution RCE by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. Details The GeoTools library API that GeoServer calls evaluates...
CVE-2024-39573
Potential SSRF in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by modproxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue...
CGA-C49Q-4CQQ-XWX4
Bulletin has no description...
BIT-GITLAB-2021-39890
It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above...
BIT-TOMCAT-2023-46589 Apache Tomcat: HTTP request smuggling via malformed trailer headers
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0 through 11.0.0, from 10.1.0 through 10.1.15, from 9.0.0 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to...
BIT-PRESTASHOP-2023-39526 PrestaShopSQL manager vulnerability (potential RCE)
PrestaShop is an open source e-commerce web application. Versions prior to 1.7.8.10, 8.0.5, and 8.1.1 are vulnerable to remote code execution through SQL injection and arbitrary file write in the back office. Versions 1.7.8.10, 8.0.5, and 8.1.1 contain a patch. There are no known workarounds...
GO-2023-2394 Spoofed source IP address in github.com/shift72/caddy-geo-ip
The caddy-geo-ip aka GeoIP middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism trustedproxy directive in reverseproxy or IP address range restrictions...
GHSA-M425-MQ94-257G gRPC-Go HTTP/2 Rapid Reset vulnerability
Impact In affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit...
CVE-2023-38545
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host na...
CVE-2023-44487
The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023...
RSEC-2023-6 Denial of Service (DoS) vulnerability
The commonmark package, specifically in its dependency on GitHub Flavored Markdown before version 0.29.0.gfm.1, has a vulnerability related to time complexity. Parsing certain crafted markdown tables can take On n time, leading to potential Denial of Service attacks. This issue does not affect th...
RSEC-2023-5 Infinite loop, memory leak, and heap-based buffer over-read vulnerabilities
The haven R package is exposed to multiple vulnerabilities due to issues in its underlying ReadStat library. The specific flaws include an infinite loop condition, a memory leak associated with an iconvopen call, and a heap-based buffer over-read via an unterminated string. Exploitation of these...
PYSEC-2023-179
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke and pydash.collections.invokemap accept dotted paths Deep Path Strings to target a nested Python object, relative to the original source object. These paths can be used to target...
GHSA-V86X-5FM3-5P7J Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Impact An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. Patches Users can upgrade to Alertmanager v0.2.51. Workarounds Users can setup a reverse proxy in front of the...
GHSA-GPCV-P28P-FV2P odoh-rs's Invalid Slice Split Results in Server Panic
A vulnerability was discovered in the odoh-rs rust crate that stems from faulty logic during the parsing of encrypted queries. This issue specifically occurs when processing encrypted query data received from remote clients. Impact An attacker with knowledge of this vulnerability could craft and...
ALSA-2023:4419 Important: openssh security update
OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: openssh: Remote code execution in ssh-agent PKCS11 support CVE-2023-38408 For more details...
PYSEC-2023-113
Products.CMFCore are the key framework services for the Zope Content Management Framework CMF. The use of Python's marshal module to handle unchecked input in a public method on PortalFolder objects can lead to an unauthenticated denial of service and crash situation. The code in question is...
PYSEC-2023-90
Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in...
GHSA-WH3W-JCC7-MHMF pretalx vulnerable to path traversal in HTML export
pretalx before 2.3.2 allows path traversal in HTML export a non-default feature. Users were able to upload crafted HTML documents that trigger the reading of arbitrary files...
DSA-5372-1 rails - security update
Bulletin has no description...
GHSA-J2H2-G882-X9J2 Deserialization of Untrusted Data in thinkphp
thinkphp 6.0.06.0.13 and 6.1.06.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload...
GO-2022-1118 Improper validation of UUIDs in github.com/codenotary/immudb
A malicious server can trick a client into treating it as a different server by changing the reported UUID. immudb client SDKs use the server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple server...
CVE-2022-47629
Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser...
DLA-3236-1 openexr - security update
Bulletin has no description...
DSA-5272-1 xen - security update
Bulletin has no description...
PYSEC-2022-270
indy-node is the server portion of Hyperledger Indy, a distributed ledger purpose-built for decentralized identity. In vulnerable versions of indy-node, an attacker can max out the number of client connections allowed by the ledger, leaving the ledger unable to be used for its intended purpose...
DSA-5207-1 linux - security update
Bulletin has no description...
DSA-5188-1 openjdk-11 - security update
Bulletin has no description...
MAL-2022-2913 Malicious code in example-typescript (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 67077359006aa50f08c2757c83cc757f06c0b0817b3beb029ce4f6e823236c03 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PYSEC-2022-207
An issue was discovered in Couchbase Sync Gateway 3.x before 3.0.2. Admin credentials are not verified when using X.509 client-certificate authentication from Sync Gateway to Couchbase Server. When Sync Gateway is configured to authenticate with Couchbase Server using X.509 client certificates, t...
GHSA-7PXG-6P87-8C9V Magento 2 Community Edition RCE via Unsafe File Upload
Magento versions 2.4.0 and 2.3.5p1 and earlier are affected by an unsafe file upload vulnerability that could result in arbitrary code execution. This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components...
GO-2021-0412 Incorrect authorization in github.com/containerd/imgcrypt
The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function CheckAuthorization is supposed to check whether the current used is...
GHSA-X4JG-MJRX-434G Improper Verification of Cryptographic Signature in node-forge
Impact RSA PKCS1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. Patches The issue has been...
DSA-5092-1 linux - security update
Bulletin has no description...
ASB-A-193149550
In NotificationStackScrollLayout of NotificationStackScrollLayout.java, there is a possible way to bypass Factory Reset Protections. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...