Multiple security issues were discovered in MuJS, a lightweight
JavaScript interpreter, which could result in denial of service
and potentially the execution of arbitrary code.
Monthly Archives: November 2022
DSA-5290 commons-configuration2 – security update
Apache Commons Configuration, a Java library providing a generic configuration
interface, performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. Starting with version 2.4 and continuing
through 2.7, the set of default Lookup instances included interpolators that
could result in arbitrary code execution or contact with remote servers. These
lookups are: – script – execute expressions using the JVM script execution
engine (javax.script) – dns – resolve dns records – url – load values from
urls, including from remote server applications using the interpolation
defaults in the affected versions may be vulnerable to remote code execution or
unintentional contact with remote servers if untrusted configuration values are
used.
DSA-5289 chromium – security update
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code.
CVE-2022-24999 (express, qs)
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has “deps: qs@6.9.7” in its release description, is not vulnerable).
A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution
A Vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
CVE-2022-0698
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the ‘select-file’ parameter.
ConnectWise Fixes XSS Vulnerability that Could Lead to Remote Code Execution
Threat actors could exploit the flaw to take complete control of the ConnectWise platform
CVE-2022-23044
Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.
Google Releases Chrome Patch to Fix New Zero-Day Vulnerability
The high-severity vulnerability refers to a heap buffer overflow in the GPU component
wireshark-4.0.1-1.fc37
FEDORA-2022-cf9ae8e4ff
Packages in this update:
wireshark-4.0.1-1.fc37
Update description:
New version 4.0.1, Fix for bug #2148308, fix for CVE-2022-3725