A vulnerability was found in backdrop-contrib Basic Cart. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.x-1.1.1 is able to address this issue. The name of the patch is a10424ccd4b3b4b433cf33b73c1ad608b11890b4. It is recommended to upgrade the affected component. VDB-217950 is the identifier assigned to this vulnerability.

Read More

Kyle Zeng discovered that the sysctl implementation in the Linux kernel
contained a stack-based buffer overflow. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.

Read More

It was discovered that missing input sanitising in the ctags functionality
of Emacs may result in the execution of arbitrary shell commands.

Read More

XStream serializes Java objects to XML and back again. Versions prior to
1.4.15-3+deb11u2 may allow a remote attacker to terminate the application with
a stack overflow error, resulting in a denial of service only via manipulation
of the processed input stream. The attack uses the hash code implementation for
collections and maps to force recursive hash calculation causing a stack
overflow. This update handles the stack overflow and raises an
InputManipulationException instead.

Read More

Several out-of-memory, stack overflow or HTTP request smuggling vulnerabilities
have been discovered in Netty, a Java NIO client/server socket framework, which
may allow attackers to cause a denial of service or bypass restrictions when
used as a proxy.

Read More

Several flaws have been discovered in libjettison-java, a collection of StAX
parsers and writers for JSON. Specially crafted user input may cause a denial
of service via out-of-memory or stack overflow errors.

Read More

It was found that those using java.sql.Statement or java.sql.PreparedStatement
in hsqldb, a Java SQL database, to process untrusted input may be vulnerable to
a remote code execution attack. By default it is allowed to call any static
method of any Java class in the classpath resulting in code execution. The
issue can be prevented by updating to 2.5.1-1+deb11u1 or by setting the system
property hsqldb.method_class_names to classes which are allowed to be called.
For example, System.setProperty(“hsqldb.method_class_names”,”abc”) or Java
argument -Dhsqldb.method_class_names=”abc” can be used. From version
2.5.1-1+deb11u1 all classes by default are not accessible except those in
java.lang.Math and need to be manually enabled.

Read More

Post Content

Read More

Post Content

Read More

Post Content

Read More