It was discovered that pngcheck incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a
denial of service.
Hiroshi Tokumaru discovered that Ruby did not properly handle certain
user input for applications the generate HTTP responses using cgi gem.
An attacker could possibly use this issue to maliciously modify the
response a user would receive from a vulnerable application. This issue
only affected Ubuntu 22.10. (CVE-2021-33621)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-28755, CVE-2023-28756)
Awareness programs should use psychology to change security culture, experts argue
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.
USN-6143-1 fixed vulnerabilities and USN-6143-2 fixed minor regressions in
Firefox. The update introduced several minor regressions. This update fixes
the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2023-34414,
CVE-2023-34416, CVE-2023-34417)
Jun Kokatsu discovered that Firefox did not properly validate site-isolated
process for a document loaded from a data: URL that was the result of a
redirect, leading to an open redirect attack. An attacker could possibly
use this issue to perform phishing attacks. (CVE-2023-34415)
Several vulnerabilities were discovered in Apache Traffic Server, a
reverse and forward proxy server, which could result in information
disclosure or denial of service.
Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a SCRIPT keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a “database/script” file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.
Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a SCRIPT keyword which is normally
used to record the commands input by the database admin to output such a
script. In combination with LibreOffice, an attacker could craft an odb
containing a “database/script” file which itself contained a SCRIPT command
where the contents of the file could be written to a new file whose location
was determined by the attacker.
Gregory James Duck reported that missing input validation in various
functions provided by libx11, the X11 client-side library, may result in
denial of service.
