FEDORA-2023-4dee6d0a76
Packages in this update:
python-django-filter-23.2-1.fc38
Update description:
New upstream version
python-django-filter-23.2-1.fc38
New upstream version
** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Fuzzy SWMP. It has been rated as problematic. This issue affects some unknown processing of the file swmp.php of the component GET Parameter Handler. The manipulation of the argument theme leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 792bcab637cb8c3bd251d8fc8771512c5329a93e. It is recommended to apply a patch to fix this issue. The identifier VDB-230669 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
A vulnerability, which was classified as problematic, was found in Gravity Forms DPS PxPay Plugin up to 1.4.2 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.4.3 is able to address this issue. The name of the patch is 5966a5e6343e3d5610bdfa126a5cfbae95e629b6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230664.
A vulnerability classified as problematic has been found in RealFaviconGenerator Favicon Plugin up to 1.2.12 on WordPress. This affects the function install_new_favicon of the file admin/class-favicon-by-realfavicongenerator-admin.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 1.2.13 is able to address this issue. The identifier of the patch is 949a1ae7216216350458844f50a72f100b56d4e7. It is recommended to upgrade the affected component. The identifier VDB-230661 was assigned to this vulnerability.
What is Zyxel Networks?
The Zyxel Networks is one of the leading providers of broadband networking solution for small and home offices.
What is the Attack?
The attack is to exploit an OS command injection vulnerability which can lead to execute arbitrary commands.
Why is this Significant?
There are millions of devices worldwide that potentially are vulnerable to this attack. CISA has already added the vulnerabilities on its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild. Also, the PoC vulnerability has been made publicly.
What is the Vendor Solution?
The vendor has provided patches to address the vulnerabilities.
What FortiGuard Coverage is Available?
FortiGuard Labs is currently investigating coverage for CVE-2023-28771, CVE-2023-33009, CVE-2023-33010.
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.
A vulnerability, which was classified as problematic, has been found in Exit Box Lite Plugin up to 1.06 on WordPress. Affected by this issue is some unknown functionality of the file wordpress-exit-box-lite.php. The manipulation leads to information disclosure. The attack may be launched remotely. Upgrading to version 1.10 is able to address this issue. The name of the patch is fad26701addb862c51baf85c6e3cc136aa79c309. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230672.
yarnpkg-1.22.19-5.el9
Add patches to fix CVE-2022-38900, CVE-2021-43138, CVE-2022-3517, and CVE-2020-7677.
A vulnerability classified as problematic was found in Exit Box Lite Plugin up to 1.06 on WordPress. Affected by this vulnerability is the function exitboxadmin of the file wordpress-exit-box-lite.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. Upgrading to version 1.10 is able to address this issue. The patch is named fad26701addb862c51baf85c6e3cc136aa79c309. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230671.
More information is coming to light after news last week that a critical vulnerability in a secure file transfer Web application called MOVEit Transfer was being exploited by hackers. Microsoft tied some of the attacks to a threat actor associated with the Clop ransomware gang.
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer zero-day vulnerability to Lace Tempest, known for ransomware operations and running the Clop extortion site,” Microsoft’s Threat Intelligence team said on Twitter. “The threat actor has used similar vulnerabilities in the past to steal data and extort victims.”