This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Syst��mes eDrawings Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-3298.
Daily Archives: May 9, 2024
ZDI-24-437: Dassault Systèmes eDrawings Viewer DXF File Parsing Type Confusion Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Syst��mes eDrawings Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-3298.
ZDI-24-438: Dassault Systèmes eDrawings Viewer DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Syst��mes eDrawings Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-3298.
ZDI-24-439: Microsoft Windows Bluetooth AVDTP Protocol Integer Underflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must connect a malicious Bluetooth device. The ZDI has assigned a CVSS rating of 7.6. The following CVEs are assigned: CVE-2023-24948.
glib2-2.78.6-1.fc39 gnome-shell-45.6-2.fc39
FEDORA-2024-fd2569c4e9
Packages in this update:
glib2-2.78.6-1.fc39
gnome-shell-45.6-2.fc39
Update description:
Resolve CVE-2024-34397 (GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing), and also update gnome-shell to ensure this fix does not break the screencast feature.
glib2-2.80.2-1.fc40 gnome-shell-46.1-2.fc40
FEDORA-2024-635a54eb7e
Packages in this update:
glib2-2.80.2-1.fc40
gnome-shell-46.1-2.fc40
Update description:
Resolve CVE-2024-34397 (GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing), and also update gnome-shell to ensure this fix does not break the screencast feature.
DSA-5686-1 dav1d – security update
Nick Galloway discovered an integer overflow in dav1d, a fast and small
AV1 video stream decoder which could result in memory corruption.
DSA-5684-1 webkit2gtk – security update
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2023-42843
Kacper Kwapisz discovered that visiting a malicious website may
lead to address bar spoofing.
CVE-2023-42950
Nan Wang and Rushikesh Nandedkar discovered that processing
maliciously crafted web content may lead to arbitrary code
execution.
CVE-2023-42956
SungKwon Lee discovered that processing web content may lead to a
denial-of-service.
CVE-2024-23252
anbu1024 discovered that processing web content may lead to a
denial-of-service.
CVE-2024-23254
James Lee discovered that a malicious website may exfiltrate audio
data cross-origin.
CVE-2024-23263
Johan Carlsson discovered that processing maliciously crafted web
content may prevent Content Security Policy from being enforced.
CVE-2024-23280
An anonymous researcher discovered that a maliciously crafted
webpage may be able to fingerprint the user.
CVE-2024-23284
Georg Felber and Marco Squarcina discovered that processing
maliciously crafted web content may prevent Content Security
Policy from being enforced.
DSA-5682-2 glib2.0 – regression update
The update for glib2.0 released as DSA 5682-1 caused a regression in
ibus affecting text entry with non-trivial input methods. Updated
glib2.0 packages are available to correct this issue.