This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-30302.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-30306.
What is the vulnerability?A use-after-free vulnerability tagged as CVE-2023-49606 exists in Tinyproxy, a lightweight open-source HTTP proxy daemon. The threat actor may trigger this memory corruption and execute arbitrary code by sending a specially crafted HTTP header that triggers the reuse of previously freed memory. That can lead to remote code execution. As of May 3, 2024, Censys observed over 90,000 hosts running Tinyproxy service exposed in the Internet where 57% of which are potentially vulnerable to this CVE-2023-49606.What is the recommended Mitigation?FortiGuard Labs is not aware of any patches released by the vendor as of this report. To mitigate the risk, users are advised to make sure that Tinyproxy service is not exposed to the internet.What FortiGuard Coverage is available?FortiGuard Labs is currently investigating relevant protections and will update the threat signal as they are released. FortiGuard Incident Response team can be engaged to help with any suspected compromise.
US Secretary of State Antony Blinken said that the US and its allies must work together to ensure foundational technologies are used for the betterment of humanity
Alicia Boya Garcia reported that the GDBus signal subscriptions in the
GLib library are prone to a spoofing vulnerability. A local attacker can
take advantage of this flaw to cause a GDBus-based client to behave
incorrectly, with an application-dependent impact.
gnome-shell is updated along with this update to avoid a screencast
regression after fixing CVE-2024-34397.
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for privilege escalation. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation. Depending on the privileges associated with the exploited component, an attacker could then install programs; view, change, or delete data; or create new accounts with full rights.
Posted by Simon Bieber via Fulldisclosure on May 06
secuvera-SA-2024-02: Multiple Persistent Cross-Site Scritping (XSS) flaws in Drupal-Wiki
Affected Products
Drupal Wiki 8.31
Drupal Wiki 8.30 (older releases have not been tested)
References
https://www.secuvera.de/advisories/secuvera-SA-2024-02.txt (used for updates)
CVE-2024-34481
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS-B: 6.4 (…
