Category Archives: Advisories

CVE-2022-24189


The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. As a result, an attacker can make POST API calls with other users' unique identifiers and enumerate the information of all other end-users.


CVE-2022-24190


The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization; the user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any user's picture frame, then send a POST request to accept their own bind request, without the end-user's approval or interaction.
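The two Ourphoto findings above describe one family of broken access control: an authorization check that only runs when the user_token header happens to be present, and an endpoint with no check at all. The Python below is an added illustration of both patterns beside their fail-closed fixes; it is not Ourphoto's code, and the handler names, session tokens, user ids, frame ids and bind-request flow are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict
    body: dict


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


@dataclass
class State:
    # Constructed fixture data for the example; not real users or devices.
    sessions: dict = field(default_factory=lambda: {"tok-alice": "alice", "tok-bob": "bob"})
    profiles: dict = field(default_factory=lambda: {
        "alice": {"email": "alice@example.invalid"},
        "bob": {"email": "bob@example.invalid"}})
    frame_owner: dict = field(default_factory=lambda: {"frame-1": "alice"})
    frame_members: dict = field(default_factory=lambda: {"frame-1": {"alice"}})
    pending_binds: dict = field(default_factory=dict)  # bind_id -> (frame_id, requester)
    next_bind: int = 1


def vulnerable_authenticate(state, req):
    """Pattern of CVE-2022-24189: the token is validated only when present, so
    stripping the header skips the check. Returns (user_or_None, allowed)."""
    token = req.headers.get("user_token")
    if not token:
        return None, True  # BUG: a missing or empty header is not rejected
    user = state.sessions.get(token)
    return user, user is not None


def hardened_authenticate(state, req):
    """Fail closed: absent, empty and unknown tokens all yield (None, False)."""
    token = req.headers.get("user_token")
    user = state.sessions.get(token) if token else None
    return user, user is not None


def vulnerable_user_info(state, req):
    """/apiv1/*-style lookup: target id comes from the body and is trusted."""
    _, allowed = vulnerable_authenticate(state, req)
    if not allowed:
        return Response(401, {"error": "invalid token"})
    target = req.body.get("user_id")  # BUG: never compared to the caller
    if target not in state.profiles:
        return Response(404)
    return Response(200, {"user": target, **state.profiles[target]})


def hardened_user_info(state, req):
    user, allowed = hardened_authenticate(state, req)
    if not allowed:
        return Response(401, {"error": "authentication required"})
    if req.body.get("user_id") != user:  # object-level authorization
        return Response(403, {"error": "forbidden"})
    return Response(200, {"user": user, **state.profiles[user]})


def request_bind(state, req):
    """Any authenticated user may ask to join a frame; the owner must approve."""
    user, allowed = hardened_authenticate(state, req)
    if not allowed:
        return Response(401)
    frame = req.body.get("frame_id")
    if frame not in state.frame_owner:
        return Response(404)
    bind_id = f"bind-{state.next_bind}"
    state.next_bind += 1
    state.pending_binds[bind_id] = (frame, user)
    return Response(200, {"bind_id": bind_id})


def vulnerable_accept_bind(state, req):
    """Pattern of CVE-2022-24190: no authentication and no owner check, so the
    requester can approve their own bind request."""
    bind_id = req.body.get("bind_id")
    if bind_id not in state.pending_binds:
        return Response(404)
    frame, requester = state.pending_binds.pop(bind_id)
    state.frame_members[frame].add(requester)
    return Response(200, {"frame_id": frame, "member": requester})


def hardened_accept_bind(state, req):
    user, allowed = hardened_authenticate(state, req)
    if not allowed:
        return Response(401, {"error": "authentication required"})
    bind_id = req.body.get("bind_id")
    if bind_id not in state.pending_binds:
        return Response(404)
    frame, requester = state.pending_binds[bind_id]
    if state.frame_owner[frame] != user:  # only the frame owner may approve
        return Response(403, {"error": "forbidden"})
    state.pending_binds.pop(bind_id)
    state.frame_members[frame].add(requester)
    return Response(200, {"frame_id": frame, "member": requester})


def run_demo():
    """Status codes the attacker (bob) sees against each version of the API."""
    results = {}
    for label, user_info, accept_bind in (
            ("vulnerable", vulnerable_user_info, vulnerable_accept_bind),
            ("hardened", hardened_user_info, hardened_accept_bind)):
        state = State()
        # 1. Strip user_token and request another user's record.
        results[label, "enumerate_no_token"] = user_info(
            state, Request({}, {"user_id": "alice"})).status
        # 2. Bob asks to bind to Alice's frame, then accepts it himself.
        as_bob = {"user_token": "tok-bob"}
        bind = request_bind(state, Request(as_bob, {"frame_id": "frame-1"}))
        results[label, "self_accept_bind"] = accept_bind(
            state, Request(as_bob, {"bind_id": bind.body["bind_id"]})).status
        # 3. Same again with no header at all.
        bind = request_bind(state, Request(as_bob, {"frame_id": "frame-1"}))
        results[label, "accept_no_token"] = accept_bind(
            state, Request({}, {"bind_id": bind.body["bind_id"]})).status
        results[label, "bob_is_member"] = "bob" in state.frame_members["frame-1"]
    return results


if __name__ == "__main__":
    for key, value in sorted(run_demo().items()):
        print(key, value)
```

Run it directly to print what each version returns. The point is twofold: authentication must fail closed when the header is absent or empty, and the accept step must be authorized against the frame's owner, not merely authenticated, or the requester still approves themselves.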


USN-5689-2: Perl vulnerability


USN-5689-1 fixed a vulnerability in Perl.
This update provides the corresponding update for Ubuntu 22.10.

Original advisory details:

It was discovered that Perl incorrectly handled certain signature verification.
A remote attacker could possibly use this issue to bypass signature verification.


USN-5745-1: shadow vulnerability


Florian Weimer discovered that shadow was not properly copying and removing
user directory trees, which could lead to a race condition. A local attacker
could possibly use this issue to set up a symlink attack and alter or remove
directories without authorization.


CVE-2022-2311


The Find and Replace All WordPress plugin before 1.3 does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.
