The Find and Replace All WordPress plugin before 1.3 does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.
Category Archives: Advisories
CVE-2021-25059
The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
USN-5744-1: libICE vulnerability
It was discovered that libICE was using a weak mechanism to generate the
session cookies. A local attacker could possibly use this issue to perform
a privilege escalation attack.
slurm-22.05.6-1.fc38
FEDORA-2022-6a9dc1d46b
Packages in this update:
slurm-22.05.6-1.fc38
Update description:
Automatic update for slurm-22.05.6-1.fc38.
Changelog
* Sun Nov 27 2022 Philip Kovacs <pkfed@fedoraproject.org> – 22.05.6-1
– Update to 22.05.6 (#2131112)
– Update deprecated vars in slurm.conf (#2133159)
* Tue Sep 6 2022 Philip Kovacs <pkfed@fedoraproject.org> – 22.05.3-2
– Add slurm to epel9 (#2072632); update spec for epel 7/8/9
– Use * Mon Nov 28 2022 Fedora Project – 22.05.6-1.fc38
– local build macro; add changelog file
* Mon Sep 5 2022 Philip Kovacs <pkfed@fedoraproject.org> – 22.05.3-1
– Update to 22.05.3
– Thanks Cristian Le (fedora@lecris.me) for his contributions
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> – 21.08.8-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon May 30 2022 Jitka Plesnikova <jplesnik@redhat.com> – 21.08.8-3
– Perl 5.36 rebuild
* Mon May 9 2022 Philip Kovacs <pkfed@fedoraproject.org> – 21.08.8-2
– Update to 21.08.8-2 (upstream re-release)
* Thu May 5 2022 Carl George <carl@george.computer> – 21.08.8-1
– Update to 21.08.8, resolves: rhbz#2082276
– Fix CVE-2022-29500, resolves: rhbz#2082286
– Fix CVE-2022-29501, resolves: rhbz#2082289
– Fix CVE-2022-29502, resolves: rhbz#2082293
* Sat Apr 2 2022 Philip Kovacs <pkfed@fedoraproject.org> – 21.08.6-1
– Update to 21.08.6
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> – 21.08.5-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jan 14 2022 Philip Kovacs <pkfed@fedoraproject.org> – 21.08.5-1
– Update to 21.08.5
* Sun Nov 21 2021 Orion Poplawski <orion@nwra.com> – 21.08.4-2
– Rebuild for hdf5 1.12.1
* Wed Nov 17 2021 Philip Kovacs <pkfed@fedoraproject.org> – 21.08.4-1
– Update to 21.08.4
– Closes security issue CVE-2021-43337
* Sun Oct 31 2021 Philip Kovacs <pkfed@fedoraproject.org> – 21.08.2-2
– Correct log rotation problems (#2016683, #2018508)
* Fri Oct 8 2021 Philip Kovacs <pkfed@fedoraproject.org> – 21.08.2-1
– Update to 21.08.2
– Added Fedora patches to support pmix v4
– Remove slurm-pmi(-devel) subpackages
* Tue Aug 10 2021 Orion Poplawski <orion@nwra.com> – 20.11.8-4
– Rebuild for hdf5 1.10.7
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> – 20.11.8-3
– Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sat Jul 10 2021 Björn Esser <besser82@fedoraproject.org> – 20.11.8-2
– Rebuild for versioned symbols in json-c
* Sat Jul 3 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.8-1
– Update to 20.11.8
* Tue May 25 2021 Jitka Plesnikova <jplesnik@redhat.com> – 20.11.7-4
– Perl 5.34 re-rebuild updated packages
* Mon May 24 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.7-3
– Move auth_jwt.so plugin to base package (#1947878)
* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> – 20.11.7-2
– Perl 5.34 rebuild
* Sat May 15 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.7-1
– Update to 20.11.7
– Closes security issue CVE-2021-31215
* Tue May 4 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.6-1
– Release of 20.11.6
* Mon Apr 12 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.5-2
– Add subpackage slurm-slurmrestd (Slurm REST API daemon)
* Fri Mar 26 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.5-1
– Release of 20.11.5
* Tue Mar 2 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> – 20.11.3-3
– Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> – 20.11.3-2
– Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 19 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.3-1
– Release of 20.11.3
* Wed Jan 6 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.2-2
– Minor spec adjustments
* Tue Jan 5 2021 Philip Kovacs <pkfed@fedoraproject.org> – 20.11.2-1
– Release of 20.11.2
DSA-5290 commons-configuration2 – security update
Apache Commons Configuration, a Java library providing a generic configuration
interface, performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. Starting with version 2.4 and continuing
through 2.7, the set of default Lookup instances included interpolators that
could result in arbitrary code execution or contact with remote servers. These
lookups are: – script – execute expressions using the JVM script execution
engine (javax.script) – dns – resolve dns records – url – load values from
urls, including from remote server applications using the interpolation
defaults in the affected versions may be vulnerable to remote code execution or
unintentional contact with remote servers if untrusted configuration values are
used.
DSA-5291 mujs – security update
Multiple security issues were discovered in MuJS, a lightweight
JavaScript interpreter, which could result in denial of service
and potentially the execution of arbitrary code.
DSA-5289 chromium – security update
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code.
CVE-2022-24999 (express, qs)
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has “deps: qs@6.9.7” in its release description, is not vulnerable).
A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution
A Vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
CVE-2022-0698
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the ‘select-file’ parameter.