Read Time:8 Second
FEDORA-2024-a94430d221
Packages in this update:
curl-8.9.1-3.fc41
Update description:
fix HSTS subdomain overwrites parent cache entry (CVE-2024-9681)
Category Archives: Advisories
Ivanti Cloud Services Application (CSA) Vulnerabilities (CVE-2024-11639, CVE-2024-11772, CVE-2024-11773)
Read Time:1 Minute, 8 Second
What are the Vulnerabilities?Ivanti has released security updates to address multiple critical flaws in its Cloud Services Application (CSA) that could lead to privilege escalation and code execution. More details below:CVE-2024-11639, CVSS: 10.0 (Maximum Severity), authentication bypass vulnerability in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access CVE-2024-11772, CVSS: 9.1 (Critical): Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution. CVE-2024-11773, CVSS: 9.1 (Critical): SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements. What is the recommended Mitigation?Ivanti has released updates for Ivanti Cloud Services Application which addresses the vulnerabilities. Ivanti Advisory | Learn moreCurrently, there is no known public exploitation of these vulnerabilities, as per the vendor.What FortiGuard Coverage is available?FortiGuard recommends users to apply the fix provided by the vendor and follow instructions as mentioned on the vendor’s advisory. FortiGuard IPS protection coverage is under review, and this report will be updated as new coverage becomes available.The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
golang-x-crypto-0.31.0-2.fc40
Read Time:6 Second
FEDORA-2024-8f83d0ed92
Packages in this update:
golang-x-crypto-0.31.0-2.fc40
Update description:
Fix CVE-2024-45337
golang-x-crypto-0.31.0-2.fc41
Read Time:6 Second
FEDORA-2024-c33c95804e
Packages in this update:
golang-x-crypto-0.31.0-2.fc41
Update description:
Fix CVE-2024-45337
USN-7158-1: Smarty vulnerabilities
Read Time:28 Second
It was discovered that Smarty incorrectly handled query parameters in
requests. An attacker could possibly use this issue to inject arbitrary
Javascript code, resulting in denial of service or potential execution of
arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2018-25047, CVE-2023-28447)
It was discovered that Smarty did not properly sanitize user input when
generating templates. An attacker could, through PHP injection, possibly
use this issue to execute arbitrary code. (CVE-2024-35226)
A Vulnerability in Multiple Cleo Products Could Allow for Remote Code Execution
Read Time:28 Second
A vulnerability has been discovered in multiple Cleo products that could allow for remote code execution. Cleo’s LexiCom, VLTransfer, and Harmony is software that is commonly used to manage file transfers. Successful exploitation of this vulnerability could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
APPLE-SA-12-11-2024-9 Safari 18.2
Read Time:25 Second
Posted by Apple Product Security via Fulldisclosure on Dec 12
APPLE-SA-12-11-2024-9 Safari 18.2
Safari 18.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121846.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Safari
Available for: macOS Ventura and macOS Sonoma
Impact: On a device with Private Relay enabled, adding a website to the
Safari…
APPLE-SA-12-11-2024-8 visionOS 2.2
Read Time:24 Second
Posted by Apple Product Security via Fulldisclosure on Dec 12
APPLE-SA-12-11-2024-8 visionOS 2.2
visionOS 2.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121845.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
Crash Reporter
Available for: Apple Vision Pro
Impact: An app may be able to access sensitive user data
Description: A permissions…
APPLE-SA-12-11-2024-7 tvOS 18.2
Read Time:25 Second
Posted by Apple Product Security via Fulldisclosure on Dec 12
APPLE-SA-12-11-2024-7 tvOS 18.2
tvOS 18.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121844.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
AppleMobileFileIntegrity
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: A malicious app may be able to access private…
APPLE-SA-12-11-2024-6 watchOS 11.2
Read Time:24 Second
Posted by Apple Product Security via Fulldisclosure on Dec 12
APPLE-SA-12-11-2024-6 watchOS 11.2
watchOS 11.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/121843.
Apple maintains a Security Releases page at
https://support.apple.com/100100 which lists recent
software updates with security advisories.
AppleMobileFileIntegrity
Available for: Apple Watch Series 6 and later
Impact: A malicious app may be able to access private…