ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). The ASUS router admin panel does not sanitize the WiFI logs correctly, if an attacker was able to change the SSID of the router with a custom payload, they could achieve stored XSS on the device.
Category Archives: Advisories
libtiff-4.4.0-2.fc36
FEDORA-2022-edf7301147
Packages in this update:
libtiff-4.4.0-2.fc36
Update description:
Fix for CVE-2022-2056, CVE-2022-2057 and CVE-2022-2058.
libtiff-4.4.0-2.fc35
FEDORA-2022-b9c2a3a2b7
Packages in this update:
libtiff-4.4.0-2.fc35
Update description:
Fix for CVE-2022-2056, CVE-2022-2057 and CVE-2022-2058.
DSA-5177 ldap-account-manager – security update
Arseniy Sharoglazov discovered multiple security issues in LDAP Account
Manager (LAM), a web frontend for managing accounts in an LDAP directory,
which could result in information disclosure or unauthenticated remote
code execution.
USN-5479-2: PHP vulnerabilities
USN-5479-1 fixed vulnerabilities in PHP. This update provides the
corresponding updates for Ubuntu 16.04 ESM.
Original advisory details:
Charles Fol discovered that PHP incorrectly handled initializing certain
arrays when handling the pg_query_params function. A remote attacker could
use this issue to cause PHP to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2022-31625)
Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A
remote attacker could use this issue to cause PHP to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2022-31626)
CVE-2021-25056
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-25066
The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-0250
The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting
USN-5501-1: Django vulnerability
It was discovered that Django incorrectly handled certain SQL.
An attacker could possibly use this issue to expose sensitive information.
gnupg2-2.3.6-2.fc36
FEDORA-2022-aa14d396dd
Packages in this update:
gnupg2-2.3.6-2.fc36
Update description:
Fix for CVE-2022-34903 (#2103242)