The Advanced Page Visit Counter WordPress plugin through 5.0.8 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it
Category Archives: Advisories
CVE-2021-25102
The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk
CVE-2021-25002
The Tipsacarrier WordPress plugin through 1.4.4.2 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL
CVE-2021-32500
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
freetype-2.12.1-1.fc36
FEDORA-2022-2dd60f1f00
Packages in this update:
freetype-2.12.1-1.fc36
Update description:
Update to freetype 2.12.1 which fixes CVE-2022-27404, CVE-2022-27405, CVE-2022-27406 and adds support for OT-SVG fonts.
USN-5382-2: libinput vulnerability
USN-5382-1 fixed a vulnerability in libinput. This update provides the
corresponding updates for Ubuntu 22.04 LTS.
Original advisory details:
Albin Eldstål-Ahrens and Lukas Lamster discovered libinput did not properly
handle input devices with specially crafted names. A local attacker with
physical access could use this to cause libinput to crash or expose
sensitive information.
CVE-2021-31674
Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant.
CVE-2021-31673
A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter.
DSA-5127 linux – security update
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
mariadb-10.7-3420220501001308.058368ca
FEDORA-MODULAR-2022-3903b475a9
Packages in this update:
mariadb-10.7-3420220501001308.058368ca
Update description:
MariaDB 10.7.3 & Galera 26.4.11
Release notes: