A CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal) vulnerability exists that could cause malicious script to be deployed in an unauthorized location and may result in code execution on the engineering workstation when a malicious project file is loaded in the engineering software. Affected Product: EcoStruxure Control Expert (V15.0 SP1 and prior, including former Unity Pro), EcoStruxure Process Expert (2020 and prior, including former HDCS), SCADAPack RemoteConnect for x70 (All versions)
Category Archives: Advisories
CVE-2015-20107
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
USN-5378-4: Gzip vulnerability
USN-5378-1 fixed a vulnerability in Gzip. This update provides
the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.
Original advisory details:
Cleemy Desu Wayo discovered that Gzip incorrectly handled certain
filenames. If a user or automated system were tricked into performing zgrep
operations with specially crafted filenames, a remote attacker could
overwrite arbitrary files.
dhcp-4.4.3-2.fc35
FEDORA-2022-a88218de5c
Packages in this update:
dhcp-4.4.3-2.fc35
Update description:
Security fix for CVE-2021-25220
New version 4.4.3
Add keama migration utility
dhcp-4.4.3-2.fc36
FEDORA-2022-3f293290c3
Packages in this update:
dhcp-4.4.3-2.fc36
Update description:
Security fix for CVE-2021-25220
New version 4.4.3
Add keama migration utility
USN-5378-3: XZ Utils vulnerability
USN-5378-2 fixed a vulnerability in XZ Utils. This update provides
the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.
Original advisory details:
Cleemy Desu Wayo discovered that Gzip incorrectly handled certain
filenames. If a user or automated system were tricked into performing zgrep
operations with specially crafted filenames, a remote attacker could
overwrite arbitrary files.
golang-x-crypto-0-0.43.20220412git7b82a4e.fc34
FEDORA-2022-d37fb34309
Packages in this update:
golang-x-crypto-0-0.43.20220412git7b82a4e.fc34
Update description:
Update for CVE-2022-27191
golang-x-crypto-0-0.43.20220412git7b82a4e.fc36
FEDORA-2022-14712f9699
Packages in this update:
golang-x-crypto-0-0.43.20220412git7b82a4e.fc36
Update description:
Update for CVE-2022-27191
golang-x-crypto-0-0.43.20220412git7b82a4e.fc35
FEDORA-2022-a4c9009f3e
Packages in this update:
golang-x-crypto-0-0.43.20220412git7b82a4e.fc35
Update description:
Update for CVE-2022-27191
CVE-2020-29653
Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.