The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not sanitise and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
Category Archives: Advisories
USN-5373-2: Django vulnerabilities
USN-5373-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Django incorrectly handled certain certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. (CVE-2021-32052)
USN-5373-1: Django vulnerabilities
It was discovered that Django incorrectly handled certain certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that Django incorrectly handled certain option names in
the QuerySet.explain() method. A remote attacker could possibly use this
issue to perform an SQL injection attack. This issue only affected Ubuntu
20.04 LTS, and Ubuntu 21.10. (CVE-2022-28347)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 18.04
LTS. (CVE-2021-32052)
Denonia: First Malware Targeting AWS Lambda
FortiGuard Labs is aware of a report that a new malware is designed to run in compromised AWS Lambda environments. Started in 2014, AWS Lambda is a serverless compute service of Amazon Web Services (AWS) and runs code as a response to events, which some refer to as Function as a Service (FaaS). Written in Go, Denonia malware contains and runs a customized version of the XMRig cryptocurrency mining software in memory.Why is this Significant?This is significant as Denonia appears to be the first malware that is crafted to run in AWS Lambda environments. Since AWS Lambda is widely used, another Lambda specific malware can emerge and potentially perform other malicious activities.How was Denonia Malware Deployed in AWS Lambda?The attack vector has not been identified. What is Denonia Malware Designed to Perform in AWS Lambda?Upon infection, Denonia executes XMRig miner in memory, and communicates with the attacker’s Mining pool.What is the Status of Coverage?FortiGuard Labs provide the following coverage against Denonia malware:Adware/MinerRiskware/ApplicationAll network IOCs are blocked by the WebFiltering client.
frr-8.2.2-2.fc35
FEDORA-2022-3b86b4a6ef
Packages in this update:
frr-8.2.2-2.fc35
Update description:
Security fix for CVE-2022-26126.
frr-8.0.1-2.fc34
FEDORA-2022-c8c2e42934
Packages in this update:
frr-8.0.1-2.fc34
Update description:
Security fix for CVE-2022-26126.
frr-8.2.2-2.fc36
FEDORA-2022-376cb924bd
Packages in this update:
frr-8.2.2-2.fc36
Update description:
Security fix for CVE-2022-26126.
firefox-99.0-1.fc34 nss-3.77.0-1.fc34
FEDORA-2022-ea66694ce2
Packages in this update:
firefox-99.0-1.fc34
nss-3.77.0-1.fc34
Update description:
Update to latest upsream (Firefox 99.0 & nss 3.77)
firefox-99.0-1.fc35 nss-3.77.0-1.fc35
FEDORA-2022-3781e69ebd
Packages in this update:
firefox-99.0-1.fc35
nss-3.77.0-1.fc35
Update description:
Update to latest upstream (Firefox 99.0 & nss 3.77).
USN-5331-2: tcpdump vulnerabilities
USN-5331-1 fixed several vulnerabilities in tcpdump. This update provides
the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
Original advisory details:
It was discovered that tcpdump incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service,
or possibly execute arbitrary code. (CVE-2018-16301)
It was discovered that tcpdump incorrectly handled certain captured data.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2020-8037)