FEDORA-2024-a3fecfab32
Packages in this update:
emacs-29.4-3.fc40
Update description:
Update to Emacs 29.4, fixing CVE-2024-39331.
Rory McNamara discovered that when starting the cupsd server with a
Listen configuration item, the cupsd process fails to validate whether
the bind call succeeded. An attacker could possibly trick cupsd into
performing an arbitrary chmod of the provided argument, granting
world-writable access to the target.
It was discovered that Hibernate incorrectly handled certain inputs with
unsanitized literals. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to obtain sensitive information.
Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 23
SEC Consult Vulnerability Lab Security Advisory < 20240620-0 >
=======================================================================
title: Arbitrary File Upload
product: edu-sharing (metaVentis GmbH)
vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19
fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19
CVE number: CVE-2024-28147
impact: high…
Posted by Egidio Romano on Jun 23
Hello list,
Just wanted to share with you my latest blog post:
https://karmainsecurity.com/zip-slip-meets-artifactory-a-bug-bounty-story
Enjoy it!
Posted by malvuln on Jun 23
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/eeb631127f1b9fb3d13d209d8e675634.txt
Contact: malvuln13 () gmail com
Media: x.com/malvuln
Threat: Backdoor.Win32.Plugx
Vulnerability: Insecure Permissions
Family: Plugx
Type: PE32
MD5: eeb631127f1b9fb3d13d209d8e675634
SHA256: c2804080c3f45e8232b3e955611f56c9ba513a7845ddad56a588c4191d139990
Vuln ID: MVID-2024-0686
Disclosure: 06/17/2024…
Posted by SBA Research Security Advisory via Fulldisclosure on Jun 23
# Paradox IP150 Internet Module Cross-Site Request Forgery #
## Vulnerability Overview ##
The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to
Cross-Site Request Forgery (CSRF) attacks due to
a lack of countermeasures and the use of the HTTP method `GET` to introduce
changes in the system.
* **Identifier**…
The update for composer released as DSA 5715 introduced a regression
in the handling of git feature branches. Updated composer packages
are now available to address this issue.
python-PyMySQL-0.9.3-2.el7
Security fix for CVE-2024-36039
libreswan-4.15-1.fc39
Update to 4.15 for CVE-2024-3652