Read Time:9 Second
Security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
Category Archives: Advisories
Multiple Vulnerabilities in LenelS2 NetBox Could Allow for Arbitrary Code Execution
Read Time:34 Second
Multiple vulnerabilities have been discovered in LenelS2 NetBox, the most severe of which could allow for arbitrary code execution. LenelS2 NetBox is a browser-based enterprise access control and event monitoring system designed for deployments with demanding security requirements. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected user account. Depending on the privileges associated with the user account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have less rights on the system could be less impacted than those who operate with administrative user rights.
USN-6803-1: FFmpeg vulnerabilities
Read Time:3 Minute, 23 Second
Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 24.04 LTS. (CVE-2023-49501)
Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2023-49502)
Zhang Ling and Zeng Yunxiang discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and
Ubuntu 24.04 LTS. (CVE-2023-49528)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2023-50007)
Zeng Yunxiang and Song Jiaxuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and
Ubuntu 24.04 LTS. (CVE-2023-50008)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10. (CVE-2023-50009)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-50010)
Zeng Yunxiang and Li Zeyuan discovered that FFmpeg incorrectly handled
certain input files. An attacker could possibly use this issue to cause
FFmpeg to crash, resulting in a denial of service, or potential arbitrary
code execution. This issue only affected Ubuntu 23.10 and
Ubuntu 24.04 LTS. (CVE-2023-51793)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.10. (CVE-2023-51794, CVE-2023-51798)
Zeng Yunxiang discovered that FFmpeg incorrectly handled certain input
files. An attacker could possibly use this issue to cause FFmpeg to crash,
resulting in a denial of service, or potential arbitrary code execution.
This issue only affected Ubuntu 23.10. (CVE-2023-51795, CVE-2023-51796)
It was discovered that discovered that FFmpeg incorrectly handled certain
input files. An attacker could possibly use this issue to cause FFmpeg to
crash, resulting in a denial of service, or potential arbitrary code
execution. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS. (CVE-2024-31578)
It was discovered that discovered that FFmpeg incorrectly handled certain
input files. An attacker could possibly use this issue to cause FFmpeg to
crash, resulting in a denial of service, or potential arbitrary code
execution. This issue only affected Ubuntu 23.10 and Ubuntu 24.04 LTS.
(CVE-2024-31582)
It was discovered that discovered that FFmpeg incorrectly handled certain
input files. An attacker could possibly use this issue to cause FFmpeg to
crash, resulting in a denial of service, or potential arbitrary code
execution. This issue only affected Ubuntu 23.10. (CVE-2024-31585)
nginx-1.26.1-1.fc40
Read Time:34 Second
FEDORA-2024-06e6dcbb42
Packages in this update:
nginx-1.26.1-1.fc40
Update description:
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
*) Bugfix: reduced memory consumption for long-lived requests if “gzip”,
“gunzip”, “ssi”, “sub_filter”, or “grpc_pass” directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the –with-atomic
option was used.
Thanks to Edgar Bonet.
*) Bugfix: in HTTP/3.
nginx-1.26.1-1.fc39
Read Time:34 Second
FEDORA-2024-2e4858330c
Packages in this update:
nginx-1.26.1-1.fc39
Update description:
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
*) Bugfix: reduced memory consumption for long-lived requests if “gzip”,
“gunzip”, “ssi”, “sub_filter”, or “grpc_pass” directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the –with-atomic
option was used.
Thanks to Edgar Bonet.
*) Bugfix: in HTTP/3.
USN-6802-1: PostgreSQL vulnerability
Read Time:39 Second
Lukas Fittl discovered that PostgreSQL incorrectly performed authorization
in the built-in pg_stats_ext and pg_stats_ext_exprs views. An unprivileged
database user can use this issue to read most common values and other
statistics from CREATE STATISTICS commands of other users.
NOTE: This update will only fix fresh PostgreSQL installations. Current
PostgreSQL installations will remain vulnerable to this issue until manual
steps are performed. Please see the instructions in the changelog located
at /usr/share/doc/postgresql-*/changelog.Debian.gz after the updated
packages have been installed, or in the PostgreSQL release notes located
here:
https://www.postgresql.org/docs/16/release-16-3.html
https://www.postgresql.org/docs/15/release-15-7.html
https://www.postgresql.org/docs/14/release-14-12.html
USN-6801-1: PyMySQL vulnerability
Read Time:7 Second
It was discovered that PyMySQL incorrectly escaped untrusted JSON input. An
attacker could possibly use this issue to perform SQL injection attacks.
USN-6800-1: browserify-sign vulnerability
Read Time:14 Second
It was discovered that browserify-sign incorrectly handled an upper bound check
in signature verification. If a user or an automated system were tricked into
opening a specially crafted input file, a remote attacker could possibly use
this issue to perform a signature forgery attack.
ZDI-24-526: (Pwn2Own) VMware Workstation VBluetoothHCI_PacketOut Use-After-Free Privilege Escalation Vulnerability
Read Time:17 Second
This vulnerability allows local attackers to escalate privileges on affected installations of VMware Workstation. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2024-22267.
CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420
Read Time:15 Second
Posted by Thomas Weber via Fulldisclosure on May 29
CyberDanube Security Research 20240528-0
——————————————————————————-
title| Multiple Vulnerabilities
product| ORing IAP-420
vulnerable version| 2.01e
fixed version| –
CVE number| CVE-2024-5410, CVE-2024-5411
impact| High
homepage| https://oringnet.com/
found| 2024-01-19
by| T. Weber…