Category Archives: Advisories

USN-6672-1: Node.js vulnerabilities

Read Time:51 Second

Morgan Jones discovered that Node.js incorrectly handled certain inputs that
leads to false positive errors during some cryptographic operations. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 23.10. (CVE-2023-23919)

It was discovered that Node.js incorrectly handled certain inputs leaded to a
untrusted search path vulnerability. If a user or an automated system were
tricked into opening a specially crafted input file, a remote attacker could
possibly use this issue to perform a privilege escalation. (CVE-2023-23920)

Matt Caswell discovered that Node.js incorrectly handled certain inputs with
specially crafted ASN.1 object identifiers or data containing them. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-2650)

Read More

ZDI-24-232: Kofax Power PDF JPG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-27334.

Read More

ZDI-24-230: Kofax Power PDF TIF File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-27337.

Read More

ZDI-24-233: Delta Electronics CNCSoft-B DPA File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics CNCSoft-B. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-1941.

Read More

USN-6669-1: Thunderbird vulnerabilities

Read Time:1 Minute, 7 Second

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-0741, CVE-2024-0742,
CVE-2024-0747, CVE-2024-0749, CVE-2024-0750, CVE-2024-0751, CVE-2024-0753,
CVE-2024-0755, CVE-2024-1547, CVE-2024-1548, CVE-2024-1549, CVE-2024-1550,
CVE-2024-1553)

Cornel Ionce discovered that Thunderbird did not properly manage memory when
opening the print preview dialog. An attacker could potentially exploit
this issue to cause a denial of service. (CVE-2024-0746)

Alfred Peters discovered that Thunderbird did not properly manage memory when
storing and re-accessing data on a networking channel. An attacker could
potentially exploit this issue to cause a denial of service. (CVE-2024-1546)

Johan Carlsson discovered that Thunderbird incorrectly handled Set-Cookie
response headers in multipart HTTP responses. An attacker could potentially
exploit this issue to inject arbitrary cookie values. (CVE-2024-1551)

Gary Kwong discovered that Thunderbird incorrectly generated codes on 32-bit
ARM devices, which could lead to unexpected numeric conversions or undefined
behaviour. An attacker could possibly use this issue to cause a denial of
service. (CVE-2024-1552)

Read More