Category Archives: Advisories

vtk-9.1.0-18.el9

FEDORA-EPEL-2023-b59aa78f7e

Packages in this update:

vtk-9.1.0-18.el9

Update description:

Add upstream patch for CVE-2021-42521 – vtkXMLTreeReader: possible nullptr dereference (bz#2189654)

CVE-2013-10026

A vulnerability, which was classified as problematic, has been found in Mail Subscribe List Plugin up to 2.0.10 on WordPress. This issue affects some unknown processing of the file index.php. The manipulation of the argument sml_name/sml_email leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 2.1 addresses this issue. The name of the patch is 484970ef8285cae51d2de3bd4e4684d33c956c28. It is recommended to upgrade the affected component. The identifier VDB-227765 was assigned to this vulnerability.

CVE-2014-125100

A vulnerability classified as problematic was found in BestWebSoft Job Board Plugin 1.0.0 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross-site scripting. The attack can be initiated remotely. Upgrading to version 1.0.1 addresses this issue. The name of the patch is dbb71deee071422ce3e663fbcdce3ad24886f940. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-227764.

Detection Spike Observed for DVR Authentication Bypass Vulnerability (CVE-2018-9995)

FortiGuard Labs has recently observed a detection spike for the DVR Authentication Bypass Vulnerability (CVE-2018-9995). This indicates that attackers tried to exploit the vulnerability, potentially gaining unauthorized access to vulnerable DVR devices.

Why is this Significant?

This is significant because FortiGuard Labs has recently observed increased exploit attempts against unpatched TBK DVR4104 and DVR4216 Digital Video Recorder (DVR) devices, as well as rebranded devices. Proof-of-Concept (PoC) code is readily available, and the vulnerability is trivial to exploit.

What is CVE-2018-9995?

CVE-2018-9995 is an authentication bypass vulnerability that affects the DVR4104 and DVR4216 manufactured by TBK and their rebranded devices. The vulnerability is due to an error in the vulnerable application when handling a maliciously crafted HTTP cookie. A remote attacker may be able to exploit this to bypass authentication and obtain administrative access.

CVE-2018-9995 has a CVSS base score of 9.8 and is rated critical by NIST.

Has the Vendor Released an Advisory for CVE-2018-9995?

FortiGuard Labs is not aware of a vendor advisory.

Has the Vendor Released a Patch for CVE-2018-9995?

FortiGuard Labs is not aware of a vendor patch for CVE-2018-9995.

What is the Status of Protection?

FortiGuard Labs has the following IPS signature in place for CVE-2018-9995:

DVR.Cookie.Authentication.Bypass

Any Suggested Mitigation?

Configure the DVR's management interface to be accessible only from trusted IPs.
