Vulnerabilities

[webapps] Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path

  • May 5th 2023 at 00:00

[webapps] Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)

  • May 5th 2023 at 00:00

[webapps] Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks

  • May 5th 2023 at 00:00

[webapps] Jedox 2022.4.2 - Code Execution via RPC Interfaces

  • May 5th 2023 at 00:00

[webapps] EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)

  • May 5th 2023 at 00:00

[webapps] File Thingie 2.5.7 - Remote Code Execution (RCE)

  • May 5th 2023 at 00:00

APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 and Beats Firmware Update 5B66

Posted by Apple Product Security via Fulldisclosure on May 04

APPLE-SA-2023-05-03-1 AirPods Firmware Update 5E133 and
Beats Firmware Update 5B66

AirPods Firmware Update 5E133 and Beats Firmware Update 5B66
address the following issues. Information about the security content
is also available at https://support.apple.com/HT213752.

AirPods Firmware Update 5E133

Released April 11, 2023

Bluetooth

Available for: AirPods (2nd generation and later), AirPods Pro (all models),
AirPods Max
Impact: When your...
  • May 5th 2023 at 03:03

Ubuntu Security Notice USN-6055-1

Ubuntu Security Notice 6055-1 - It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. This issue is being addressed only for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
  • May 4th 2023 at 14:48

Red Hat Security Advisory 2023-2107-01

Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.
  • May 4th 2023 at 14:45

Red Hat Security Advisory 2023-2104-01

Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console, with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.
  • May 4th 2023 at 14:40

Red Hat Security Advisory 2023-2097-03

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
  • May 4th 2023 at 14:34

GV-Edge Recording Manager 2.2.3.0 Privilege Escalation

GV-Edge Recording Manager version 2.2.3.0 suffers from a privilege escalation vulnerability.
  • May 4th 2023 at 14:33

Red Hat Security Advisory 2023-2100-01

Red Hat Security Advisory 2023-2100-01 - This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include bypass, code execution, cross site scripting, denial of service, man-in-the-middle, memory exhaustion, resource exhaustion, and traversal vulnerabilities.
  • May 4th 2023 at 14:33

Red Hat Security Advisory 2023-2101-01

Red Hat Security Advisory 2023-2101-01 - Red Hat Update Infrastructure offers a highly scalable, highly redundant framework that enables you to manage repositories and content. It also enables cloud providers to deliver content and updates to Red Hat Enterprise Linux instances. Issues addressed include denial of service and remote shell upload vulnerabilities.
  • May 4th 2023 at 14:29

Red Hat Security Advisory 2023-2098-01

Red Hat Security Advisory 2023-2098-01 - Multicluster Engine for Kubernetes 2.0.8 images. Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
  • May 4th 2023 at 14:24

Red Hat Security Advisory 2023-2099-01

Red Hat Security Advisory 2023-2099-01 - A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include denial of service and resource exhaustion vulnerabilities.
  • May 4th 2023 at 14:23

Ubuntu Security Notice USN-6054-1

Ubuntu Security Notice 6054-1 - Moataz Al-Sharida and nawaik discovered that Django incorrectly handled uploading multiple files using one form field. A remote attacker could possibly use this issue to bypass certain validations.
  • May 3rd 2023 at 15:45

Debian Security Advisory 5397-1

Debian Linux Security Advisory 5397-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. An anonymous researcher discovered that a website may be able to track sensitive user information. Clément Lecigne and Donncha Ó Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • May 3rd 2023 at 15:42

Gentoo Linux Security Advisory 202305-23

Gentoo Linux Security Advisory 202305-23 - Multiple vulnerabilities have been discovered in Lua, the worst of which could result in arbitrary code execution.
  • May 3rd 2023 at 15:42

Gentoo Linux Security Advisory 202305-22

Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.
  • May 3rd 2023 at 15:37

Red Hat Security Advisory 2023-2085-01

Red Hat Security Advisory 2023-2085-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.
  • May 3rd 2023 at 15:36

Gentoo Linux Security Advisory 202305-20

Gentoo Linux Security Advisory 202305-20 - A buffer overflow vulnerability has been discovered in libapreq2 which could result in denial of service. Versions less than 2.17 are affected.
  • May 3rd 2023 at 15:35

Gentoo Linux Security Advisory 202305-19

Gentoo Linux Security Advisory 202305-19 - A vulnerability has been discovered in Firejail which could result in local root privilege escalation.
  • May 3rd 2023 at 15:32

Gentoo Linux Security Advisory 202305-18

Gentoo Linux Security Advisory 202305-18 - Multiple vulnerabilities have been found in libsdl2, the worst of which could result in arbitrary code execution. Versions less than 2.26.0 are affected.
  • May 3rd 2023 at 15:31

Gentoo Linux Security Advisory 202305-17

Gentoo Linux Security Advisory 202305-17 - Multiple vulnerabilities have been found in libsdl, the worst of which could result in arbitrary code execution. Versions less than 1.2.15_p20221201 are affected.
  • May 3rd 2023 at 15:29

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.
  • May 3rd 2023 at 15:29

Debian Security Advisory 5396-1

Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clément Lecigne and Donncha Ó Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • May 3rd 2023 at 15:24

Red Hat Security Advisory 2023-2083-01

Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and include security updates to the container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.
  • May 3rd 2023 at 15:23

Gentoo Linux Security Advisory 202305-15

Gentoo Linux Security Advisory 202305-15 - Multiple vulnerabilities have been discovered in systemd, the worst of which could result in denial of service.
  • May 3rd 2023 at 15:22

Gentoo Linux Security Advisory 202305-14

Gentoo Linux Security Advisory 202305-14 - A vulnerability has been discovered in uptimed which could result in root privilege escalation. Versions less than 0.4.6-r1 are affected.
  • May 3rd 2023 at 15:22

Gentoo Linux Security Advisory 202305-12

Gentoo Linux Security Advisory 202305-12 - A vulnerability has been discovered in sudo which could result in root privilege escalation. Versions less than 1.9.12_p2 are affected.
  • May 3rd 2023 at 15:19

Gentoo Linux Security Advisory 202305-11

Gentoo Linux Security Advisory 202305-11 - Multiple vulnerabilities have been found in Tor, the worst of which could result in denial of service. Versions less than 0.4.7.13 are affected.
  • May 3rd 2023 at 15:19

Gentoo Linux Security Advisory 202305-10

Gentoo Linux Security Advisory 202305-10 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 109.0.5414.74-r1 are affected.
  • May 3rd 2023 at 15:18

Gentoo Linux Security Advisory 202305-09

Gentoo Linux Security Advisory 202305-9 - A denial of service vulnerability was discovered in rsyslog related to syslog input over the network. Versions less than 3.38.1 are affected.
  • May 3rd 2023 at 15:17

Gentoo Linux Security Advisory 202305-08

Gentoo Linux Security Advisory 202305-8 - Multiple vulnerabilities have been found in D-Bus, the worst of which could result in denial of service. Versions less than 1.14.4 are affected.
  • May 3rd 2023 at 15:16

Gentoo Linux Security Advisory 202305-05

Gentoo Linux Security Advisory 202305-5 - A vulnerability has been discovered in xfce4-settings which could result in universal cross site scripting (uXSS). Versions less than 4.17.1 are affected.
  • May 3rd 2023 at 15:14

Gentoo Linux Security Advisory 202305-06

Gentoo Linux Security Advisory 202305-6 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. Versions less than 102.7.0:esr are affected.
  • May 3rd 2023 at 15:14

Gentoo Linux Security Advisory 202305-04

Gentoo Linux Security Advisory 202305-4 - Multiple vulnerabilities have been found in dbus-broker, the worst of which could result in denial of service. Versions less than 31 are affected.
  • May 3rd 2023 at 15:10

Gentoo Linux Security Advisory 202305-03

Gentoo Linux Security Advisory 202305-3 - A vulnerability has been discovered in ProFTPd which could result in memory disclosure. Versions less than 1.3.7c are affected.
  • May 3rd 2023 at 15:08

Gentoo Linux Security Advisory 202305-02

Gentoo Linux Security Advisory 202305-2 - Multiple vulnerabilities have been found in Python and PyPy, the worst of which could result in arbitrary code execution.
  • May 3rd 2023 at 15:07

Red Hat Security Advisory 2023-2084-01

Red Hat Security Advisory 2023-2084-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.
  • May 3rd 2023 at 15:07

SEC Consult SA-20230502-0 :: Bypassing cluster isolation through insecure defaults and shared storage in Databricks Platform

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 02

SEC Consult Vulnerability Lab Security Advisory < 20230502-0 >
=======================================================================
title: Bypassing cluster isolation through insecure defaults and
shared storage
product: Databricks Platform
vulnerable version: PaaS version as of 2023-01-26
fixed version: Current PaaS version
CVE number: -
impact: critical...
  • May 3rd 2023 at 03:20

[webapps] PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)

  • May 2nd 2023 at 00:00

[webapps] OpenEMR v7.0.1 - Authentication credentials brute force

  • May 2nd 2023 at 00:00

[webapps] admidio v4.2.5 - CSV Injection

  • May 2nd 2023 at 00:00

[local] MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control

  • May 2nd 2023 at 00:00

[webapps] Serendipity 2.4.0 - File Inclusion RCE

  • May 2nd 2023 at 00:00

[webapps] Companymaps v8.0 - Stored Cross Site Scripting (XSS)

  • May 2nd 2023 at 00:00

[webapps] SoftExpert (SE) Suite v2.1.3 - Local File Inclusion

  • May 2nd 2023 at 00:00

[webapps] PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)

  • May 2nd 2023 at 00:00

[webapps] GLPI 9.5.7 - Username Enumeration

  • May 2nd 2023 at 00:00

[webapps] PHPJabbers Simple CMS 5.0 - SQL Injection

  • May 2nd 2023 at 00:00

[local] FS-S3900-24T4S - Privilege Escalation

  • May 2nd 2023 at 00:00

[local] Advanced Host Monitor v12.56 - Unquoted Service Path

  • May 2nd 2023 at 00:00

Red Hat Security Advisory 2023-2076-01

Red Hat Security Advisory 2023-2076-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.
  • May 2nd 2023 at 15:46

Debian Security Advisory 5395-1

Debian Linux Security Advisory 5395-1 - An untrusted search path vulnerability was discovered in Node.js, which could result in unexpected searching or loading ICU data when running with elevated privileges.
  • May 2nd 2023 at 15:46

Ubuntu Security Notice USN-6053-1

Ubuntu Security Notice 6053-1 - It was discovered that PHP incorrectly handled certain invalid Blowfish password hashes. An invalid password hash could possibly allow applications to accept any password as valid, contrary to expectations.
  • May 2nd 2023 at 15:42

Red Hat Security Advisory 2023-2072-01

Red Hat Security Advisory 2023-2072-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.
  • May 2nd 2023 at 15:41

Red Hat Security Advisory 2023-2073-01

Red Hat Security Advisory 2023-2073-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.
  • May 2nd 2023 at 15:39

Red Hat Security Advisory 2023-2077-01

Red Hat Security Advisory 2023-2077-01 - The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format. Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently. Issues addressed include a double free vulnerability.
  • May 2nd 2023 at 15:39