Debian Security Advisory 5652-1

Debian Linux Security Advisory 5652-1 - A directory traversal vulnerability was discovered in py7zr, a library and command-line utility to process 7zip archives.

Ubuntu Security Notice USN-6720-1

Ubuntu Security Notice 6720-1 - Kentaro Kawane discovered that Cacti incorrectly handled user provided input sent through request parameters to the graph_view.php script. A remote authenticated attacker could use this issue to perform SQL injection attacks.

Red Hat Security Advisory 2024-1601-03

Red Hat Security Advisory 2024-1601-03 - An update for curl is now available for Red Hat Enterprise Linux 8. Issues addressed include an information leakage vulnerability.

Red Hat Security Advisory 2024-1607-03

Red Hat Security Advisory 2024-1607-03 - An update for kernel is now available for Red Hat Enterprise Linux 8. Issues addressed include code execution, null pointer, privilege escalation, and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-1608-03

Red Hat Security Advisory 2024-1608-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-1610-03

Red Hat Security Advisory 2024-1610-03 - An update for less is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-1612-03

Red Hat Security Advisory 2024-1612-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8. Issues addressed include a privilege escalation vulnerability.

[webapps] Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

[webapps] Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

[webapps] Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)

Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)

[webapps] CE Phoenix v1.0.8.20 - Remote Code Execution

CE Phoenix v1.0.8.20 - Remote Code Execution

[webapps] Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

[webapps] FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)

FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)

[webapps] Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)

Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)

[webapps] E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

[webapps] Gibbon LMS v26.0.00 - SSTI vulnerability

Gibbon LMS v26.0.00 - SSTI vulnerability

[webapps] Smart School 6.4.1 - SQL Injection

Smart School 6.4.1 - SQL Injection

[webapps] Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection

Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection

[webapps] Casdoor < v1.331.0 - '/api/set-password' CSRF

Casdoor

[webapps] Daily Habit Tracker 1.0 - SQL Injection

Daily Habit Tracker 1.0 - SQL Injection

[local] ASUS Control Center Express 01.06.15 - Unquoted Service Path

ASUS Control Center Express 01.06.15 - Unquoted Service Path

[webapps] Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

[webapps] OpenCart Core 4.0.2.3 - 'search' SQLi

OpenCart Core 4.0.2.3 - 'search' SQLi

[webapps] FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

[local] Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

[local] Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

[local] Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path

[webapps] Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)

Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)

[webapps] Axigen < 10.5.7 - Persistent Cross-Site Scripting

Axigen

[webapps] Elementor Website Builder < 3.12.2 - Admin+ SQLi

Elementor Website Builder

[remote] GL-iNet MT6000 4.5.5 - Arbitrary File Download

GL-iNet MT6000 4.5.5 - Arbitrary File Download

[webapps] Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

Wordpress Plugin - Membership For WooCommerce

[webapps] Daily Habit Tracker 1.0 - Broken Access Control

Daily Habit Tracker 1.0 - Broken Access Control

[webapps] LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

Debian Security Advisory 5651-1

Debian Linux Security Advisory 5651-1 - Two security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting or denial of service.

Gentoo Linux Security Advisory 202403-04

Gentoo Linux Security Advisory 202403-4 - A backdoor has been discovered in XZ utils that could lead to remote compromise of systems. Versions less than 5.6.0 are affected.

Debian Security Advisory 5650-1

Debian Linux Security Advisory 5650-1 - Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.

Red Hat Security Advisory 2024-1576-03

Red Hat Security Advisory 2024-1576-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

xz/liblzma Backdoored

It has been discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library. Included in this archive are not only the advisory but additional data and a testing script to see if you're affected.

Debian Security Advisory 5648-1

Debian Linux Security Advisory 5648-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

Debian Security Advisory 5649-1

Debian Linux Security Advisory 5649-1 - Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library.

Ubuntu Security Notice USN-6707-4

Ubuntu Security Notice 6707-4 - Lonial Con discovered that the netfilter subsystem in the Linux kernel did not properly handle element deactivation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Ubuntu Security Notice USN-6704-4

Ubuntu Security Notice 6704-4 - It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service. Quentin Minster discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests. A remote attacker could possibly use this to cause a denial of service.

Intel PowerGadget 3.6 Local Privilege Escalation

Intel PowerGadget version 3.6 suffers from a local privilege escalation vulnerability.

Red Hat Security Advisory 2024-1570-03

Red Hat Security Advisory 2024-1570-03 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a denial of service vulnerability.

Intel PowerGadget 3.6 Local Privilege Escalation

Posted by Julian Horoszkiewicz via Fulldisclosure on Mar 28

Vulnerability summary: Local Privilege Escalation from regular user to SYSTEM, via conhost.exe hijacking triggered by
MSI installer in repair mode
Affected Products: Intel PowerGadget
Affected Versions: tested on PowerGadget_3.6.msi (a3834b2559c18e6797ba945d685bf174), file signed on ‎Monday, ‎February
‎1, ‎2021 9:43:20 PM (this seems to be the latest version), earlier versions might be affected as well.
Affected Platforms: Windows...

Ubuntu Security Notice USN-6719-1

Ubuntu Security Notice 6719-1 - Skyler Ferrante discovered that the util-linux wall command did not filter escape sequences from command line arguments. A local attacker could possibly use this issue to obtain sensitive information.

Ubuntu Security Notice USN-6715-1

Ubuntu Security Notice 6715-1 - It was discovered that unixODBC incorrectly handled certain bytes. An attacker could use this issue to execute arbitrary code or cause a crash.

Apple Security Advisory 03-25-2024-1

Apple Security Advisory 03-25-2024-1 - Safari 17.4.1 addresses code execution and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-1554-03

Red Hat Security Advisory 2024-1554-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1555-03

Red Hat Security Advisory 2024-1555-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1557-03

Red Hat Security Advisory 2024-1557-03 - An update is now available for Red Hat OpenShift Builds 1.0. Issues addressed include denial of service and traversal vulnerabilities.

Red Hat Security Advisory 2024-1549-03

Red Hat Security Advisory 2024-1549-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes bug and security fixes. Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2024-1552-03

Red Hat Security Advisory 2024-1552-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1553-03

Red Hat Security Advisory 2024-1553-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1544-03

Red Hat Security Advisory 2024-1544-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Security Advisory 2024-1545-03

Red Hat Security Advisory 2024-1545-03 - An update for dnsmasq is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

Apple Security Advisory 03-25-2024-2

Apple Security Advisory 03-25-2024-2 - macOS Sonoma 14.4.1 addresses code execution and out of bounds write vulnerabilities.

Ubuntu Security Notice USN-6686-5

Ubuntu Security Notice 6686-5 - It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service. It was discovered that a race condition existed in the Cypress touchscreen driver in the Linux kernel during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

Red Hat Security Advisory 2024-1538-03

Red Hat Security Advisory 2024-1538-03 - An update for cnf-tests-container, dpdk-base-container, performance-addon-operator-must-gather NUMA-aware secondary scheduler, numaresources-operator is now available for Red Hat OpenShift Container Platform 4.12.