lenovo warranty check/lookup | check warranty status | lenovo support us

New web targets for the discerning hacker

Rite Aid has started notifying 2.2 million people that were affected by data breach that was part of a June ransomware attack.

Adobe Premiere Elements version 5.2 (and earlier) is affected by an insecure temporary file creation vulnerability. An unauthenticated attacker could leverage this vulnerability to call functions against the installer to perform high privileged actions. Exploitation of this issue does not require user interaction.

Insufficient control flow management in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow an authenticated user to potentially enable denial of service via adjacent access.

Red Hat OpenShift Container Platform release 4.10.47 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41912: crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at opencats/index.php?m=candidates.

ZwiiCMS version 12.2.04 suffers from an authenticated remote code execution vulnerability.

Authoritarian societies depend on people ratting each other out for activities that were recently legal—and it's already happening in the US.

### Impact The attacker can use the incorrect `Content-Type` to bypass the `Pre-Flight` checking of `fetch`. `fetch()` requests with Content-Type’s [essence](https://mimesniff.spec.whatwg.org/#mime-type-essence) as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts `application/json` content type, thus bypassing any [CORS protection](https://fetch.spec.whatwg.org/#simple-header), and therefore they could lead to a Cross-Site Request Forgery attack. ### Patches For `4.x` users, please update to at least `4.10.2`. For `3.x` users, please update to at least `3.29.4`. ### Workarounds Implement Cross-Site Request Forgery protection using [`@fastify/csrf`](https://www.npmjs.com/package/@fastify/csrf). ### References Check out the HackerOne report: https://hackerone.com/reports/1763832. ### For more information [Fastify security policy](https://github.com/fastify/fastify/security/policy)

### Summary In `eza`, there exists a potential heap overflow vulnerability, first seen when using Ubuntu for Raspberry Pi series system, on `ubuntu-raspi` kernel, relating to the `.git` directory. ### Details The vulnerability seems to be triggered by the `.git` directory in some projects. This issue may be related to specific files, and the directory structure also plays a role in triggering the vulnerability. Files/folders that may be involved in triggering the vulnerability include `.git/HEAD`, `.git/refs`, and `.git/objects`. As @polly pointed out to me, this is likely caused by [GHSA-j2v7-4f6v-gpg8](https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8), which we do seem to use currently. ### PoC For more information check @CuB3y0nd's blogpost [blog](https://www.cubeyond.net/blog/eza-cve-report). ### Impact Arbitrary code execution.