lenovo warranty check/lookup | check warranty status | lenovo support us

In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `wss:` connection made using this library is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. For further background information on this issue, please see the referenced GitHub Advisory. Upgrading `faye-websocket` to v0.11.0 is recommended.

ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.

ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.

The impact of this vulnerability is that Arista's EOS eAPI may skip re-evaluating user credentials when certificate based authentication is used, which allows remote attackers to access the device via eAPI.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0, and .NET CORE 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a Denial of Service vulnerability, which exists in .NET 6.0, .NET 5.0, and .NET CORE 3.1 when parsing certain types of http form requests. ### Affected Software * Any .NET 6.0 application running on .NET 6.0.2 or lower * Any .NET 5.0 application running on .NET 5.0.14 or lower * Any .NET Core 3.1 application running on .NET Core 3.1.22 or lower ### Patches To fix the issue, please install the latest version of .NET 6.0 or .NET 5.0 or .NET Core 3.1.. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs. * If you're using .NET Core 6.0, you should download and install Runtime 6.0.3 or SDK 6.0.201 (for Vi...

WordPress Ecwid Ecommerce Shopping Cart plugin versions 6.10.23 and below suffer from a cross site request forgery vulnerability.

Palo Alto Networks GlobalProtect versions 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.3.x and versions less than 6.2.5 suffer from a local privilege escalation vulnerability.

The Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems. While the nation-state group has previously employed ScreenConnect, RemoteUtilities, and Syncro, a new analysis from Group-IB has revealed the adversary's use of the SimpleHelp remote support software in June 2022. MuddyWater,

Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework. Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.

Debian Linux Security Advisory 5265-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.