lenovo warranty check/lookup | check warranty status | lenovo support us

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

Buffer Over-read in GitHub repository vim/vim prior to 8.2.

@fastify/oauth2, a wrapper around the `simple-oauth2` library, is vulnerable to cross site request forgery (CSRF) prior to version 7.2.0.. All versions of @fastify/oauth2 used a statically generated `state` parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 `state` parameter is to prevent CSRF attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it. Version 7.2.0 changes the default behavior to store the `state` in a cookie with the `http-only` and `same-site=lax` attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the `checkStateFunction` function, which now accepts the full `Request` object. There are no known workarounds for the issue.

Amazon informed Echo users in the US that the "Do not send voice recordings" feature will stop working on March 28, 2025.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q4 Security Researcher Leaderboard are: goodbyeselene, Jarvis_1oop, and kap0k! Check out the full list of researchers recognized this quarter here.

CVE description: Authd, through version 0.3.6, did not sufficiently randomize user IDs to prevent collisions. A local attacker who can register user names could spoof another user's ID and gain their privileges. ----- original report ----- # Cause authd assigns user IDs as a pure function of the user name. Moreover, the set of UIDs is much too small for pseudo-random assignment to work: the birthday bound predicts random collisions will occur with probability 50% after only 54 562 IDs were assigned. `authd` only checks for uniqueness [within its local cache](https://github.com/ubuntu/authd/blob/4946962aa4ac6e5b7d2b53503026659581c73907/internal/users/cache/update.go#L67-L71), which - may be inconsistent across multiple systems within the same domain ; - may be purged, due to being stored in `/var/cache` ; - automatically removes entries of users who have not logged into that specific system within the last 6 months. The current `GenerateID` method, authored in September 2024 (commi...

## Impact Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the [`dangerousRemoteDomainIpcAccess`](https://v1.tauri.app/api/config/#securityconfig.dangerousremotedomainipcaccess) in v1 and in the [`capabilities`](https://v2.tauri.app/security/capabilities/#remote-api-access) in v2. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window. For this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application. ## Patches The patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on MacOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems. This means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origi...

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

An issue was discovered in Webmin <=1.920. The parameter old in password_change.cgi contains a command injection vulnerability.

This Metasploit module exploits a Python code injection vulnerability in the Content Server component of Calibre version 6.9.0 through 7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.