lenovo warranty check/lookup | check warranty status | lenovo support us

Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

SurrealDB allows authenticated users with `OWNER` or `EDITOR` permissions at the root, database or namespace levels to define their own database functions using the `DEFINE FUNCTION` statement A custom database function comprises a name together with a function body. In the function body, the user programs the functionality of the function in terms of SurrealQL. The language includes a `FOR` keyword, used to implement for-loops. Whilst the parser and interpreter constrain the number of iterations for a single for-loop, nesting several for-loops with a large number of iterations is possible. Thus, an attacker could define a function that comprises several nested for-loops with an iteration count of 1.000.000 each. Executing the function will consume all the CPU time of the server, timeouts configured will not break the CPU consumption, and the function execution monopolizes all CPU time of the SurrealDB server, effectively preventing the server from executing functions, queries, com...

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0, and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A Remote Code Execution vulnerability exists in .NET 6.0, .NET 5.0, and .NET Core 3.1 where a stack buffer overrun occurs in .NET Double Parse routine. ### Patches * Any .NET 6.0 application running on .NET 6.0.2 or lower * Any .NET 5.0 application running on .NET 5.0.14 or lower * Any .NET Core 3.1 application running on .NET Core 3.1.22 or lower To fix the issue, please install the latest version of .NET 6.0, .NET 5.0, or .NET Core 3.1. If you have installed one or more .NET Core SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET Core SDKs. * If you're using .NET 6.0, you should download and install Runtime 6.0.3 or SDK 6.0.103 (for Visual Studio 2019 v17.0) or SDK 6...

This Metasploit module exploits CVE-2022-28219, which is a pair of vulnerabilities in ManageEngine ADAudit Plus versions before build 7060. They include a path traversal in the /cewolf endpoint along with a blind XML external entity injection vulnerability to upload and execute a file.

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.