Packet Storm

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated configuration download vulnerability. This can be exploited to download the CSV DB that contains the configuration mappings information via the VMobileImportExportServlet by directly calling the vstatConfigurationDownload.php script.

The Akuvox Smart Intercom/Doorphone suffers from an insecure service API access control. The vulnerability in ServicesHTTPAPI endpoint allows users with "User" privileges to modify API access settings and configurations. This improper access control permits privilege escalation, enabling unauthorized access to administrative functionalities. Exploitation of this issue could compromise system integrity and lead to unauthorized system modifications.

Debian Linux Security Advisory 5819-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service, CLRF injection or information disclosure.

Ubuntu Security Notice 7126-1 - It was discovered that libsoup ignored certain characters at the end of header names. A remote attacker could possibly use this issue to perform a HTTP request smuggling attack. It was discovered that libsoup did not correctly handle memory while performing UTF-8 conversions. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libsoup could enter an infinite loop when reading certain websocket data. An attacker could possibly use this issue to cause a denial of service.

Ubuntu Security Notice 7127-1 - It was discovered that libsoup ignored certain characters at the end of header names. A remote attacker could possibly use this issue to perform a HTTP request smuggling attack. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that libsoup did not correctly handle memory while performing UTF-8 conversions. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

Ubuntu Security Notice 7130-1 - It was discovered that GitHub CLI incorrectly handled username validation. An attacker could possibly use this issue to perform remote code execution if the user connected to a malicious server.

Ubuntu Security Notice 7125-1 - It was discovered that RapidJSON incorrectly parsed numbers written in scientific notation, leading to an integer underflow. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.

Ubuntu Security Notice 6988-2 - USN-6988-1 fixedCVE-2024-41671 in Twisted. The USN incorrectly stated that previous releases were unaffected. This update provides the equivalent fix for Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04 LTS. Ben Kallus discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay and manipulate responses. This issue only affected Ubuntu 24.04 LTS.

Ubuntu Security Notice 7129-1 - It was discovered that TinyGLTF performed file path expansion in an insecure way on certain inputs. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.

Ubuntu Security Notice 7128-1 - Sebastian Chnelik discovered that Pygments had an inefficient regex query for analyzing certain inputs. An attacker could possibly use this issue to cause a denial of service.