WinterCMS version 1.2.3 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in WinterCMS 1.2.3 Plugin Components# Date: 12/7/2023# Exploit Author: tmrswrr# Vendor Homepage: https://wintercms.com/# Software Link: https://github.com/wintercms/winter# Version: 1.2.3# Tested on: debian 9PoC   1. Access the WinterCMS backend at http://localhost/backend/cms.   2. Navigate to the Plugin Components section.   3. In the Markup Code input field, insert the following payload:   "<sVg/onLy=1 onLoaD=confirm(1)//".   4. Save the input and click on the "Preview" button.   5. The injected script executes, demonstrating the XSS vulnerability.

WinterCMS 1.2.3 Cross Site Scripting

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

CVE-2023-41913: Releases · strongswan/strongswan

Debian Linux Security Advisory 5572-1 - Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5572-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondDecember 04, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : roundcubeCVE ID         : CVE-2023-47272Debian Bug     : 1055421Rene Rehme discovered that roundcube, a skinnable AJAX based webmailsolution for IMAP servers, did not properly set headers when handlingattachments. This would allow an attacker to load arbitrary JavaScriptcode.For the oldstable distribution (bullseye), this problem has been fixedin version 1.4.15+dfsg.1-1~deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1.6.5+dfsg-1~deb12u1.We recommend that you upgrade your roundcube packages.For the detailed security status of roundcube please refer toits security tracker page at:https://security-tracker.debian.org/tracker/roundcubeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmVtkOQACgkQEL6Jg/PVnWTxhQgAimG1yVgg/Ic84EQIqpB014hb/ev5RzapM+xJ5Dwwb1Xs7HMNsvqYBBeXLNIbXgNKkSGF38k3MP2A9aBwyKMV256SVEtKUkiAzCQhX3xsUB5EkpNMXv0GRs9ksjjj/ATwChVVlz5OusTtuDpog44RYGH8CXJTuAVemK2GusdgkrsMu1EvGr7JhtMvjiFW5uYFjI+ADp5KcoIl3AtLCdYhDHz/p687Ze1vJQ0v18jiS2mUMvF7zd8SmwA4uLPAcLIJ+KCyd8A+LYzyWbHVxbxIqMxmuAjQ7TrOH3oE5Be5jN9ShKJv1pj50P2i5/g4H+e5fQ6gQm8oF1CMVJubS1NpIg===KGev-----END PGP SIGNATURE-----

Debian Security Advisory 5572-1

Debian Linux Security Advisory 5571-1 - It was discovered that missing input sanitising in the HTTP API endpoint of RabbitMQ, an implementation of the AMQP protocol, could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5571-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 01, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : rabbitmq-serverCVE ID         : CVE-2023-46118It was discovered that missing input sanitising in the HTTP API endpointof  RabbitMQ, an implementation of the AMQP protocol, could result indenial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 3.8.9-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 3.10.8-1.1+deb12u1.We recommend that you upgrade your rabbitmq-server packages.For the detailed security status of rabbitmq-server please refer toits security tracker page at:https://security-tracker.debian.org/tracker/rabbitmq-serverFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVqQcwACgkQEMKTtsN8TjYyAg/+JsQaCGn5vhqe5bKN6WmJpnfR+WYTx9FtAfitkOcBb+s+g0dWudOS1kDCIn+gUtelwMXozX1uAt3XNTicHCY9tRaa8fNXG2nAkwq11p6Te20ZO1tbg6/OOtmlFsXO2yGszhWaqUwkw9GseSBpVyu5lr0cdFIrqdelzGFwXdAiVnlV5rWbvC1IgsWyL6dZLs+OZcrnIvPEG2lRHt8+0dvFh0p4bwFpKJXxnmBREMXH46D/RgyejkxNkqntacLala7coqO4ePsYFrCeXrP1IoC8VRtk5iz1jFSOqiPQY1q9nG10iiL2CnOPAJ8w6H5kEzoP8zHzZo2pWvcmQVtzaQ3IEh8xhF/jkiw248Fzf6spjxRM2Pa6XXtWmpUtNNQUps8vzbQOC7gNPDvYsy8ZgE7HlOj+fzG0v9Ny3YGPUTfG6Ag98pOZtko/QO8v5MIiYlMwxEb57wotAYXXYELO4IW6SI8EGisT5oaNjCfKRGDdg83GfUnhVPC2lT9jf29RbECgxjFh0YHV0Kd4sLzWKxV8eXtSMYi2aZCdahoyuk/9JejoevgdgcudsBaJLEXCNepqwpYdLyPxYAySpuo3WzyVgzjbR94zQGH1Z1xAumXdnFNhQH6riomKERZUwg7tUWcOGCyu1ey/h2+zaHPscvSm0DmlZS2lXMgpY3OQTfFsXVw==vX+w-----END PGP SIGNATURE-----

Debian Security Advisory 5571-1

Debian Linux Security Advisory 5569-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5569-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 30, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6348                  CVE-2023-6350 CVE-2023-6351Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 119.0.6045.199-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 119.0.6045.199-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVouqQACgkQZF0CR8Nudjdmtg//WecYaNpTK78jbWWKXpBZaX5w5XN4gbYH5ky4g1uuyi/ux2U17ynh0b0Q50j5iX4g3obOch8BwNxLDIvsjNoWL30LU6DeiDVBfOP+w+sjMQLUDwI0YU6jW2kYyLnrOUUYEECEE7lIEnMogxVN/o4JESfleShgEgAlDayHfuL4BxwgiqsIM8PZgCVSCtrDamNBbLE7X9FXHPb32mcqUXYh5WoSIPjgo45pOWlUCSizMXBQ47BCm8iuQq38TCIscfvZhjwF7bWrP8NHRimFd1RnQtbQpLsKufJBllnHby7mM1U2+jUq8GIKHpFy2jTQ6q42x5P65H0q6MxOelDkAmdMMOBt68vVgvZ8zIgmpb5/RoIzZNtioPUkpmzFal5/vHTbE1dmIuylffnPOoM4wF16xG6Fs61HuhRWZscrBCflkIuL3UF7Y3rdIyGdyV7Unm2X8fkhVJ00PKg+qC2E73udBYFfTDlvrh8uHf68x12OrmOuNkd6JdNocCnW/se9wVFqLjtyzew//aXC2D3STuyfGMgt9LnGWJDqJx7Lbr+Fp1BCPYPNkinobkjEKKyvx9unR8tM14K16Pf+84xSX/FKpQagcSZ/koqeUjyJ0QpNUC1IuOMrRNgmW6PspLehwd3WExRnclzCsKuE7oNtla8Rjsap3bOGrfBOVeqYA1FjieI==Qn+X-----END PGP SIGNATURE-----

Debian Security Advisory 5569-1

A serialization vulnerability in logback receiver component part of 
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service 
attack by sending poisoned data.



CVE-2023-6378: News

Debian Linux Security Advisory 5568-1 - It was discovered that incorrect memory management in Fast DDS, a C++ implementation of the DDS (Data Distribution Service) might result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5568-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 27, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : fastdds  
CVE ID         : CVE-2023-42459  
Debian Bug     : 1054163

It was discovered that incorrect memory management in Fast DDS, a C++  
implementation of the DDS (Data Distribution Service) might result in  
denial of service.

The oldstable distribution (bullseye) is not affected.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.9.1+ds-1+deb12u2.

We recommend that you upgrade your fastdds packages.

For the detailed security status of fastdds please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/fastdds

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVk6wsACgkQEMKTtsN8  
Tja2FRAAqpa1Zek52KcYiyQSucpEe6ZLajVfzKeGKvieFrfcf491GDYno3sQhF5w  
2uWRyZ3I1OjJk9uuFWj4ql2IwNs3nudefqR8OCEQk4oSZfnWBX4UWTMiuCncE1+g  
YobKkoWlGDGjpS36lT/GX+L9nfq46ERgZYPqQJjLb6xU+vJzGMo29LVGVDliF4VX  
5n7DZlVbnAWb+swXPp0sIIV/F5EPpdgbygisPSAVynCxF4eFqxQfiCOpkXkBdzKF  
27RSsJQJggfDaXiz11t8zkhWWJQU3pDyrRn79NfkyXc0IPNH4q2C0+vQZ4bHQLFD  
8NuoQqZ5Olqx9Z742z8+jXWpphP7nvEcEhItNFnZNE3EBqJ8T8Aum1NWC4vRSQIR  
8G/Ii9pd8dU7yTBGNbTSqyM8yTzMu4oEuvT309YVC4q3E2P51ZwUpgr7edPZRsXy  
+T8DgzVGgyB+iSVhxmmlUK0encc9O3JfVb0a8mCfM2DUSICJCTkXPYpZB5N4En57  
g8P/AF2u74Rq/y/SFwoJAZyE789wXDQOLTZJSQBmFbCSL+mLNe/8W8ZAl75TS2fE  
2YulahAVceLuy64TLXnOGNHmUiWFeoSY7Ad/NSQyjpCssPP7VcC5sJC94YgEsFey  
2/0mf72nviY4cT5K7D8f2cVnTR74Tc4ICVxbe2SMect/x8IRP/E=  
=eh2N  
-----END PGP SIGNATURE-----

Debian Security Advisory 5568-1

Debian Linux Security Advisory 5567-1 - Multiple buffer overflows and memory leak issues have been found in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- - -------------------------------------------------------------------------Debian Security Advisory DSA-5567-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuNovember 27, 2023                     https://www.debian.org/security/faq- - -------------------------------------------------------------------------Package        : tiffCVE ID         : CVE-2023-3576 CVE-2023-40745 CVE-2023-41175Debian Bug     :Brief introductionMultiple buffer overflows and memory leak issues have been found in tiff,the Tag Image File Format (TIFF) library and tools, which may cause denialof service when processing a crafted TIFF image.For the oldstable distribution (bullseye), these problems have been fixedin version 4.2.0-1+deb11u5.For the stable distribution (bookworm), these problems have been fixed inversion 4.5.0-6+deb12u1.We recommend that you upgrade your tiff packages.For the detailed security status of tiff please refer toits security tracker page at:https://security-tracker.debian.org/tracker/tiffFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmVkI0cACgkQO1LKKgqv2VT46QgAvtYySLyFvbEsmMlcHIFWXRtkqO2cxtsb7F0NDN8vl2yATpPN8ZWeEmFxES3DEpRJkAmZ9Of+87a06r4tdFAQlg/uqwMMO4WbdihUlzgnsRLXKUSUqHMFv3Wr9nvckp6OCwztPUb0G+bpAn+dJHqs6iF3q6ukwWcW0cprLQzigUMmxTnvWt4bc4eT1nfWRLWkwVObl488Lq94zawtB3NZoQaNvQDMHxVZ7VPsQvDSrKAT71/TnzFUpXJlUePBCKUmK1Q0a6akxBpoNAr6ujdrWcCPDMNl7+jBJE3AwoMPZptTlIsqKTYTT4qrtd80YDYxVScgc+t2GrO1PgzM12/Mqg==WLU7-----END PGP SIGNATURE-----

Debian Security Advisory 5567-1

Debian Linux Security Advisory 5566-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5566-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 26, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-6212 CVE-2023-6209 CVE-2023-6208 CVE-2023-6207  
                 CVE-2023-6206 CVE-2023-6205 CVE-2023-6204

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:115.5.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:115.5.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmViiyoACgkQEMKTtsN8  
TjaZUhAAmpG5pqXk0eb9Lq/+PjBe6TjmyaZ1NUbrqnaD7Nygcq3CakX7vrLtlfT0  
M8JUiqHBIpAKZr5E/bs62bZDrf3EGzWJdnHkPs/pI9mpqYMPHxKuuJdOxNSnx216  
R5DUTMe945XodklRslY6gUjuPGlYIpmGSQwMSDnwCgGGWbJ2aRwML3wS56dgv/gd  
Uu7tsD7TBa7BoSTdwB5/J2faaGfptCcTTv5mBk4I4+sdUVo0c1Bzuy5oCVrwUpoB  
PtGKH/lRYyUW9S24O4yN26Up4UYbK212gAiiYdcoXCGxCzcmOuxKjPp4e4qxlR6F  
DYndBKM0zRJF+bIaeGQPgEcU0iCwq8GNcYykDeezUPV3OwA10oHVZZyJjHHEPIlT  
5Q6fbwWlFRqnjfmktJHWwlkQNSi/jI7UiGnnrWKNDtiNyRkfhawHPBwRDhZPxk2c  
E9drKQix9kt9ONNNNnJ9cWyrHwLa59VgZQmJ/swFBXZaxpetobNivCa1t0lCpbor  
jEV2RCrWrd1+AEDiXJxOpU9owLCp4RcBHDnDD+rL+s+CAo341HRhLVj0mYBWQcH3  
VtdGUxoKOfqUNZ1pw7uNNixNh3pJT2elJGn3c029nbNYFAGwrmUDoBt3+EKvj387  
s8QcNcCJCbqdyFqs1v3nQDXHe4zzcTohEIkt16dOPWLpfWodqoY=o6QP  
-----END PGP SIGNATURE-----

Debian Security Advisory 5566-1

Debian Linux Security Advisory 5565-1 - Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5565-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 25, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0  
CVE ID         : CVE-2023-44429 CVE-2023-44446  
Debian Bug     : 1056101 1056102

Multiple vulnerabilities were discovered in plugins for the GStreamer  
media framework and its codecs and demuxers, which may result in denial  
of service or potentially the execution of arbitrary code if a malformed  
media file is opened.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1.18.4-3+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 1.22.0-4+deb12u3.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmViCHBfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sw8Q/+Kc9Lp3Zl/JqOl+KE+OQ1BpRmcEdbIjruR+TVuBRkVfasH4IG3nb82dQn  
26SeXbR5GA8o48knQDAlHMhurRUVNVbdXDLuOs2+SsGKFrVuv1KCQacqJIH/ybhr  
AZplbQPUVViJiQlEGy5j80eOfifnlHPvQZKtbqp1y/GvTIK56Pg4d7HNLjWeq7+G  
4sdxZeAPSqKdGTOh2fzzy6QIL7QX3FZgBl0fr48+0EdQLLqtQ0dQwSkpXibHZnf9  
PmT+/q3R1pk47n+u/OqPXHMN5+7fJZU6vWgkwfvYIUEVHHL6MlDuNLBVmA1gAn0X  
neRngzuduDoiiKBPSbPk4slcFUIlXpA979IcG/YhO9fdSDs+cPn0euZegzLOgb5v  
S+javZtGSkRVAwH1O2wNMF+mGvXDWxu1y+foKylQ/KYr2OQBOGymANsX/jw6pWCA  
V2bunxab0pPUO/o8m8aq6+XkRvht+KWBo884ze9KvZFRxOivYRP+uKxzc26dZzrU  
xyIGnVuW1Q+iZjWojNfNgpX/oG/c7Ch6TtBxZQQqAdddAlQQQi1rieNTUq391dT1  
TQkyLynaeVmpdKMEtapYwcg+WZfD4cl6F+HhKD3zjIvZRr3EOXloIUY04Xh+/VKO  
6nnKs+TOyyLXjrEUPEE51qQ22ni9kT0ZppbvHrsDwAsCAER7yxM=Yk/C  
-----END PGP SIGNATURE-----

Tag

#debian