Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Crit.IX: Flaws in Honeywell Experion DCS, Posing Risk to Critical Industries

By Deeba Ahmed There is no evidence of exploitation of these vulnerabilities as yet. This is a post from HackRead.com Read the original post: Crit.IX: Flaws in Honeywell Experion DCS, Posing Risk to Critical Industries

HackRead
Open in Source
#vulnerability#mac#git#rce#buffer_overflow#auth
CVE-2023-37463: Quadratic complexity bugs may lead to a denial of service

cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. These vulnerabilities have been patched in 0.29.0.gfm.12.

GHSA-f28g-86hc-823q: Tokenizer vulnerable to client brute-force of token secrets

### Impact Authorized clients, having an `inject_processor` secret, could brute-force the secret token value by abusing the `fmt` parameter to the `Proxy-Tokenizer` header. ### Patches This was fixed in https://github.com/superfly/tokenizer/pull/8 and further mitigated in https://github.com/superfly/tokenizer/pull/9.

CVE-2023-34458: Relayed transactions always increment nonce

mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue while validating blocks on a chain. This vulnerability has been patched in version 1.4.17.

CVE-2022-42045: GitHub - ReCryptLLC/CVE-2022-42045

Certain Zemana products are vulnerable to Arbitrary code injection. This affects Watchdog Anti-Malware 4.1.422 and Zemana AntiMalware 3.2.28.

GHSA-667r-p4gg-7m2q: ImpressCMS Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `smile_code` parameter of the component `/editprofile.php`.

CVE-2023-30559: BD Alaris™ System with Guardrails™ Suite MX

The firmware update package for the wireless card is not properly signed and can be modified.

QR codes are relevant again for everyone from diners to threat actors

QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video.

CVE-2023-37786: GitHub - CrownZTX/reflectedxss1: Reflected XSS Vulnerabilitiy in public_html/admin/configuration.php of Geeklog v2.2.2

Multiple cross-site scripting (XSS) vulnerabilities in Geeklog v2.2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Mail Settings[backend], Mail Settings[host], Mail Settings[port] and Mail Settings[auth] parameters of the /admin/configuration.php.

CVE-2023-37787: GitHub - CrownZTX/storedXSS: Geeklog v2.2.2 is vulnerable to Stored Cross-Site Scripting (XSS) in public_html/admin/router.php

Multiple cross-site scripting (XSS) vulnerabilities in Geeklog v2.2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Rule and Route parameters of /admin/router.php.