Tag
#java
## Summary DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0. **Impacted versions: 0.1.0 through 0.27.0** ## Patches Patched Deep Learning Containers: [v1.1-djl-0.27.0-inf-cpu-full](https://github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full) [v1.4-djl-0.27.0-inf-ds-0.12.6](https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6) [v1.4-djl-0.27.0-inf-trt-0.8.0](https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0) [v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1](https://github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1) Patched Library: [v0.28.0](https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0)
Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German
In a previous Red Hat article, VP of Red Hat Product Security, Vincent Danen, discussed the question "Do all vulnerabilities really matter?" He emphasized that "a software vulnerability has the potential to be exploited by miscreants to harm its user." The key word here is "potential". If the potential for exploitation is high, or if an exploit for a vulnerability is already in use in the wild, then these vulnerabilities pose a greater risk and must be prioritized and addressed promptly.Red Hat uses CISA as a source for known exploited vulnerabilitiesThe Cybersecurity and Infrastructure Secur
Ubuntu Security Notice 6834-1 - It was discovered that H2 was vulnerable to deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code. It was discovered that H2 incorrectly handled some specially crafted connection URLs. An attacker could possibly use this issue to execute arbitrary code.
Premium Support Tickets For WHMCS version 1.2.10 suffers from a cross site scripting vulnerability.
Lost and Found Information System version 1.0 suffers from a reflective cross site scripting vulnerability.
Lost and Found Information System version 1.0 suffers from a persistent cross site scripting vulnerability.
Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.”
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the unability to reset/login with email for the user. This is caused by usernames being evaluated before emails.
### Impact A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms. ### Patches ```diff diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js index 79411e928e1..25eaa721c54 100644 --- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js +++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js @@ -155,12 +155,16 @@ * but it's not yet supported in Safari. */ connectedCallback() { - let inputs = ''...