WordPress Bravo Translate plugin versions 1.2 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP Plugins Bravo Translate <= 1.2 - SQL Injection# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/bravo-translate/# Version: 1.2# Tested on: Windows, Linux# CVE: CVE-2023-49161# Product DescriptionThis plugin allow you to translate your monolingual website in a super easy manner. You do not have to bother about .pot .po or .mo files. It safes you a lot of time cause you can effectively transalte thouse texts in a foreign language with just a few clicks gaining productivity. Bravo translate keeps your translations in your database. You dont have to worry about themes or plugins updates because your translations will not vannish.# Vulnerability overview:The WordPress Plugins Bravo Translate <= 1.2 is vulnerable to Blind SQL Injection via the textTo parameter on /wp-json/bravo-translate/BRAVOTRAN_create endpoint. This vulnerability could lead to unauthorized data access and modification.# Proof of Concept:Affected Endpoint: /wp-json/bravo-translate/BRAVOTRAN_create?textTo=a&yourTranslation=bAffected Parameter: textTopayload: test',(select%20sleep(5)))%23# RecommendationN/A

WordPress Bravo Translate 1.2 SQL Injection

Red Hat Security Advisory 2023-7711-03 - An update for apr is now available for Red Hat Enterprise Linux 9. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7711.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: apr security updateAdvisory ID:        RHSA-2023:7711-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7711Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2022-24963====================================================================Summary: An update for apr is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.Security Fix(es):* apr: integer overflow/wraparound in apr_encode (CVE-2022-24963)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-24963References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2169465

Red Hat Security Advisory 2023-7711-03

Red Hat Security Advisory 2023-7710-03 - An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.12. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7710.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift for Windows Containers 7.2.0 security updateAdvisory ID:        RHSA-2023:7710-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7710Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-5528====================================================================Summary: An update for windows-machine-config-operator-bundle-container and windows-machine-config-operator-container is now available for Red Hat OpenShift Container Platform 4.12.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server nodes.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes (CVE-2023-5528)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-5528References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2243296https://bugzilla.redhat.com/show_bug.cgi?id=2247163https://issues.redhat.com/browse/OCPBUGS-13790https://issues.redhat.com/browse/OCPBUGS-17639https://issues.redhat.com/browse/OCPBUGS-17825https://issues.redhat.com/browse/OCPBUGS-20139https://issues.redhat.com/browse/OCPBUGS-20140https://issues.redhat.com/browse/OCPBUGS-20168https://issues.redhat.com/browse/WINC-1023https://issues.redhat.com/browse/WINC-1033https://issues.redhat.com/browse/WINC-1057https://issues.redhat.com/browse/WINC-1097https://issues.redhat.com/browse/WINC-1108https://issues.redhat.com/browse/WINC-635https://issues.redhat.com/browse/WINC-805https://issues.redhat.com/browse/WINC-948https://issues.redhat.com/browse/WINC-950

Red Hat Security Advisory 2023-7710-03

Red Hat Security Advisory 2023-7709-03 - The components for Red Hat OpenShift for Windows Containers 8.1.1 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a privilege escalation vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7709.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift for Windows Containers 8.1.1 security updateAdvisory ID:        RHSA-2023:7709-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7709Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2023-5528====================================================================Summary: The components for Red Hat OpenShift for Windows Containers 8.1.1 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.Security Fix(es):* kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes (CVE-2023-5528)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.htmlCVEs:CVE-2023-5528References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247163https://issues.redhat.com/browse/OCPBUGS-20259https://issues.redhat.com/browse/OCPBUGS-21768https://issues.redhat.com/browse/OCPBUGS-22748https://issues.redhat.com/browse/WINC-1153

Red Hat Security Advisory 2023-7709-03

A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Affected Resources

OPEN JOURNAL SYSTEMS, version 3.3.0.13.

Description

INCIBE has coordinated the publication of a vulnerability affecting OJS (OPEN JOURNAL SYSTEMS), an open source solution for the management and publication of online academic journals, in its version 3.3.0.13, which has been discovered by David Cámara Galindo, from Telefónica Tech.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

*   CVE-2023-6671: CVSS v3.1: 6.3 | CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-352.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-6671**: a vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

CVE-2023-6671: Cross-Site Request Forgery on OPEN JOURNAL SYSTEMS

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" input.

**jq**

jq is a lightweight and flexible command-line JSON processor akin to sed,awk,grep, and friends for JSON data. It's written in portable C and has zero runtime dependencies, allowing you to easily slice, filter, map, and transform structured data.

**Documentation**

*   **Official Documentation**: jqlang.github.io/jq
*   **Try jq Online**: jqplay.org

**Installation****Prebuilt Binaries**

Download the latest releases from the GitHub release page.

**Docker Image**

Pull the jq image to start quickly with Docker.

**Building from source****Dependencies**

*   libtool
*   make
*   automake
*   autoconf

**Instructions**

git submodule update --init # if building from git to get oniguruma
autoreconf -i               # if building from git
./configure --with-oniguruma=builtin
make -j8
make check
sudo make install

Build a statically linked version:

If you're not using the latest git version but instead building a released tarball (available on the release page), skip the autoreconf step, and flex or bison won't be needed.

**Cross-Compilation**

For details on cross-compilation, check out the GitHub Actions file and the cross-compilation wiki page.

**Community & Support**

*   Questions & Help: Stack Overflow (jq tag)
*   Chat & Community: Join us on Discord
*   Wiki & Advanced Topics: Explore the Wiki

**License**

jq is released under the MIT License.

CVE-2023-49355: GitHub - jqlang/jq at 88f01a741c8d63c4d1b5bc3ef61520c6eb93edaa

Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been collectively downloaded over 12 million times.
"Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and

Data Security / Mobile Security

Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been collectively downloaded over 12 million times.

"Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them, and in the end gain their funds," ESET said.

The Slovak cybersecurity company is tracking these apps under the name **SpyLoan**, noting they are designed to target potential borrowers located in Southeast Asia, Africa, and Latin America.

The list of apps, which have now been taken down by Google, is below -

*   AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
*   Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
*   Oro Préstamo - Efectivo rápido (com.app.lo.go)
*   Cashwow (com.cashwow.cow.eg)
*   CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
*   ยืมด้วยความมั่นใจ - ยืมด่วน (com.flashloan.wsft)
*   PréstamosCrédito - GuayabaCash (com.guayaba.cash.okredito.mx.tala)
*   Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
*   Go Crédito - de confianza (com.mlo.xango)
*   Instantáneo Préstamo (com.mmp.optima)
*   Cartera grande (com.mxolp.postloan)
*   Rápido Crédito (com.okey.prestamo)
*   Finupp Lending (com.shuiyiwenhua.gl)
*   4S Cash (com.swefjjghs.weejteop)
*   TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
*   EasyCash (king.credit.ng)
*   สินเชื่อปลอดภัย - สะดวก (com.sc.safe.credit)

SMS messages and social media channels such as Twitter, Facebook, and YouTube act as the prominent infection pathways, although the apps are also available for download from scam websites and third-party app stores.

"None of these services provide an option to request a loan using a website, since through a browser the extortionists can't access all sensitive user data that is stored on a smartphone and is needed for blackmailing," ESET security researcher Lukáš Štefanko said.

The apps are part of a broader scheme that dates back to 2020, and adds to a tranche of over 300 apps for Android and iOS that Kaspersky, Lookout, and Zimperium uncovered last year and which exploited "victims' desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages."

Besides harvesting the information from compromised devices, the operators of SpyLoan have also been observed resorting to blackmail and harassment tactics to pressure victims into making payments by threatening to release their photos and videos on social media platforms.

In one message identified by The Hacker News and posted on the Google Play Help Community earlier this February, a user from Nigeria called out EasyCash for "fraudulently giving loans to their victims with high and exorbitant interest rates and forcefully make them pay using threats about blackmails, defamation, and character assassination when obviously they have the debtor's address and full government name including their bank identification number (BVN), but they still go ahead to embarrass people putting them under unnecessary pressure and panic."

Furthermore, the apps use misleading privacy policies to explain why they need permissions to users' media files, camera, calendar, contacts, call logs, and SMS messages. Some of the apps also included a link to bogus websites, replete with stolen office environment photos and stock images, in an effort to give their operations a veil of legitimacy.

To mitigate the risks posed by such spyware threats, it's advised to stick to official sources for downloading apps, validate the authenticity of such offerings, as well as pay close attention to reviews and permissions prior to installation.

SpyLoan serves as an "important reminder of the risks borrowers face when seeking financial services online," Štefanko said. "These malicious applications exploit the trust users place in legitimate loan providers, using sophisticated techniques to deceive and steal a very wide range of personal information."

The development also follows the resurgence of an Android banking trojan dubbed TrickMo that masquerades as a free moving streaming app and comes fitted with upgraded capabilities, such as stealing screen content, downloading runtime modules, and overlay injection to extract credentials from targeted applications, in addition to utilizing JsonPacker to conceal its malicious code.

"The malware's transition to overlay attacks, its use of JsonPacker for code obfuscation, and its consistent behavior with the command and control server highlight the threat actor's dedication to refining their strategies," Cyble said in an analysis last week.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

**v5.0.0-beta.3**

**5.0.0-beta.3 (2023-10-29)****Bug Fixes**

*   add doctrine/dbal (#6817) (67a3acf)
*   correct ordering of contacts based on preferred displaying of names (#6962) (a46e92b)
*   default template cant be deleted (#6911) (eef206d)
*   fix Dockerfile (#6966) (452f59f)
*   fix locale in DatePicker (#6958) (e6157e7)
*   fix quick facts not being able to be saved (#6912) (b6b78e5)
*   fix sync\_tokens id table change (#6801) (60bdd08)
*   fix syntax error (#6957) (1b351e4)
*   fix uploadcare (#6942) (e9c4f9d)

**Features**

*   add logs for addressbook subscriptions (#6841) (094916d)
*   add monica:getversion command (#6965) (cd1b699)
*   add more vcard exports (#6878) (457081c)
*   add webauthn cookie when registering a new key (#6952) (142de32)
*   download one contact as vcard (#6747) (dd27398)
*   implement DAV client subscriptions (#6751) (2286e79)
*   implement Dav for groups (#6799) (b9783c6)
*   update langs and monica:localize command. Add 3 new languages. (#6917) (2fe7abc)

**v5.0.0-beta.2**

**5.0.0-beta.2 (2023-07-08)****Features**

*   add instance administrator (#6670) (ab3f380)
*   improve telegram setup workflow (#6734) (9ee07fb)

**Bug Fixes**

*   fix AddPostToSliceOfLife (#6681) (7c45d0d)
*   fix address image show (#6672) (ec3a44d)
*   fix addresses report list (#6725) (9c86677)
*   fix basic auth with token (#6673) (fab6c32)
*   fix call reasons (#6686) (ba06e85)
*   fix contact selector (#6680) (05c1333)
*   fix empty useForm() (#6671) (06851c9)
*   fix help links (#6727) (63574d1)
*   fix important date form (#6722) (46f4713)
*   fix ModuleFamilySummaryViewHelper (#6682) (7e77bea)
*   fix sentry integration and some slight errors (#6651) (d94c4ec)
*   fix setting a locale (#6721) (ddcb6e2)
*   fix some vue errors (#6685) (00548f8)
*   fix useForm (#6724) (d356688)
*   fix vue errors (#6707) (c69297f)
*   fix vue refs targets (#6675) (133e426)
*   fix vue refs targets (again) (#6676) (7b8997c)

**v5.0.0-beta.1**

**5.0.0-beta.1 (2023-06-10)**

First pre-release of chandler.  
See https://www.monicahq.com/blog/chandler-is-in-beta

**Bug Fixes**

*   bug fix on loan (monicahq/chandler#85) (bfe5ebe)
*   fix sortByCollator collection macro return keys (monicahq/chandler#556) (c3605ba)
*   fix address pivot (monicahq/chandler#419) (59924a2)
*   fix app\_version warnings (monicahq/chandler#411) (b9e32e9)
*   fix avatar not showing on reminder list (monicahq/chandler#229) (3d9cc3b)
*   fix avatar not uploaded in tabs (5c98f0c)
*   fix avatars here and there (monicahq/chandler#180) (438782f)
*   fix batch of reminders (monicahq/chandler#402) (a23da58)
*   fix batch of scheduled reminders (monicahq/chandler#401) (6a0d603)
*   fix cities blank state (monicahq/chandler#473) (9d2d103)
*   fix contact being clickable when choosing a contact (monicahq/chandler#398) (79f8b9c), closes monicahq/chandler#395
*   fix contact information without a protocol (monicahq/chandler#347) (e53b7ac)
*   fix contacts not being displayed (monicahq/chandler#470) (f7e8101)
*   fix cron again (monicahq/chandler#403) (50c98da)
*   fix dates not being saved (monicahq/chandler#76) (5df1726)
*   fix destroy file (monicahq/chandler#488) (5234096)
*   fix documentation links (monicahq/chandler#264) (2850688)
*   fix due tasks not being displayed on dashboard (monicahq/chandler#351) (ac1a724)
*   fix edit reminder (monicahq/chandler#152) (0759d58)
*   fix emojis on windows (monicahq/chandler#483) (b8b5950)
*   fix empty div showing when no tasks on dashboard (monicahq/chandler#379) (4752f68)
*   fix errors handle (monicahq/chandler#487) (8e2d5f8)
*   fix family summary (monicahq/chandler#265) (478d574)
*   fix favicon url (monicahq/chandler#247) (7230c5d)
*   fix flash emit (monicahq/chandler#389) (03f332c)
*   fix french translation (monicahq/chandler#524) (a7e2302)
*   fix generating api doc (monicahq/chandler#360) (2e11c10)
*   fix i18n for contact selector (monicahq/chandler#489) (2324f87)
*   fix i18n plural forms (monicahq/chandler#486) (721abb9)
*   fix important date type cant be null (monicahq/chandler#397) (6e9362f), closes monicahq/chandler#377
*   fix inconsistency in wording (monicahq/chandler#485) (24786cd)
*   fix life event modal not reset upon save (monicahq/chandler#510) (c791202)
*   fix meilisearch indexes import (monicahq/chandler#378) (55b4bbb)
*   fix memcache fortrabbit integration (monicahq/chandler#372) (8bcd595)
*   fix mixin added for testing (monicahq/chandler#355) (bc6b273)
*   fix months discrimination (monicahq/chandler#560) (1c8e84e)
*   fix notifications looping when processing the batch (monicahq/chandler#392) (dd6d45f), closes monicahq/chandler#390 monicahq/chandler#391
*   fix password saving at registration (monicahq/chandler#306) (88e5502)
*   fix reminders (monicahq/chandler#154) (9227a1a)
*   fix reminders one more time (monicahq/chandler#405) (bf4a138)
*   fix scout config for groups (monicahq/chandler#374) (070503e)
*   fix scribe generate (monicahq/chandler#310) (df63469)
*   fix scribe generate on docker image (monicahq/chandler#309) (74ccb06)
*   fix search with scout database (monicahq/chandler#223) (62978fa)
*   fix setup and dummy in case meilisearch not activated (monicahq/chandler#185) (6a85bca)
*   fix signup form not working (monicahq/chandler#221) (d291bbe)
*   fix socialite integration (monicahq/chandler#554) (2fddbe1)
*   fix suffix label (\[monicahq/chandler#394\](https://github.com/...

**v4.0.0**

**4.0.0 (2023-01-30)****⚠ BREAKING CHANGES**

*   switch to php 8.1+ dependency (#6250)
*   drop php 7.4 support (#6246)

**Features**

*   add DB\_TESTING\_PORT in database config (#6201) (fefa799)
*   add disallow in robots.txt (#6268) (be2e280)
*   add name to user resource (#6174) (8465803)
*   check male translation and fall back to generic (#6039) (4ba9062)
*   drop php 7.4 support (#6246) (84d0232)
*   focus tags input box (#6392) (2d75053)
*   load more activities (#5973) (117fe19)
*   switch to php 8.1+ dependency (#6250) (6a7f49f)

**Bug Fixes**

*   allow configuring port for test database (#6236) (aeffb71), closes #6200
*   allow empty completed\_at task date (#6025) (d4504e3)
*   change APP\_TRUST\_PROXIES to APP\_TRUSTED\_PROXIES (#6095) (5f63bed)
*   Continuously pressing enter shows empty tags (#6314) (2386096), closes #6235
*   fix avatar not being loaded on dashboard (#6224) (7c8105c)
*   fix blurry modals from sweet-modal-vue (#6026) (4cc1d8f)
*   fix Journal sidebar width on mobile (#6027) (d690bf6)
*   fix laravel cloudflare proxy (#6264) (d0b50fe)
*   life event creation with unknown month/day (#6046) (d81123b)
*   only include real contacts in carddav sync (#6014) (626f078)
*   **php8.1:** deprecated trim with null value (#6374) (b4c1c03)
*   skip version check if current version is empty (#6137) (4e1e4ee)
*   typo in french translation of nephew (#6074) (ad11e01)
*   vcard bday export format with unknown year (#6087) (f0db671)

**v3.7.0**

**v3.6.1**

**v3.6.0**

**3.6.0 (2022-01-11)****Features**

*   activate Norwegian and Russian languages (#5856) (8bdccbb)
*   add contact soft delete and prunable (#5826) (6f887df)
*   add reminders/upcoming API (#5783) (a3e9b79)
*   export data as json format (#4779) (8c627a2)
*   implement laravel password strength (#5821) (8295be3)
*   improve reliability of pingversion (#5723) (0c791f6)
*   order introductions contact list by first and last name (#5102) (6ff0738)
*   quick add with email (#5182) (80001fc)
*   re-activate adorable avatars with permanent solution (#5872) (ccf6d4f)
*   sync carddav delete contact requests (#5835) (30d97f9)

**Bug Fixes**

*   add link to reminders endpoint at api root (#5801) (337367a)
*   fix Date display with timezone (#5825) (d73e3c4)
*   version display on heroku (#5860) (0cf965f)

**v3.5.0**

**v3.4.0**

**3.4.0 (2021-10-31)****Features**

*   add dependencies node and yarn in Dockerfile (#5635) (48726b5)
*   added URLs to be exported in vCards. (#5609) (38429a2)
*   get weather from weatherapi (#5668) (d19b6ad)
*   retry get gps coordinate when rate limited second (#5615) (8eed44e)
*   searchable contacts on introductions form (#5632) (cc05552)
*   update last called attribute (#5614) (83e1d68)

**Bug Fixes**

*   fix carddav addressbook add (#5660) (ac44cfb)
*   fix creating default gender (#5607) (6c5ac48)
*   fix distant contact etag handle (#5605) (1da427f)
*   fix duplicate reminders on dashboard (#5569) (bb97115)
*   fix edit an activity with a category (#5661) (9128db8)
*   fix gift api without passport (#5664) (7939a5f)
*   fix import table layout (#5662) (cd138c8)
*   fix vcard company import (#5616) (0dd4b23)

**v3.3.1**

CVE-2023-50465: Releases · monicahq/monica

In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023.

CVE-2023-50428: Common Vulnerabilities and Exposures - Bitcoin Wiki

The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites.

Tag

#js