#perl

Ubuntu Security Notice 6988-1 - It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay and manipulate responses. This issue only affected Ubuntu 24.04 LTS. It was discovered that Twisted did not properly sanitize certain input. An attacker could use this vulnerability to possibly execute an HTML injection leading to a cross-site scripting attack.

**Name**: ASA-2024-009: State syncing validator from malicious node may lead to a chain split **Component**: CometBFT **Criticality**: Medium ([ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L: Possible) **Affected versions**: >= 0.34.0, <= 0.34.33, >=0.37.0, <= 0.37.10, >= 0.38.0, <= 0.38.11 ### Summary The state sync protocol retrieves a snapshot of the application and installs it in a fresh node. In order for this node to be ready to run consensus and block sync from the installed snapshot height, we also need to install a valid `State` in the node, which is the starting state from which it is able to validate new blocks and append them to the blockchain. The `State` object used by state sync is computed using the light client protocol, which retrieves information about committed blocks from at least two RPC endpoints. The light client protocol performs several state validations and, in particular, compares the state p...

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

Ubuntu Security Notice 6982-1 - It was discovered that Dovecot did not not properly have restrictions on the size of address headers. A remote attacker could possibly use this issue to cause denial of service.

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

This Metasploit module exploits a directory traversal flaw found in A10 Networks (Soft) AX Loadbalancer version 2.6.1-GR1-P5/2.7.0 or less. When handling a file download request, the xml/downloads class fails to properly check the filename parameter, which can be abused to read any file outside the virtual directory. Important files include SSL certificates. This Metasploit module works on both the hardware devices and the Virtual Machine appliances. IMPORTANT NOTE: This Metasploit module will also delete the file on the device after downloading it. Because of this, the CONFIRM_DELETE option must be set to true either manually or by script.

This Metasploit module exploits a directory traversal vulnerability found in S40 CMS. The flaw is due to the page function not properly handling the $pid parameter, which allows a malicious user to load an arbitrary file path.

This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by the servlet. Also note that for Windows targets you can only download files that are in the same drive as the WebNMS installation. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.

This exploits a command execution in Pi-Hole Web Interface less than or equal to 5.5. The Settings > API/Web inetrace page contains the field Top Domains/Top Advertisers which is validated by a regex which does not properly filter system commands, which can then be executed by calling the gravity functionality. However, the regex only allows a-z, 0-9, _.