#perl

The WP Popups WordPress plugin before 2.1.5.1 does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficient fix of CVE-2023-24003

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.

Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated users via a crafted POST request.

SQL injection in Log4cxx when using the ODBC appender to send log messages to a database.  No fields sent to the database were properly escaped for SQL injection.  This has been the case since at least version 0.9.0(released 2003-08-06) Note that Log4cxx is a C++ framework, so only C++ applications are affected. Before version 1.1.0, the ODBC appender was automatically part of Log4cxx if the library was found when compiling the library.  As of version 1.1.0, this must be both explicitly enabled in order to be compiled in. Three preconditions must be met for this vulnerability to be possible: 1. Log4cxx compiled with ODBC support(before version 1.1.0, this was auto-detected at compile time) 2. ODBCAppender enabled for logging messages to, generally done via a config file 3. User input is logged at some point. If your application does not have user input, it is unlikely to be affected. Users are recommended to upgrade to version 1.1.0 which properly binds the parameters ...

A buffer overflow in the component /proc/ftxxxx-debug of FiiO M6 Build Number v1.0.4 allows attackers to escalate privileges to root.

Ubuntu Security Notice 6058-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges.

Ubuntu Security Notice 6057-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the OverlayFS implementation in the Linux kernel did not properly handle copy up operation in some conditions. A local attacker could possibly use this to gain elevated privileges.

Third-party apps such as Google Analytics, Meta Pixel, HotJar, and JQuery have become critical tools for businesses to optimize their website performance and services for a global audience. However, as their importance has grown, so has the threat of cyber incidents involving unmanaged third-party apps and open-source tools. Online businesses increasingly struggle to maintain complete visibility

### Impact Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard `%ComSpec%` mechanism, with a fallback to a `%PATH%`-based search for `cmd.exe`. While this is the standard practice on Windows systems, it presents somewhat risky behavior. Firstly, `%ComSpec%` could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because `%ComSpec%` is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value. Secondly, a fallback to a relative `cmd.exe` path, resolved via `%PATH%`, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious `cmd.exe` could been resolved in the current working directory. To mitigate this issue, Mutagen now uses the `%SystemRoot%` environment variable (also validated to be an absolut...

An arbitrary file upload vulnerability in Open Networking Foundation ONOS from version 1.9.0 until 2.7.0 allows attackers to execute arbitrary code via uploading a crafted YAML file.