Security
Headlines
HeadlinesLatestCVEs

Tag

#rce

GHSA-mw2w-2hj2-fg8q: yiisoft/yii deserializing untrusted user input can lead to remote code execution

### Impact Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. ### Patches Upgrade `yiisoft/yii` to version 1.1.29 or higher. ### For more information See the following links for more details: - [Git commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06) - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).

ghsa
Open in Source
#vulnerability#git#php#rce
CVE-2023-48217: Remote code execution via form uploads

Statamic is a flat-first, Laravel + Git powered CMS designed for building websites. In affected versions certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. Malicious users could leverage this vulnerability to upload and execute code. This issue has been patched in versions 3.4.14 and 4.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-36437

Azure DevOps Server Remote Code Execution Vulnerability

CVE-2023-47130: Prevent RCE when deserializing untrusted user input

Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.

GHSA-rw82-mhmx-grmj: Guest Entries Remote code execution via file uploads

### Impact When using the file uploads feature, it was possible to upload PHP files. ### Patches The vulnerability is fixed in v3.1.2.

CacheWarp Attack: New Vulnerability in AMD SEV Exposes Encrypted VMs

A group of academics has disclosed a new "software fault attack" on AMD's Secure Encrypted Virtualization (SEV) technology that could be potentially exploited by threat actors to infiltrate encrypted virtual machines (VMs) and even perform privilege escalation. The attack has been codenamed CacheWarp (CVE-2023-20592) by researchers from the CISPA Helmholtz Center for Information Security. It

CVE-2023-36396

Windows Compressed Folder Remote Code Execution Vulnerability

CVE-2023-36041

Microsoft Excel Remote Code Execution Vulnerability

CVE-2023-36425

Windows Distributed File System (DFS) Remote Code Execution Vulnerability

CVE-2023-36402

Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability