#ssl

Red Hat OpenShift Service Mesh 2.2.9 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-27487: A flaw was found in envoy. The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. The faked header could then be used for trace logs and grpc logs, used in the URL for jwt_authn checks if the jwt_authn filter is used, and any other upstr...

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

Buffer Overflow vulnerability in XNView version 2.49.3, allows local attackers to execute arbitrary code via crafted TIFF file.

Buffer Overflow vulnerability in XNView before 2.50, allows local attackers to execute arbitrary code via crafted GEM bitmap file.

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Request-Baskets version 1.2.1 suffers from a server-side request forgery vulnerability.

Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116. "Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday. Kyber was chosen by the U.S. Department of Commerce's

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.

1. EXECUTIVE SUMMARY ​CVSS v3 5.9 ​ATTENTION: Exploitable remotely ​Vendor: Siemens ​Equipment: SIMATIC, SIPLUS ​Vulnerability: Inadequate Encryption Strength 2. RISK EVALUATION ​Successful exploitation of this vulnerability could allow an attacker to recover the product’s connection secret. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ​The following products from Siemens are affected:  ​SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): versions prior to V2.2 ​SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): versions prior to V2.2 ​SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions V3.0.1 to V3.0.3 ​SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions prior to V2.9.7 ​SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions V3.0.1 to V3.0.3 ​SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions prior to V2.9.7 ​SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): versions prior to V3.2.19 ​SIMATIC ET 200pro IM154-8F PN/DP CPU (...