#vulnerability

### Impact The "download image from remote URL" feature can be abused by a malicious actor to potentially extract information about server side resources. Submitting a crafted URL (in place of a valid image) can raise a server side error, which is reported back to the user. This error message may contain sensitive information about the server side request, including information about the availability of the remote resource. ### Patches The solution to this vulnerability is to prevent the server from returning any specific information about the observed exception. Instead, a generic error message is returned to the client. This patch has been applied to the upcoming 0.17.0 release, and also back-ported to the 0.16.5 stable release. ### Workarounds To avoid this issue with unpatched versions, the "download image from remote URL" feature can be disabled in InvenTree, preventing users from accessing this information. ### References Thanks to @febin0x10 for identifying this vulne...

This article explores the Linux vulnerability discovered by Simone Margaritelli, which, according to cybersecurity companies Uptycs and Akamai,…

Proof of concept remote command execution exploit for CUPS that leverages the vulnerability outlined in CVE-2024-47176.

Ubuntu Security Notice 7051-1 - Fabian Bäumer, Marcus Brinkmann, Joerg Schwenk discovered that the SSH protocol was vulnerable to a prefix truncation attack. If a remote attacker was able to intercept SSH communications, extension negotiation messages could be truncated, possibly leading to certain algorithms and features being downgraded. This issue is known as the Terrapin attack. This update adds protocol extensions to mitigate this issue.

SeedDMS version 6.0.28 suffers from a persistent cross site scripting vulnerability.

Ubuntu Security Notice 7047-1 - Vladimír Čunát discovered that Knot Resolver incorrectly handled input during DNSSEC validation. A remote attacker could possibly use this issue to bypass certain validations. Vladimír Čunát discovered that Knot Resolver incorrectly handled input during DNSSEC validation. A remote attacker could possibly use this issue to downgrade DNSSEC-secure domains to a DNSSEC-insecure state, resulting in a domain hijacking attack.

Ubuntu Security Notice 7050-1 - Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor incorrectly handled one-time password validation. An attacker could possibly use this issue to intercept and re-use a one-time password. Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled generating multi-factor authentication codes. An attacker could possibly use this issue to generate valid multi-factor authentication codes.

Microsoft Office 2019 MSO build 1808 (16.0.10411.20011) and Microsoft 365 MSO version 2403 build 16.0.17425.20176 suffer from an NTLMv2 hash disclosure vulnerability.

Organizations looking to maximize their security posture will find AI a valuable complement to existing people, systems, and processes.

Ubuntu Security Notice 7043-2 - USN-7043-1 fixed a vulnerability in cups-filters. This update provides the corresponding update for Ubuntu 18.04 LTS. Simone Margaritelli discovered that the cups-filters cups-browsed component could be used to create arbitrary printers from outside the local network. In combination with issues in other printing components, a remote attacker could possibly use this issue to connect to a system, created manipulated PPD files, and execute arbitrary code when a printer is used. This update disables support for the legacy CUPS printer discovery protocol.