#vulnerability

### Impact The version control feature used in resources is subject to potential cross-site scripting (XSS) attack through a malformed URL. ### Workarounds Not available ### References OWASP ASVS v4.0.3-5.1.3 ### Credits This issue was discovered in a security audit organized by [Open Source Politics](https://opensourcepolitics.eu/) against Decidim done during July 2025.

Amid the noise of new solutions and buzzwords, understanding the balance between securing infrastructure and implementing runtime security is key to crafting an effective cloud strategy.

Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget.

The Nitro PDF Pro application uses a .msi installer file (embedded into an executable .exe installer file) for installation. The MSI installer uses custom actions in repair mode in an unsafe way. Attackers with low-privileged system access to a Windows system where Nitro PDF Pro is installed, can exploit the cached MSI installer's custom actions to effectively escalate privileges and get a command prompt running in context of NT AUTHORITY\SYSTEM. Versions prior to 14.26.1.0 and 13.70.8.82 and affected.

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Ubuntu Security Notice 7048-1 - Suyue Guo discovered that Vim incorrectly handled memory when flushing the typeahead buffer, leading to heap-buffer-overflow. An attacker could possibly use this issue to cause a denial of service.

Ubuntu Security Notice 7015-3 - USN-7015-1 fixed several vulnerabilities in Python. This update provides the corresponding updates for CVE-2023-27043 for python2.7 in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS, and for python3.5 in Ubuntu 16.04 LTS. It was discovered that the Python email module incorrectly parsed email addresses that contain special characters. A remote attacker could possibly use this issue to bypass certain protection mechanisms. It was discovered that Python allowed excessive backtracking while parsing certain tarfile headers. A remote attacker could possibly use this issue to cause Python to consume resources, leading to a denial of service. It was discovered that the Python email module incorrectly quoted newlines for email headers. A remote attacker could possibly use this issue to perform header injection. It was discovered that the Python http.cookies module incorrectly handled parsing cookies that contained backslashes for quot...

Ubuntu Security Notice 7046-1 - It was discovered that Flatpak incorrectly handled certain persisted directories. An attacker could possibly use this issue to read and write files in locations it would not normally have access to. A patch was also needed to Bubblewrap in order to avoid race conditions caused by this fix.

Red Hat Security Advisory 2024-7443-03 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes. The updated image includes security and bug fixes.

Red Hat Security Advisory 2024-7442-03 - A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Issues addressed include an information leakage vulnerability.