#vulnerability

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild. The flaws are listed below - CVE-2023-6548 (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw. The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash. "By reading out-of-bounds memory, an attacker might be able to get secret values,

# CL Signatures Issuer Key Correctness Proof lacks of prime strength checking A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. A sufficient private key is one in which it's components `p` and `q` are safe primes, such that: - `p` and `q` are both prime numbers - `p` and `q` are not equal - `p` and `q` have the same, sufficiently large, size - For example, using two values both 1024 bits long is sufficient, whereas using one value 2040 bits long and the other 8 bits long is not. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implementation (derived from the Ursa or AnonCreds CL-Signatures implementations) that uses weakened private keys su...

### Impact This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to our search client not correctly escaping all user content from search results. You can find more information in the [advisory published in our readthedocs.org repo](https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-qhqx-5j25-rv48). Users of this extension should update to the 0.3.2 version, and trigger a new build. This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild. ### Patches This issue has been patched in our 0.3.2 version. ### References - https://github.com/readthedocs/readthedocs-sphinx-search/commit/8c6f6d01e88e72ef32ed0c220b6c19d1e1121c73 ### For more information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]) ([PGP](ht...

By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks

Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

### Summary A **stored cross-site scripting (XSS)** vulnerability was found in the **key_value** field of Avo v3.2.3. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. ### Details The value of the key_value is inserted directly into the HTML code. In the current version of Avo (possibly also older versions), the value is not properly sanitized before it is inserted into the HTML code. This vulnerability can be exploited by an attacker to inject malicious JavaScript code into the key_value field. When a victim views the page containing the malicious code, the code will be executed in their browser. In [avo/fields/common/key_value_component.html.erb]( https://github.com/avo-hq/avo/blob/main/app/components/avo/fields/common/key_value_component.html.erb#L38C21-L38C33) the value is taken in lines **38** and **49** and seems to be interpreted directly as html in lines **44** and **55**. ### PoC ![POC](https://user-images.githubuserc...

Gentoo Linux Security Advisory 202401-24 - Multiple denial of service vulnerabilities have been discovered in Nettle. Versions greater than or equal to 3.9.1 are affected.

Gentoo Linux Security Advisory 202401-23 - A buffer overread vulnerability has been found in libuv. Versions greater than or equal to 1.41.1 are affected.

Gentoo Linux Security Advisory 202401-22 - Multiple vulnerabilities have been discovered in libspf2, the worst of which can lead to remote code execution. Versions greater than or equal to 1.2.11 are affected.