#vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An authenticated attacker would be able to delete targeted files on a system which could result in them gaining SYSTEM privileges.

Google has rolled out fixes to address a set of nine security issues in its Chrome browser, including a new zero-day that has been exploited in the wild. Assigned the CVE identifier CVE-2024-4947, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris

A header injection vulnerability has been identified in the NativeMailerHandler of the Monolog library. This vulnerability may allow an attacker to manipulate email headers when log messages are sent via email.

Magento Commerce and Open Source 2.3.0, 2.2.7 and 2.1.16 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

Magento Commerce and Open Source 2.2.6 and 2.1.15 contain multiple security enhancements that help close Cross-Site Scripting (XSS) and other vulnerabilities.

Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 have been enhanced with critical security updates to address multiple vulnerabilities, including remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), and more. The following issues have been identified and remediated: - PRODSECBUG-1589: Stops Brute Force Requests via basic RSS authentication - MAG-23: M1 Credit Card Storage Capability - PRODSECBUG-2149: Authenticated RCE using customer import - PRODSECBUG-2159: API Based RCE Vulnerability - PRODSECBUG-2156: RCE Via Unauthorized Upload - PRODSECBUG-2155: Authenticated RCE using dataflow - PRODSECBUG-2053: Prevents XSS in Newsletter Template - PRODSECBUG-2142: XSS in CMS Preview - PRODSECBUG-1860: Admin Account XSS Attack Cessation via Filename - PRODSECBUG-2119: EE Patch to include names in templates - PRODSECBUG-2129: XSS in Google Analytics Vulnerability - PRODSECBUG-2019: Merchant Wishlist Security Strengthening - PRODSECBUG-2104: Send to a Frie...

Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well. Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to: - use sendmail as the mail transport agent - have specific, non-default configuration settings as described [here](https://magento.com/security/patches/supee-9652#:~:text=settings%20as%20described-,here,-.).

SUPEE-10975, Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.