#perl

Debian Linux Security Advisory 5402-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

A predictable patch cadence is nice, but the software giant can do more.

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Cisco Talos recently discovered a new ransomware actor called RA Group that has been operating since at least April 22, 2023.

A government effort to collect people’s internet records is moving beyond its test phase, but many details remain hidden from public view.

### Impact during codegen, the length word of a dynarray is written before the data, which can result in OOB array access in the case where the dynarray is on both the lhs and rhs of an assignment. here is a minimal example producing the issue: ```vyper a:DynArray[uint256,3] @external def test() -> DynArray[uint256,3]: self.a = [1,2,3] self.a = empty(DynArray[uint256,3]) self.a = [self.a[0],self.a[1],self.a[2]] return self.a # return [1,2,3] ``` and here is an example demonstrating the issue can cause data corruption across call frames: ```vyper @external def test() -> DynArray[uint256,3]: self.a() return self.b() # return [1,2,3] @internal def a(): a: uint256 = 0 b: uint256 = 1 c: uint256 = 2 d: uint256 = 3 @internal def b() -> DynArray[uint256,3]: a: DynArray[uint256,3] = empty(DynArray[uint256,3]) a = [a[0],a[1],a[2]] return a ``` examples involving append and pop: ```vyper @internal def foo(): c: DynArray[uint...

### Impact Due to missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. In the following example, calling `test` returns `354`, meaning that the variable `a` did store `354` a value out of bound for the type `uint8`. ```Vyper @external def test() -> uint16: x:uint8 = 255 a:uint8 = 0 for i in range(x, x+100): a = i return convert(a,uint16) ``` The issue seems to happen only in loops of type `for i in range(a, a + N)` as in loops of type `for i in range(start, stop)` and `for i in range(stop)`, the compiler is able to raise a `TypeMismatch` when trying to overflow the variable. thanks to @trocher for reporting ### Patches The problem is patched at https://github.com/vyperlang/vyper/commit/3de1415ee77a9244eb04bdb695e249d3ec9ed868 ### Workarounds

### Impact Internal calls to internal functions with more than 1 default argument are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the types are incompatible, typechecking is bypassed. In the `bar()` function in the following code, `self.foo(13)` is compiled to `self.foo(13,12)` instead of `self.foo(13,1337)`. ```vyper @internal def foo(a:uint256 = 12, b:uint256 = 1337): pass @internal def bar(): self.foo(13) ``` note that the ability to pass kwargs to internal functions is an undocumented feature that is not well known about. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem is patched at https://github.com/vyperlang/vyper/commit/c3e68c302aa6e1429946473769dd1232145822ac ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References _Are there any links users can visit to find ...

# WWBN AVideo Authenticated RCE A command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for [CVE-2023-30854](https://cve.report/CVE-2023-30854) which affects WWBN Avideo up to version 12.3 ## Vulnerable Code /plugin/CloneSite/cloneClient.json.php ```php $json->sqlFile = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->sqlFile)); $json->videoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->videoFiles)); $json->photoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->photoFiles)); // get dump file $cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val); ``` The `$objClone->cloneSiteURL` is not properly sanitized. ## Exploit Proof-of-Concept avidexploit.py ```python fro...

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.