Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Red Hat Security Advisory 2024-9472-03

Red Hat Security Advisory 2024-9472-03 - An update for grafana-pcp is now available for Red Hat Enterprise Linux 9.

Packet Storm
Open in Source
#vulnerability#linux#red_hat#redis#js
Red Hat Security Advisory 2024-9470-03

Red Hat Security Advisory 2024-9470-03 - An update for cups is now available for Red Hat Enterprise Linux 9. Issues addressed include a code execution vulnerability.

Red Hat Security Advisory 2024-9468-03

Red Hat Security Advisory 2024-9468-03 - An update for python3.9 is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-9459-03

Red Hat Security Advisory 2024-9459-03 - An update for buildah is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and traversal vulnerabilities.

Red Hat Security Advisory 2024-9458-03

Red Hat Security Advisory 2024-9458-03 - An update for python3.11-urllib3 is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-9457-03

Red Hat Security Advisory 2024-9457-03 - An update for python3.12-urllib3 is now available for Red Hat Enterprise Linux 9. Issues addressed include a remote shell upload vulnerability.

GHSA-xhg6-9j5j-w4vf: DotNetZip Directory Traversal vulnerability

Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

GHSA-g8r3-2v89-j6r5: Moodle IDOR when accessing list of badge recipients

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

How CISOs Can Lead the Responsible AI Charge

CISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology's promises and opportunities.

GHSA-f3cw-hg6r-chfv: Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI

### Summary Missing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI. `(Post-authentication, ALLOW_ADMIN_CHANGES=true)` ### Details Note: This is a sequel to [CVE-2023-40035](https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw) In [`src/helpers/FileHelper.php#L106-L137`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/helpers/FileHelper.php#L106-L137), the function `absolutePath` returned `$from . $ds . $to` without path normalization: ```php /** * Returns an absolute path based on a source location or the current working directory. * * @param string $to The target path. * @param string|null $from The source location. Defaults to the current working directory. * @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`. * @return string * @since 4.3.5 */ public static function absolutePath( ...