I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.
NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is vulnerable to a stored cross site scripting issue. An unauthenticated user can simulate an agent registration to cause the cross site scripting attack and take over a users session. With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts (agents), and kill the original agent. Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on Ubuntu 22.04. The agent was running on Windows 10 19045.
This Metasploit module exploits an unauthenticated remote code execution vulnerability in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the submitIndex.php file, where user-supplied input is passed directly to the require() function without proper sanitization. By exploiting this, an attacker can leverage the PHP filter chaining technique to execute arbitrary PHP code on the server. This allows for the execution of commands and control over the affected system. The exploit is particularly dangerous because it does not require authentication, making it possible for any remote attacker to exploit this vulnerability.
Ubuntu Security Notice 6782-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. Thomas Rinsma discovered that Thunderbird did not properly handle type check when handling fonts in PDF.js. An attacker could potentially exploit this issue to execute arbitrary javascript code in PDF.js.
Ubuntu Security Notice 6777-3 - Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Ubuntu Security Notice 6775-2 - Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Chat Bot version 1.0 suffers from a remote SQL injection vulnerability.
CHAOS version 5.0.8 is a free and open-source Remote Administration Tool that allows generated binaries to control remote operating systems. The web application contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The web application also contains a cross site scripting vulnerability within the view of a returned command being executed on an agent.
Ubuntu Security Notice 6780-1 - Guido Vranken discovered that idna did not properly manage certain inputs, which could lead to significant resource consumption. An attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6781-1 - Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing unvalidated input from a file into a string-type "eval". An attacker could craft a malicious file to achieve arbitrary code execution.
Joomla versions 4.2.8 and below remote unauthenticated information disclosure exploit.
Ubuntu Security Notice 6779-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Jan-Ivar Bruaroey discovered that Firefox did not properly manage memory when audio input connected with multiple consumers. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code.
The NethServer module installed as WebTop, produced by Sonicle, is affected by a stored cross site scripting vulnerability due to insufficient input sanitization and output escaping which allows an attacker to store a malicious payload as to execute arbitrary web scripts or HTML. Versions 7 and 8 are affected.
PowerVR suffers from a wrong order of operations in DevmemIntChangeSparse2() that leads to a temporarily dangling page table entry.
PowerVR suffers from a use-after-free vulnerability in _UnrefAndMaybeDestroy().
Red Hat Security Advisory 2024-2945-03 - Red Hat AMQ Broker 7.12.0 is now available from the Red Hat Customer Portal. Issues addressed include bypass, cross site scripting, denial of service, and deserialization vulnerabilities.
Red Hat Security Advisory 2024-2944-03 - This is the multiarch release of the AMQ Broker 7.12.0 aligned Operator and associated container images on Red Hat Enterprise Linux 8 for the OpenShift Container Platform. Issues addressed include denial of service and deserialization vulnerabilities.
Arm Mali versions since r45p0 suffer from a broken KBASE_USER_BUF_STATE_* state machine for userspace mappings that can lead to a use-after-free condition.
Red Hat Security Advisory 2024-2941-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes changes, bug fixes, and updates to patch vulnerabilities.
Red Hat Security Advisory 2024-2938-03 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2937-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2936-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2935-03 - An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2892-03 - An update for go-toolset-1.19-golang is now available for Red Hat Developer Tools. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2865-03 - Red Hat OpenShift Container Platform release 4.15.14 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.