![]() Every application that stores attachments with `Attachment::save()` without providing a `$filename` or passing unsanitized user input is affected by this attack. Prior to version 5.3.0, an unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability, which results in a remote code execution vulnerability. ![]() PHP-IMAP is a wrapper for common IMAP communication without the need to have the php-imap module installed / enabled. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. The URI parser mishandles invalid URLs that have specific characters. Attackers who bypass the selinux permission can exploit this vulnerability to crash the program.Ī ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. As a workaround, pass the key as a file instead of a string.įormat string vulnerability in the distributed file system. Users should upgrade to version 8.5.3 to receive the patch. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. League/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |