CVE-2024-52595 – HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
https://notcve.org/view.php?id=CVE-2024-52595
lxml_html_clean is a project for HTML cleaning functionalities copied from `lxml.html.clean`. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content. • https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808 https://github.com/fedora-python/lxml_html_clean/pull/19 https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-83: Improper Neutralization of Script in Attributes in a Web Page CWE-184: Incomplete List of Disallowed Inputs •
CVE-2024-2746 – Incomplete fix for CVE-2024-1929
https://notcve.org/view.php?id=CVE-2024-2746
Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemon operate on a blocking file (e.g. a named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. • https://github.com/xct/CVE-2024-27460 https://github.com/Alaatk/CVE-2024-27460 https://github.com/Alaatk/CVE-2024-27462 https://github.com/10cks/CVE-2024-27460-installer https://www.openwall.com/lists/oss-security/2024/04/03/5 • CWE-20: Improper Input Validation •
CVE-2024-1929 – Local Root Exploit via Configuration Dictionary
https://notcve.org/view.php?id=CVE-2024-1929
Local Root Exploit via Configuration Dictionary in dnf5daemon-server before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary. There are issues with the D-Bus interface long before Polkit is invoked. The `org.rpm.dnf.v0.SessionManager.open_session` method takes a key/value map of configuration entries. A sub-entry in this map, placed under the "config" key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the `libdnf5::Base` configuration. Practically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, libdnf5 will be initialized using these override configuration values. • https://www.openwall.com/lists/oss-security/2024/03/04/2 • CWE-20: Improper Input Validation •
CVE-2024-1930 – No Limit on Number of Open Sessions / Bad Session Close Behaviour
https://notcve.org/view.php?id=CVE-2024-1930
No Limit on Number of Open Sessions / Bad Session Close Behaviour in dnf5daemon-server before 5.1.17 allows a malicious user to impact Availability via No Limit on Number of Open Sessions. There is no limit on how many sessions D-Bus clients may create using the `open_session()` D-Bus method. For each session a thread is created in dnf5daemon-server. This spends a couple of hundred megabytes of memory in the process. Further connections will become impossible, likely because no more threads can be spawned by the D-Bus service. • https://www.openwall.com/lists/oss-security/2024/03/04/2 • CWE-400: Uncontrolled Resource Consumption •
CVE-2015-3983 – pcs: improper web session variable signing
https://notcve.org/view.php?id=CVE-2015-3983
The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types. It was found that the pcs daemon did not sign cookies containing session data that were sent to clients connecting via the pcsd web UI. • http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159374.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159401.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159412.html http://rhn.redhat.com/errata/RHSA-2015-0980.html http://rhn.redhat.com/errata/RHSA-2015-0990.html http://www.securityfocus.com/bid/74682 https://bugzilla.redhat.com/attachment.cgi?id=1009855 https://access.redhat.com/security/cve/CVE-2015-3983 https:/ • CWE-310: Cryptographic Issues CWE-347: Improper Verification of Cryptographic Signature •