Page 116 of 8866 results (0.010 seconds)

CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1

An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. Un desbordamiento de enteros en el módulo VNC en VideoLAN VLC Media Player hasta la versión 3.0.17.4 permite a los atacantes, al engañar a un usuario para que abra una lista de reproducción manipulada se conecte a un servidor VNC fraudulento, bloquear VLC o ejecutar código bajo algunas condiciones. • https://twitter.com/0xMitsurugi https://www.debian.org/security/2022/dsa-5297 https://www.synacktiv.com/sites/default/files/2022-11/vlc_vnc_int_overflow-CVE-2022-41325.pdf https://www.videolan.org/security/sb-vlc3018.html • CWE-190: Integer Overflow or Wraparound •

CVSS: 8.1EPSS: 0%CPEs: 9EXPL: 0

A OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. Existe una vulnerabilidad de inyección de comandos del Sistema Operativo en las versiones de Node.js &lt;14.21.1, &lt;16.18.1, &lt;18.12.1, &lt;19.0.1 debido a una verificación insuficiente de IsAllowedHost que se puede omitir fácilmente porque IsIPAddress no lo hace correctamente. verifique si una dirección IP no es válida antes de realizar solicitudes de DBS que permitan volver a vincular ataques. La solución para este problema en https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 estaba incompleta y esto El nuevo CVE es para completar la solución. • https://lists.debian.org/debian-lts-announce/2023/02/msg00038.html https://nodejs.org/en/blog/vulnerability/november-2022-security-releases https://security.netapp.com/advisory/ntap-20230120-0004 https://security.netapp.com/advisory/ntap-20230427-0007 https://www.debian.org/security/2023/dsa-5326 https://access.redhat.com/security/cve/CVE-2022-43548 https://bugzilla.redhat.com/show_bug.cgi?id=2140911 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action •

CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0

AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. AWStats 7.x a 7.8 permite XSS en el complemento hostinfo debido a que se imprime una respuesta de Net::XWhois sin las comprobaciones adecuadas. • https://github.com/eldy/AWStats/pull/226 https://lists.debian.org/debian-lts-announce/2022/12/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GRFYH4DE3COMI3LJCOQQXA4FWOABU6Z2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYUZIFVB4N3NK4WGNHRNXZKJITCJBJX4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. • http://www.openwall.com/lists/oss-security/2022/12/03/1 https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html https://www.debian.org/security/2022/dsa-5307 https://access.redhat.com/security/cve/CVE-2021-37533 https://bugzilla.redhat.com/show_bug.cgi?id=2169924 • CWE-20: Improper Input Validation •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data. g810-led 0.4.2, una herramienta de configuración LED para teclados Logitech Gx10, contenía una regla udev para hacer que los nodos de dispositivos compatibles fueran legibles y escribibles en todo el mundo, permitiendo que cualquier proceso en el sistema leyera el tráfico de los teclados, incluidos los datos sensibles. • https://bugs.debian.org/1024998 https://github.com/MatMoul/g810-led/pull/297 https://lists.debian.org/debian-lts-announce/2022/12/msg00002.html • CWE-732: Incorrect Permission Assignment for Critical Resource •