CVE-2023-36880 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-36880
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Vulnerabilidad de divulgación de información de Microsoft Edge (basado en Chromium) • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36880 https://security.gentoo.org/glsa/202402-05 •
CVE-2023-38174 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-38174
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Vulnerabilidad de divulgación de información de Microsoft Edge (basado en Chromium) • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38174 https://security.gentoo.org/glsa/202402-05 •
CVE-2023-46218 – curl: information disclosure by exploiting a mixed case flaw
https://notcve.org/view.php?id=CVE-2023-46218
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain. Esta falla permite que un servidor HTTP malicioso establezca "supercookies" en curl que luego se devuelven a más orígenes de los que están permitidos o son posibles. Esto permite que un sitio establezca cookies que luego se enviarán a sitios y dominios diferentes y no relacionados. • https://curl.se/docs/CVE-2023-46218.html https://hackerone.com/reports/2212193 https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD https://security.netapp.com/advisory/ntap-20240125-0007 https://www.debian.org/security/2023/dsa-5587 https://access.redhat • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVE-2023-6271 – Backup Migration Staging < 1.3.6 - Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-6271
The Backup Migration WordPress plugin before 1.3.6 stores in-progress backups information in easy to find, publicly-accessible files, which may allow attackers monitoring those to leak sensitive information from the site's backups. • https://research.cleantalk.org/cve-2023-6271-backup-migration-unauth-sensitive-data-exposure-to-full-control-of-the-site-poc-exploit https://wpscan.com/vulnerability/7ac217db-f332-404b-a265-6dc86fe747b9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-49096 – Argument Injection in FFmpeg codec parameters in Jellyfin
https://notcve.org/view.php?id=CVE-2023-49096
Without an additional information leak, this vulnerability shouldn’t be directly exploitable, even if the instance is reachable from the Internet. • https://cwe.mitre.org/data/definitions/88.html https://en.wikipedia.org/wiki/Pass_the_hash https://ffmpeg.org/ffmpeg-filters.html#drawtext-1 https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a https://github.com/jellyfin/jellyfin/issues/5415 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •