A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-33420
https://github.com/…
An issue was discovered in the fe_change_pwd (aka Change password for frontend users) extension before 2.0.5, and 3.x before 3.0.3, for TYPO3. The extension fails to revoke existing sessions for the current user when the password has been changed.
Refe…
A vulnerability classified as critical was found in scifio. Affected by this vulnerability is the function downloadAndUnpackResource of the file src/test/java/io/scif/util/DefaultSampleFilesService.java of the component ZIP File Handler. The manipulati…
Unauthorized access to settings update, logs , history, delete etc in GitHub repository ikus060/rdiffweb prior to 2.5.2.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4314
https://github.com/ikus060/rdiffweb/commit/b2df3679564d0daa2856213bb307d…
Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution. A patch is available on the develop branch of the repository and anticipated to be part of a 2.4 release.
References
https://nvd.nist.gov/v…
Out-of-bounds read in gather_tree in PaddlePaddle before 2.4. A patch is available in the release/2.4 branch.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-46741
https://github.com/PaddlePaddle/Paddle/blob/develop/security/advisory/pdsa-2022-00…
A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file.
References
https://nvd.nist.gov/vuln/detail/CVE-2…
Impact
Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts.
Patches
Patched in 2.6.1
Workarounds
Site maintainers can cherry-pick https…
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain appkey of the product and execute an arbitrary OS command on the product.
References
https://nvd.nist.go…
OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.68 and earlier allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product.
Release notes for versions 3.3.62 and 3.3.69 both…
