
Security Advisories Notices Update on March 31, 2022

Two advisories for 3CX published and a hotfix from 3CX for a separate issue

Emanuel Duss from Compass Security reported two medium-severity security issues in 3CX phone system components:

In the first case, the title of the advisory says it all: the legacy Windows client and the Android and iOS clients do not verify the TLS certificate presented by the 3CX server. Any attacker who can get on the network path (a hostile Wi-Fi network, a compromised router) can therefore terminate the TLS session with a certificate of their own and read the provisioning data, which typically includes credentials for the phone system.

As for mitigation, the advisory says:

  • According to 3CX, the vulnerability will be tackled in future redesigns of the mobile apps.
  • Users of the legacy Windows client can switch to the new Electron-based 3CX Desktop App, which is not affected.
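What "does not verify the TLS certificate" means in code, and what the verifying client should look like, as an added example. This is not 3CX's or Compass Security's code; the hostnames, paths and fingerprints are placeholders, and the pinning helper is an extra control on top of ordinary chain validation, not something the advisory prescribes:

```python
"""Added example: a TLS client that skips verification (the flaw described
in the advisory) beside one that verifies the chain, checks the hostname and
optionally pins the PBX certificate. Not 3CX code; all names are placeholders."""
import hashlib
import hmac
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """What a non-verifying client amounts to: any certificate from anyone is
    accepted, so a man-in-the-middle can terminate TLS and read the provisioning
    payload. Shown only to make the weakness concrete; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against a CA bundle (the system store when ca_bundle is
    None), check the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses of a context; an empty list is good."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value usually recorded as a 'pin'."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the presented certificate against a pinned
    fingerprint, e.g. one recorded for the PBX when the client was enrolled.
    Accepts 'ab:cd:..' or plain hex, any case."""
    presented = cert_fingerprint(der_cert)
    expected = expected_sha256_hex.replace(":", "").lower()
    return hmac.compare_digest(presented, expected)


def fetch_provisioning(host: str, path: str, pinned_sha256: Optional[str] = None) -> bytes:
    """Fetch a provisioning document over a verified, optionally pinned, TLS
    connection. Placeholder host/path; this performs a real network call and is
    not exercised offline."""
    ctx = hardened_context()
    with socket.create_connection((host, 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if pinned_sha256 is not None:
                der = tls.getpeercert(binary_form=True)
                if not pin_matches(der, pinned_sha256):
                    raise ssl.SSLError("server certificate does not match pinned fingerprint")
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The quickest field check for a client you do not have source for is the mirror image of this: put the client behind an intercepting proxy with a self-signed certificate and watch whether the provisioning request still goes through. A client that verifies fails the handshake; the clients in the advisory do not.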

The second issue has been publicly known for a few years, judging by the references to German 3CX forums, but does not appear to have been addressed yet.

The advisory says that:

  • There is no security update for this vulnerability at the moment. According to 3CX, the vulnerability will be tackled in future redesigns of the management console.

3CX also published a hotfix; its changelog gives only this much:

  • Fix for a security vulnerability
  • Fix of memory leak affecting business systems in particular conditions
  • Fix for application crash of the call manager if under DDoS attack.

If you use 3CX's software, do upgrade: we are told these are high or critical severity vulnerabilities, even though the changelog does not say so. See their post here: Security & Memory Hotfix Available for V18 Update 3.

Kerbit blog posts about Pascom and VoIPmonitor

Security researchers at Kerbit released two interesting blog posts:

In the case of Pascom's phone system, they chained three different vulnerabilities to get remote code execution. The first was a path traversal in the Nginx reverse proxy, which let them reach any application on the Tomcat server behind it. That, in turn, exposed an Openfire (XMPP) server with an SSRF vulnerability, the second link in the chain. The SSRF was then used to reach a localhost-only web service that hands out the (random) password of the user moby. With those credentials they could schedule a task, and scheduled tasks are executed by a Perl script that runs as root.

The second post is about the VoIPmonitor GUI where they found multiple vulnerabilities, such as authentication bypass, SQL injection and remote code execution.

CVE-2022-26143: Mitel MiCollab and MiVoice Business Express used to launch DDoS attacks

Mitel MiCollab and MiVoice Business Express systems have a vulnerability that can be abused for UDP reflection/amplification, i.e. to launch DDoS attacks against third parties. The remarkable thing about this issue is the amplification factor, reported as 220 billion percent: a single inbound packet can trigger a sustained flood of responses.

To abuse this issue, attackers need to find Mitel equipment that runs tp240dvr ("TP-240 driver") on UDP port 10074 and happens to be exposed to the Internet. The attacker then sends the startblast debugging command in a UDP packet whose source address is spoofed to be that of the victim organisation, so the flood of responses goes to the victim. Done at scale, this gives attackers bandwidth-saturation DDoS attacks for free. Whatever the patch status of the device, UDP/10074 has no business being reachable from the Internet, so block it at the edge and check your flow data for it.

The vulnerable TP-240 driver can also be used for other purposes, such as toll fraud.

This issue was abused in the wild by booter DDoS services, which is why it is such a big deal.
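How an exposed TP-240 reflector shows up in your own flow data, as an added example: not Mitel's, Shadowserver's or anyone else's production tooling, and the log format, addresses and packet counts are all constructed for the demonstration. The pattern is inbound UDP to port 10074 from outside the organisation, followed by a far larger volume of UDP from port 10074 back to the same outside address, which is the spoofed victim rather than the real sender:

```python
"""Added example: detect a TP-240 reflector (UDP/10074) in flow records.
The flow format and all addresses below are constructed for illustration;
the packet ratio in the sample is invented and far below the real one."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set

TP240_PORT = 10074

# Constructed flow records:
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <packets> <bytes>"
SAMPLE_FLOWS = """\
2022-03-10T12:00:01Z udp 203.0.113.7:40000 -> 198.51.100.5:10074 1 60
2022-03-10T12:00:01Z udp 198.51.100.5:10074 -> 203.0.113.7:40000 4000 240000
2022-03-10T12:00:02Z udp 198.51.100.9:5060 -> 192.0.2.10:5060 12 8400
2022-03-10T12:00:03Z udp 198.51.100.5:10074 -> 203.0.113.7:40000 3800 228000
2022-03-10T12:00:05Z tcp 192.0.2.44:51000 -> 198.51.100.5:443 30 5000
"""


class Flow(NamedTuple):
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    ts, proto, src, arrow, dst, packets, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), src_ip, int(sport), dst_ip, int(dport), int(packets), int(nbytes))


def parse_flows(text: str) -> List[Flow]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def exposed_tp240_hosts(flows: Iterable[Flow], our_nets: Iterable[str]) -> Set[str]:
    """Internal hosts that received UDP/10074 from an address outside our_nets."""
    nets = [ipaddress.ip_network(n) for n in our_nets]

    def ours(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return {f.dst for f in flows
            if f.proto == "udp" and f.dport == TP240_PORT and ours(f.dst) and not ours(f.src)}


class Reflection(NamedTuple):
    reflector: str
    target: str      # the peer: spoofed source on the way in, flood target on the way out
    packets_in: int
    packets_out: int
    bytes_in: int
    bytes_out: int

    @property
    def packet_ratio(self) -> float:
        return self.packets_out / max(self.packets_in, 1)

    @property
    def byte_ratio(self) -> float:
        return self.bytes_out / max(self.bytes_in, 1)


def reflection_stats(flows: Iterable[Flow], reflector: str) -> List[Reflection]:
    """Per peer, compare what arrived at reflector:10074 with what left it."""
    per_peer: Dict[str, List[int]] = defaultdict(lambda: [0, 0, 0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == reflector and f.dport == TP240_PORT:
            per_peer[f.src][0] += f.packets
            per_peer[f.src][2] += f.bytes
        elif f.src == reflector and f.sport == TP240_PORT:
            per_peer[f.dst][1] += f.packets
            per_peer[f.dst][3] += f.bytes
    return [Reflection(reflector, peer, pi, po, bi, bo)
            for peer, (pi, po, bi, bo) in per_peer.items()]


def suspected_reflections(flows: Iterable[Flow], our_nets: Iterable[str],
                          min_packet_ratio: float = 100.0) -> List[Reflection]:
    """Exposed TP-240 hosts whose outbound-to-inbound packet ratio towards one
    peer is wildly asymmetric, i.e. they are being used to flood that peer."""
    flows = list(flows)
    hits: List[Reflection] = []
    for host in sorted(exposed_tp240_hosts(flows, our_nets)):
        hits.extend(r for r in reflection_stats(flows, host) if r.packet_ratio >= min_packet_ratio)
    return hits


if __name__ == "__main__":
    for r in suspected_reflections(parse_flows(SAMPLE_FLOWS), ["198.51.100.0/24"]):
        print(f"{r.reflector} is reflecting towards {r.target}: "
              f"{r.packets_in} pkt in, {r.packets_out} pkt out (x{r.packet_ratio:.0f})")
```

Even with no asymmetric traffic yet, a non-empty result from exposed_tp240_hosts is a finding on its own: the device is reachable on the debug port from the Internet and should be firewalled regardless.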

Read more in

More on PJSIP’s vulnerabilities fixed last month

The original reporters from JFrog have now issued technical details about the PJSIP vulnerabilities on their blog: JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library

The vulnerabilities are tracked under the following CVEs:

  • CVE-2021-43299 – Stack overflow in PJSUA API when calling pjsua_player_create
  • CVE-2021-43300 – Stack overflow in PJSUA API when calling pjsua_recorder_create
  • CVE-2021-43301 – Stack overflow in PJSUA API when calling pjsua_playlist_create
  • CVE-2021-43302 – Read out-of-bounds in PJSUA API when calling pjsua_recorder_create
  • CVE-2021-43303 – Buffer overflow in PJSUA API when calling pjsua_call_dump

Because the write-up mentions third-party software that embeds PJSIP, such as Asterisk, WhatsApp and BlueJeans, some journalists covering it assumed those applications are necessarily vulnerable. In their blog post, the JFrog security team make clear that they tested only the library itself, not the software that relies on it. Whether a given product is exposed depends on whether it calls the affected PJSUA functions with input an attacker can influence, such as an over-long file name.

Asterisk Advisories

With regard to the multipart issue, the Asterisk developers are not sure whether it is really a problem, but they issued an advisory anyway. The STUN issue is only relevant when ICE/WebRTC support is switched on, which is not the default. Finally, the "use after free of dialog set" issue is also marked as a major vulnerability.

Apple Security Advisory

Safari 15.4 Security Content
iOS 15.4 and iPadOS 15.4 Security Content
watchOS 8.5 Security Content
tvOS 15.4 Security Content
macOS Monterey 12.3 Security Content
macOS Big Sur 11.6.5 Security Content
Security Update 2022-003 Catalina Security Content
Xcode 13.3 Security Content
Logic Pro X 10.7.3 Security Content
GarageBand 10.4.6 Security Content

Adobe Security Bulletins and Advisories

Security Updates Available for Adobe Illustrator | APSB21-12 APSB22-15
Security updates available for Adobe Photoshop | APSB21-28 APSB22-14

Mozilla Security Advisories

Security Vulnerabilities fixed in Thunderbird 91.7 mfsa2022-12
Security Vulnerabilities fixed in Firefox 98 mfsa2022-10
Security Vulnerabilities fixed in Firefox ESR 91.7 mfsa2022-11
Security Vulnerabilities fixed in Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 mfsa2022-09

Ubuntu Security Notices

USN-5321-3: Firefox regressions
USN-5347-1: OpenVPN vulnerability
USN-5346-1: Linux kernel (OEM) vulnerability
USN-5345-1: Thunderbird vulnerabilities
LSN-0085-1: Kernel Live Patch Security Notice
USN-5343-1: Linux kernel vulnerabilities
USN-5340-1: CKEditor vulnerabilities
USN-5341-1: GNU binutils vulnerabilities
USN-5339-1: Linux kernel vulnerabilities
USN-5338-1: Linux kernel vulnerabilities
USN-5337-1: Linux kernel vulnerabilities
USN-5335-1: ImageMagick vulnerabilities
USN-5333-2: Apache HTTP Server vulnerabilities
USN-5332-2: Bind vulnerability
USN-5321-2: Firefox vulnerabilities
USN-5334-1: man-db vulnerability
USN-5333-1: Apache HTTP Server vulnerabilities
USN-5332-1: Bind vulnerabilities
USN-5331-1: tcpdump vulnerabilities
USN-5328-2: OpenSSL vulnerability
USN-5330-1: LibreOffice vulnerability
USN-5329-1: tar vulnerability
USN-5328-1: OpenSSL vulnerability
USN-5327-1: rsh vulnerability
USN-5325-1: Zsh vulnerabilities
USN-5324-1: libxml2 vulnerability
USN-5323-1: NBD vulnerabilities
USN-5322-1: Subversion vulnerability
USN-5321-1: Firefox vulnerabilities
USN-5320-1: Expat vulnerabilities and regression
USN-5319-1: Linux kernel vulnerabilities
USN-5318-1: Linux kernel vulnerabilities
USN-5317-1: Linux kernel vulnerabilities
USN-5316-1: Redis vulnerability
USN-5310-2: GNU C Library vulnerabilities
USN-5300-3: PHP vulnerabilities
USN-5313-1: OpenJDK vulnerabilities
USN-5314-1: Firefox vulnerabilities
USN-5311-1: containerd vulnerability
USN-5300-2: PHP vulnerabilities
USN-5312-1: HAProxy vulnerability
USN-5310-1: GNU C Library vulnerabilities
USN-5309-1: virglrenderer vulnerabilities
USN-5307-1: QEMU vulnerabilities
USN-5306-1: WebKitGTK vulnerabilities
USN-5305-1: MariaDB vulnerabilities
USN-5303-1: PHP vulnerability
USN-5304-1: PolicyKit vulnerability

Red Hat Security Advisory

(RHSA-2022:1056) Moderate: Release of OpenShift Serverless Client kn 1.21.0
(RHSA-2022:1053) Important: Red Hat Virtualization Host security and enhancement update [ovirt-4.4.10] Async #2
(RHSA-2022:1051) Moderate: Release of OpenShift Serverless 1.21.0
(RHSA-2022:1049) Important: httpd:2.4 security update
(RHSA-2022:0982) Important: Red Hat OpenStack Platform 16.1 (python-twisted) security update
(RHSA-2022:0987) Moderate: Red Hat OpenStack Platform 16.1 (numpy) security update
(RHSA-2022:0990) Moderate: Red Hat OpenStack Platform 16.1 (openstack-neutron) security update
(RHSA-2022:0983) Moderate: Red Hat OpenStack Platform 16.1 (openstack-nova) security update
(RHSA-2022:0989) Moderate: Red Hat OpenStack Platform 16.1 (golang-qpid-apache) security update
(RHSA-2022:0988) Moderate: Red Hat OpenStack Platform 16.1 (golang-github-vbatts-tar-split) security update
(RHSA-2022:1045) Important: httpd security update
(RHSA-2022:1042) Important: Red Hat OpenShift GitOps security update
(RHSA-2022:0992) Important: Red Hat OpenStack Platform 16.2 (python-twisted) security update
(RHSA-2022:1040) Important: Red Hat OpenShift GitOps security update
(RHSA-2022:1041) Important: Red Hat OpenShift GitOps security update
(RHSA-2022:1039) Important: Red Hat OpenShift GitOps security update
(RHSA-2022:0866) Important: OpenShift Container Platform 4.6.56 packages and security update
(RHSA-2022:1029) Important: Red Hat Integration Camel-K 1.6.4 release and security update
(RHSA-2022:0871) Important: OpenShift Container Platform 4.8.35 security update
(RHSA-2022:1012) Important: expat security update
(RHSA-2022:1013) Moderate: Red Hat Integration Camel Extensions for Quarkus 2.2.1 security update
(RHSA-2022:0870) Important: OpenShift Container Platform 4.7.45 packages and security update
(RHSA-2022:1010) Moderate: rh-mariadb103-mariadb security and bug fix update
(RHSA-2022:1007) Moderate: rh-mariadb105-mariadb security and bug fix update
(RHSA-2022:0860) Important: OpenShift Container Platform 4.9.25 security update
(RHSA-2022:0927) Moderate: OpenShift Container Platform 4.10.5 packages and security update
(RHSA-2022:0973) Moderate: virt:av and virt-devel:av qemu-kvm security update
(RHSA-2022:0971) Moderate: virt:av and virt-devel:av security and bug fix update
(RHSA-2022:0968) Moderate: java-1.8.0-ibm security update
(RHSA-2022:0969) Moderate: java-1.7.1-ibm security update
(RHSA-2022:0970) Moderate: java-1.8.0-ibm security update
(RHSA-2022:0958) Important: kpatch-patch-4_18_0-147_58_1 security and bug fix update
(RHSA-2022:0951) Important: expat security update
(RHSA-2022:0952) Moderate: redhat-ds:11.3 security and bug fix update
(RHSA-2022:0949) Moderate: virt:av and virt-devel:av security and bug fix update
(RHSA-2022:0947) Moderate: OpenShift Virtualization 4.10.0 Images security and bug fix update
(RHSA-2022:0810) Important: OpenShift Container Platform 4.10.4 security update
(RHSA-2022:0925) Important: kpatch-patch security update
(RHSA-2022:0886) Moderate: virt:rhel and virt-devel:rhel security update
(RHSA-2022:0891) Moderate: httpd:2.4 security update
(RHSA-2022:0889) Low: 389-ds:1.4 security and bug fix update
(RHSA-2022:0896) Moderate: glibc security update
(RHSA-2022:0856) Moderate: Red Hat Advanced Cluster Management 2.2.11 security updates and bug fixes
(RHSA-2022:0855) Moderate: OpenShift sandboxed containers 1.2.0 security update
(RHSA-2022:0853) Important: thunderbird security update
(RHSA-2022:0850) Important: thunderbird security update
(RHSA-2022:0851) Important: kpatch-patch security update
(RHSA-2022:0845) Important: thunderbird security update
(RHSA-2022:0847) Important: thunderbird security update
(RHSA-2022:0849) Important: kpatch-patch security update
(RHSA-2022:0843) Important: thunderbird security update
(RHSA-2022:0842) Important: Release of containers for OSP 16.2 director operator tech preview
(RHSA-2022:0841) Important: Red Hat Virtualization Host security and bug fix update [ovirt-4.4.10] Async #1
(RHSA-2022:0056) Moderate: OpenShift Container Platform 4.10.3 security update
(RHSA-2022:0830) Important: .NET 5.0 security and bugfix update
(RHSA-2022:0831) Important: kernel security update
(RHSA-2022:0827) Important: .NET Core 3.1 security and bugfix update
(RHSA-2022:0832) Important: .NET 6.0 on RHEL 7 security and bugfix update
(RHSA-2022:0829) Important: .NET Core 3.1 on RHEL 7 security and bugfix update
(RHSA-2022:0826) Important: .NET 6.0 security and bugfix update
(RHSA-2022:0828) Important: .NET 5.0 on RHEL 7 security and bugfix update
(RHSA-2022:0825) Important: kernel security, bug fix, and enhancement update
(RHSA-2022:0824) Critical: firefox security and bug fix update
(RHSA-2022:0820) Important: kernel security, bug fix, and enhancement update
(RHSA-2022:0823) Important: kernel security update
(RHSA-2022:0822) Important: kernel-rt security update
(RHSA-2022:0821) Important: kernel-rt security and bug fix update
(RHSA-2022:0818) Critical: firefox security update
(RHSA-2022:0817) Critical: firefox security update
(RHSA-2022:0816) Critical: firefox security update
(RHSA-2022:0819) Important: kernel-rt security and bug fix update
(RHSA-2022:0815) Critical: firefox security update
(RHSA-2022:0790) Low: Satellite 6.10.3 Async Bug Fix Update
(RHSA-2022:0780) Important: cyrus-sasl security update
(RHSA-2022:0777) Important: kernel security, bug fix, and enhancement update
(RHSA-2022:0772) Important: kpatch-patch security update
(RHSA-2022:0771) Important: kernel-rt security and bug fix update
(RHSA-2022:0759) Moderate: virt:rhel and virt-devel:rhel security and bug fix update
(RHSA-2022:0735) Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes
(RHSA-2022:0731) Important: cyrus-sasl security update
(RHSA-2022:0730) Important: cyrus-sasl security update
(RHSA-2022:0728) Moderate: OpenShift Logging bug fix and security update (5.2.8)
(RHSA-2022:0727) Moderate: OpenShift Logging bug fix and security update (5.1.9)
(RHSA-2022:0722) Moderate: rh-maven36-httpcomponents-client security update
(RHSA-2022:0721) Moderate: OpenShift Logging bug fix and security update (5.3.5)
(RHSA-2022:0718) Important: kpatch-patch security update
(RHSA-2022:0655) Low: OpenShift Container Platform 4.9.23 bug fix and security update
(RHSA-2022:0708) Important: rh-ruby26-ruby security, bug fix, and enhancement update
(RHSA-2022:0687) Moderate: OpenShift API for Data Protection (OADP) 1.0.1 security and bug fix update

Cisco Security Advisory

Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability
Cisco StarOS Command Injection Vulnerability
Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities
Cisco Ultra Cloud Core – Subscriber Microservices Infrastructure Privilege Escalation Vulnerability

Microsoft Security

Chromium: CVE-2022-1096 Type Confusion in V8
Chromium: CVE-2022-0972 Use after free in Extensions
Chromium: CVE-2022-0974 Use after free in Splitscreen
Chromium: CVE-2022-0973 Use after free in Safe Browsing
Chromium: CVE-2022-0975 Use after free in ANGLE
Chromium: CVE-2022-0980 Use after free in New Tab Page
Chromium: CVE-2022-0979 Use after free in Safe Browsing
Chromium: CVE-2022-0978 Use after free in ANGLE
Chromium: CVE-2022-0977 Use after free in Browser UI
Chromium: CVE-2022-0976 Heap buffer overflow in GPU
Chromium: CVE-2022-0971 Use after free in Blink Layout
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
Visual Studio Code Spoofing Vulnerability
Windows Update Stack Elevation of Privilege Vulnerability
Brotli Library Buffer Overflow Vulnerability
Azure Site Recovery Remote Code Execution Vulnerability
Azure Site Recovery Remote Code Execution Vulnerability
Azure Site Recovery Elevation of Privilege Vulnerability
Azure Site Recovery Elevation of Privilege Vulnerability
Azure Site Recovery Remote Code Execution Vulnerability
Azure Site Recovery Remote Code Execution Vulnerability
Azure Site Recovery Elevation of Privilege Vulnerability
Azure Site Recovery Remote Code Execution Vulnerability
Microsoft Office Word Tampering Vulnerability
Microsoft Word Security Feature Bypass Vulnerability
Microsoft Office Visio Remote Code Execution Vulnerability
Microsoft Office Visio Remote Code Execution Vulnerability
Microsoft Office Visio Remote Code Execution Vulnerability
Tablet Windows User Interface Application Elevation of Privilege Vulnerability
Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Windows ALPC Elevation of Privilege Vulnerability
Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability
Windows DWM Core Library Elevation of Privilege Vulnerability
Windows ALPC Elevation of Privilege Vulnerability
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Remote Desktop Client Remote Code Execution Vulnerability
Windows Print Spooler Elevation of Privilege Vulnerability
Windows ALPC Elevation of Privilege Vulnerability
Paint 3D Remote Code Execution Vulnerability
Windows Common Log File System Driver Information Disclosure Vulnerability
Microsoft Defender for Endpoint Spoofing Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
Point-to-Point Tunneling Protocol Denial of Service Vulnerability
Windows Media Center Update Denial of Service Vulnerability
Skype Extension for Chrome Information Disclosure Vulnerability
Azure Site Recovery Remote Code Execution Vulnerability
Azure Site Recovery Elevation of Privilege Vulnerability
Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability
.NET and Visual Studio Denial of Service Vulnerability
.NET and Visual Studio Remote Code Execution Vulnerability
Microsoft Exchange Server Spoofing Vulnerability
Windows Fax and Scan Service Elevation of Privilege Vulnerability
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Azure Site Recovery Elevation of Privilege Vulnerability
HEIF Image Extensions Remote Code Execution Vulnerability
HEVC Video Extensions Remote Code Execution Vulnerability
Windows CD-ROM Driver Elevation of Privilege Vulnerability
Remote Desktop Protocol Client Information Disclosure Vulnerability
Windows Security Support Provider Interface Elevation of Privilege Vulnerability
Windows HTML Platforms Security Feature Bypass Vulnerability
VP9 Video Extensions Remote Code Execution Vulnerability
HEVC Video Extensions Remote Code Execution Vulnerability
HEVC Video Extensions Remote Code Execution Vulnerability
VP9 Video Extensions Remote Code Execution Vulnerability
HEVC Video Extensions Remote Code Execution Vulnerability
HEVC Video Extensions Remote Code Execution Vulnerability
HEVC Video Extensions Remote Code Execution Vulnerability
Raw Image Extension Remote Code Execution Vulnerability
Windows PDEV Elevation of Privilege Vulnerability
Windows NT OS Kernel Elevation of Privilege Vulnerability
Windows Installer Elevation of Privilege Vulnerability
Raw Image Extension Remote Code Execution Vulnerability
Windows Event Tracing Remote Code Execution Vulnerability
Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
Windows DWM Core Library Elevation of Privilege Vulnerability
Windows Inking COM Elevation of Privilege Vulnerability
Microsoft Defender for IoT Elevation of Privilege Vulnerability
Microsoft Defender for IoT Remote Code Execution Vulnerability
Remote Desktop Client Remote Code Execution Vulnerability
Windows Hyper-V Denial of Service Vulnerability
Media Foundation Information Disclosure Vulnerability
Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
Media Foundation Information Disclosure Vulnerability
Chromium: CVE-2022-0806 Data leak in Canvas
Chromium: CVE-2022-0805 Use after free in Browser Switcher
Chromium: CVE-2022-0807 Inappropriate implementation in Autofill
Chromium: CVE-2022-0808 Use after free in Chrome OS Shell
Chromium: CVE-2022-0809 Out of bounds memory access in WebXR
Chromium: CVE-2022-0797 Out of bounds memory access in Mojo
Chromium: CVE-2022-0789 Heap buffer overflow in ANGLE
Chromium: CVE-2022-0790 Use after free in Cast UI
Chromium: CVE-2022-0791 Use after free in Omnibox
Chromium: CVE-2022-0792 Out of bounds read in ANGLE
Chromium: CVE-2022-0793 Use after free in Views
Chromium: CVE-2022-0794 Use after free in WebShare
Chromium: CVE-2022-0795 Type Confusion in Blink Layout
Chromium: CVE-2022-0796 Use after free in Media
Chromium: CVE-2022-0798 Use after free in MediaStream
Chromium: CVE-2022-0799 Insufficient policy enforcement in Installer
Chromium: CVE-2022-0800 Heap buffer overflow in Cast UI
Chromium: CVE-2022-0801 Inappropriate implementation in HTML parser
Chromium: CVE-2022-0802 Inappropriate implementation in Full screen mode
Chromium: CVE-2022-0803 Inappropriate implementation in Permissions
Chromium: CVE-2022-0804 Inappropriate implementation in Full screen mode

Github Security Advisories

[GHSA-gcx2-gvj7-pxv3] Insufficient Protection against HTTP Request Smuggling in mitmproxy
[GHSA-3p22-ghq8-v749] Renderers can obtain access to random bluetooth device without permission in Electron
[GHSA-4fc4-4p5g-6w89] HTML processing vulnerability allowing to execute JavaScript code
[GHSA-6x2m-w449-qwx7] Code Injection in CRI-O
[GHSA-w2j5-3rcx-vx7x] Sysctls applied to containers with host IPC or host network namespaces can affect the host
[GHSA-2xmm-g482-4439] DQL injection through sorting parameters blocked
[GHSA-rjmq-6v55-4rjv] Improper Authorization in org.cometd.oort
[GHSA-7j52-6fjp-58gr] Inconsistent storage layout for ERC2771ContextUpgradeable
[GHSA-gw5h-h6hj-f56g] Improper Authorization in Gogs
[GHSA-q347-cg56-pcq4] SSRF in repository migration
[GHSA-32gv-6cf3-wcmq] HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods
[GHSA-4vvg-x86p-mvqc] Leaking of user information on Cross-Domain communication in sysend
[GHSA-4qrp-27r3-66fj] Improper sanitize of SVG files during content upload (‘Cross-site Scripting’) in sylius/sylius
[GHSA-mf3v-f2qq-pf9g] Insufficient Session Expiration in Sylius
[GHSA-7563-75j9-6h5p] Sensitive Information Exposure in Sylius
[GHSA-cfhh-xgwq-5r67] Sudden swap of user auth tokens
[GHSA-4jp3-q2qm-9fmw] Improper Restriction of Rendered UI Layers or Frames in Sylius
[GHSA-p6h4-93qp-jhcm] Command Injection in Parse server
[GHSA-mcg6-h362-cmq5] Improper Authorization in cobbler
[GHSA-6h3m-36w8-hv68] Arbitrary file write in nats-server
[GHSA-4cx6-fj7j-pjx9] Code injection in Stripe CLI on windows
[GHSA-83vp-6jqg-6cmr] Incorrect Authentication in shopware
[GHSA-6wrh-279j-6hvw] HTTP caching is marking private HTTP headers as public in Shopware
[GHSA-952p-fqcp-g8pc] HTML injection possibility in voucher code form in Shopware
[GHSA-w267-m9c4-8555] Shopware user session is not logged out if the password is reset via password recovery
[GHSA-jp6h-mxhx-pgqh] Shopware guest session is shared between customers
[GHSA-75p7-527p-w8wp] Server-Side Request Forgery and Open Redirect in AllTube Download
[GHSA-m5pq-gvj9-9vr8] Regular expression denial of service in Rust’s regex crate
[GHSA-9w4w-cpc8-h2fq] Exposure of Sensitive Information to an Unauthorized Actor in httpie
[GHSA-5jgq-x857-p8xw] Account compromise in Evmos
[GHSA-6cp7-g972-w9m9] Use of a Key Past its Expiration Date in Maddy Mail Server
[GHSA-fmx4-26r3-wxpf] Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption
[GHSA-446w-rrm4-r47f] Exposure of home directory through shescape on Unix with Bash
[GHSA-gmv4-r438-p67f] Leading white space bypasses protocol validation
[GHSA-rv6r-3f5q-9rgx] Twisted SSH client and server deny of service during SSH handshake.
[GHSA-cm9w-c4rj-r2cf] Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) in view_component
[GHSA-crp2-qrr5-8pq7] containerd CRI plugin: Insecure handling of image volumes
[GHSA-xvm2-9xvc-hx7f] Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer
[GHSA-cxf7-qrc5-9446] Remote shell execution vulnerability when applying commands from user input
[GHSA-32x6-qvw6-mxj4] Forwarding of confidentials headers to third parties in fluture-node
[GHSA-mfjm-vh54-3f96] Cookie-setting is not restricted based on the public suffix list
[GHSA-cjvr-mfj7-j4j8] User-set cookies are kept on redirect requests regardless of the target domain
[GHSA-7f63-h6g3-7cwm] Cross Site Scripting (XSS) in @finastra/ssr-pages
[GHSA-w6cx-qg2q-rvq8] Path Traversal in @finastra/ssr-pages
[GHSA-mj6m-246h-9w56] Improper regex in htaccess file
[GHSA-j34v-3552-5r7j] Multiple security issues in Pomerium’s embedded envoy
[GHSA-r5hc-wm3g-hjw6] Server-Side Request Forgery (SSRF) in rudloff/alltube
[GHSA-4v37-24gm-h554] Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability in CodeIgniter4
[GHSA-xjp4-6w75-qrj7] Remote CLI Command Execution Vulnerability in CodeIgniter4
[GHSA-p93v-m2r2-4387] Denial of service via insufficient metadata validation
[GHSA-w4f8-fxq2-j35v] Possible privilege escalation via bash completion script
[GHSA-chxf-fjcf-7fwp] Possible filesystem space exhaustion by local users
[GHSA-gv9j-4w24-q7vx] Improper random number generation in github.com/coredns/coredns
[GHSA-2j6v-xpf3-xvrv] Use of Externally-Controlled Format String in wire-avs

Node.js Security Advisories

OpenSSL security releases may require Node.js security releases

Amazon AWS Security Advisories

CVE-2022-0778 awareness

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor's degree in computer science from the National University of Singapore and a master's degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
