Impact
Reader::read_from_container can cause an infinite loop when a crafted PNG file is given.
Patches
Version 0.5.3 includes the fix.
Workarounds
No workaround is available.
Applications that do not pass files with the PNG signature to Reader::read_f…
[tecnickcom/tcpdf] TCPDF vulnerable to attackers triggering deserialization of arbitrary data
An issue was discovered in TCPDF before 6.2.22. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-17057
https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b31…
[org.hsqldb:hsqldb] HyperSQL DataBase vulnerable to remote code execution when processing untrusted input
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the class…
[commons-jxpath:commons-jxpath] JXPath vulnerable to remote code execution when interpreting untrusted XPath expressions
Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing a XPath string are vulnerable except compile() and compilePath() function. The XPath expressio…
[commons-jxpath:commons-jxpath] JXPath Out-of-bounds Write vulnerability
Those using JXPath to interpret XPath may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a deni…
[rdiffweb] rdiffweb Path Traversal vulnerability
rdiffweb prior to 2.4.10 is vulnerable to Path Traversal. Version 2.4.10 contains a patch.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3389
https://github.com/ikus060/rdiffweb/commit/323383d1db656f1b1291be529947bd943a6b0e99
https://huntr.dev/…
[rdiffweb] rdiffweb allows a new password to be the same as the previous password
rdiffweb prior to 2.5.0a4 allows users to set their new password to be the same as the old password during a password reset. Version 2.5.0a4 enforces a password policy in which a new password cannot be the same as the old one.
References
https://nvd.n…
[commons-jxpath:commons-jxpath] JXPath Out-of-bounds Write vulnerability
Those using JXPath to interpret XPath may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a deni…
[commons-jxpath:commons-jxpath] JXPath Out-of-bounds Write vulnerability
Those using JXPath to interpret XPath may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a deni…
[commons-jxpath:commons-jxpath] JXPath Out-of-bounds Write vulnerability
Those using JXPath to interpret XPath may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a deni…