On November 17, 2022, an email was received from Bitly advising that the new link quota per free token is lowered to 50 per month (from its previous value of 1000 per month). As per the email, this change is effective on December 8, 2022.
The new quota…
[net.sf.mpxj-for-csharp] Temporary File Information Disclosure vulnerability in MPXJ
Impact
On Unix-like operating systems (not Windows or macOS), MPXJ’s use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this fil…
[decode-uri-component] decode-uri-component vulnerable to Denial of Service (DoS)
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38900
https://github.com/SamVerschueren/decode-uri-component/issues/5
https://github.com/sindresorhus/query-st…
[sweetalert2] sweetalert2 v8.19.1 and above contains hidden functionality
sweetalert2 versions 8.19.1 and up until 9.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in …
[sweetalert2] sweetalert2 v9.17.4 and above contains hidden functionality
sweetalert2 versions 9.17.4 and up until 10.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in…
[sweetalert2] sweetalert2 v10.16.10 and above contains hidden functionality
sweetalert2 versions 10.16.10 and up until 11.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included …
[sweetalert2] sweetalert2 v11.4.9 and above contains hidden functionality
sweetalert2 versions 11.4.9 and above are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions …
[tensorflow] `CHECK` failure in `SobolSample` via missing validation
Impact
Another instance of CVE-2022-35935, where SobolSample is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
import tensorflow as tf
tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=…
[tensorflow-cpu] `CHECK` fail in `TensorListScatter` and `TensorListScatterV2` in eager mode
Impact
Another instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non-scalar inputs in `element_shape`, was found in eager mode and fixed.
import tensorflow as tf
arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16…
[tailscale.com/cmd] Tailscale daemon is vulnerable to information disclosure via CSRF
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.
Affected platforms: All
Patched Tailscale client versions: v1.32.3 or later, v1.33.2…