Impact
This vulnerability impacts npm (server) users of moment.js, especially if user provided locale string, eg fr is directly used to switch moment locale.
Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versio…
[consoleme] Use of Externally-Controlled Format String in consoleme
A Python format string issue leading to information disclosure and potentially remote code execution in ConsoleMe for all versions prior to 1.2.2
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27177
https://github.com/Netflix/security-bulletins/…
[Simple-Wayland-HotKey-Daemon] Data Loss/Denial of Service in SWHKD
SWHKD 1.1.5 unsafely uses the /tmp/swhks.pid pathname. There can be data loss or a denial of service. A patch is available on the 1.1.0 branch of the repository.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27816
https://github.com/waycrate/sw…
[Simple-Wayland-HotKey-Daemon] Insecure Temporary File in SWHKD
SWHKD is a display protocol-independent hotkey daemon made in Rust. In SWHKD versions 1.1.5 and prior, SWHKD uses the /tmp/swhkd.pid pathname. As /tmp is accessible to all users, there can be an information leak or denial of service. No known workaroun…
[C1CMS.Assemblies] Server side request forgery in C1 CMS
C1 CMS is an open-source, .NET based Content Management System (CMS). Versions prior to 6.12 allow an authenticated user to exploit Server Side Request Forgery (SSRF) by causing the server to make arbitrary GET requests to other servers in the local ne…
[poetry] Untrusted Search Path in Poetry
Poetry prior to v1.1.9 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the appli…
[mitmproxy] Insufficient Protection against HTTP Request Smuggling in mitmproxy
Impact
In mitmproxy 7.0.4 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another reque…
[golang.org/x/crypto/ssh] Use of a Broken or Risky Cryptographic Algorithm in golang.org/x/crypto/ssh
golang.org/x/crypto/ssh versions 0.0.0-20220214200702-86341886e292 and prior in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey. Version 0.0.0-20220315160706-3147a52a75dd i…
[ansible] Insertion of Sensitive Information into Log File in ansible
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline crede…
[openssl-src] Infinite loop in `BN_mod_sqrt()` reachable when parsing certificates
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed fo…