Hidetaka Kiyomoto, mayor of Himeji City in Hyogo Prefecture, speaking at the graduation ceremony of Himeji Dokkyo University held on March 16, said: "If you think of yourself as coming from a third-rate university…
[com.caucho:resin] Path Traversal in Caucho Resin
A directory traversal vulnerability in Caucho Resin, as distributed in Resin 4.0.52 through 4.0.56, allows remote attackers to read files in arbitrary directories via a ; in a pathname within an HTTP request.
References
https://nvd.nist.gov/v…
[intelliants/subrion] Remote code execution in Subrion
Subrion is an open source PHP content management system. A Remote Code Execution (RCE) vulnerability exists in Subrion CMS 4.2.1 via modified code in a background field: when the information is modified, the data in that field is executed through eval().
…
[urijs] URL Confusion When Scheme Not Supplied in medialize/uri.js
When parsing a URL without a scheme and with excessive slashes, like ///www.example.com, URI.js will parse the hostname as null and the path as /www.example.com.
Such behaviour is different from that exhibited by browsers, which will parse ///www.examp…
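The following JavaScript is an added example and not code from uri.js or its advisory. It contrasts a generic RFC 3986 component split, which reports no authority for `///www.example.com` (the reading the advisory describes), with WHATWG URL resolution as browsers perform it, and shows a redirect-target check written against the browser's interpretation. The origin `https://app.example.com`, the sample inputs and the helper names are assumptions made for the illustration.

```javascript
// Added example, not uri.js code. Requires Node.js (global WHATWG URL).

// RFC 3986 Appendix B regular expression. Groups: 2 = scheme, 4 = authority, 5 = path.
const RFC3986 = /^(([^:/?#]+):)?(\/\/([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Generic split: "///www.example.com" has no scheme, an empty authority and the
// path "/www.example.com". A validator that trusts this view sees a local path.
function splitRfc3986(input) {
  const m = RFC3986.exec(input);
  return {
    scheme: m[2] || null,
    authority: m[4] || null, // empty authority reported as null
    path: m[5],
  };
}

// Browser-style resolution: for special schemes the WHATWG parser ignores extra
// slashes (and treats backslashes as slashes), so "///www.example.com" resolved
// against an https: base has the host www.example.com. Throws on unparsable input.
function resolveLikeBrowser(input, base) {
  return new URL(input, base);
}

// Hardened "redirect back to our own site" check (hypothetical helper): resolve
// the candidate the way the browser will, then require the resolved origin to be
// ours. Unparsable input is rejected rather than treated as a relative path.
function isSafeInternalRedirect(candidate, ourOrigin) {
  let target;
  try {
    target = new URL(candidate, ourOrigin);
  } catch {
    return false;
  }
  return target.origin === new URL(ourOrigin).origin;
}

// Constructed inputs for demonstration (assumed application origin).
const ORIGIN = 'https://app.example.com';
const SAMPLES = [
  '/account',
  '//www.example.com/x',
  '///www.example.com',
  '\\\\www.example.com',
  'https://app.example.com/ok',
];

for (const s of SAMPLES) {
  const split = splitRfc3986(s);
  const browser = resolveLikeBrowser(s, ORIGIN);
  console.log(
    JSON.stringify(s),
    '| rfc3986 authority:', split.authority,
    '| browser host:', browser.hostname,
    '| safe redirect:', isSafeInternalRedirect(s, ORIGIN),
  );
}
```

The design point: decide "same origin or not" on the resolved URL the user agent will actually follow, never on a standalone parse that can report a null host for input a browser will send to another site.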
An "aviation subscription service" was found to create a customer journey different from ordinary travel. HafH × JAL proof-of-concept report
KabuK Style Inc., Japan Airlines Co., Ltd. and JALPAK Co., Ltd. ran a proof-of-concept of an "aviation subscription service" from August to November 2021 and have published the report. The "aviation subscription service" proof-of-concept, digitalization […]
The post "An 'aviation subscription service' was found to create a customer journey different from ordinary travel. HafH × JAL proof-of-concept report" appeared first on Marketing Native (マーケティング ネイティブ).
[vyper] Incorrect Comparison in Vyper
Impact
Bytestrings can contain dirty bytes, so the word-for-word comparison gives incorrect results, e.g.
b1: Bytes[32] = b"abcdef"
b1 = slice(b1, 0, 1)
b2: Bytes[32] = b"abcdef"
t: bool = b1 == b2 # incorrectly evaluates to True
eve…
[twisted] Inconsistent Interpretation of HTTP Requests in twisted.web
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230:
The Content-Length header value could have a + or - prefix.
Illegal characters were permitted in…
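The following is an added example in JavaScript, not Twisted's Python code, illustrating the Content-Length point above: a strict parser that accepts only the RFC 7230 grammar (1*DIGIT) next to a lenient one built on parseInt, which, like the affected twisted.web parser, tolerates a sign prefix (and in parseInt's case more). A report of which header values the two parsers frame differently is what a reviewer would want, since a lenient hop in front of or behind a strict one is the precondition for inconsistent interpretation. The sample header values are constructed for the demonstration.

```javascript
// Added example, not twisted.web code.

// RFC 7230 section 3.3.2: Content-Length = 1*DIGIT. Signs, whitespace, hex and
// exponent notation are all invalid and are rejected here.
function parseContentLengthStrict(value) {
  if (typeof value !== 'string' || !/^[0-9]+$/.test(value)) return null;
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : null; // reject lengths beyond 2^53-1
}

// Lenient parse: parseInt accepts "+5", "-5", " 5" and "5abc", and reads "0x10"
// and "1e3" as 0 and 1. A negative or mismatched length corrupts request framing.
function parseContentLengthLenient(value) {
  const n = parseInt(value, 10);
  return Number.isNaN(n) ? null : n;
}

// RFC 7230 also requires that repeated Content-Length fields carry the same
// value; a request with differing values has no valid framing and is rejected.
function contentLengthFromHeaders(values) {
  if (values.length === 0) return null;
  const parsed = values.map(parseContentLengthStrict);
  if (parsed.some((n) => n === null)) return null;
  return parsed.every((n) => n === parsed[0]) ? parsed[0] : null;
}

// Header values on which a strict and a lenient parser disagree: the candidates
// for inconsistent interpretation between two hops.
function framingDisagreements(values) {
  return values.filter((v) => parseContentLengthStrict(v) !== parseContentLengthLenient(v));
}

// Constructed header values for demonstration.
const SAMPLES = ['5', '+5', '-5', ' 5', '5abc', '0x10', '1e3', ''];
for (const v of SAMPLES) {
  console.log(
    JSON.stringify(v),
    '| strict:', parseContentLengthStrict(v),
    '| lenient:', parseContentLengthLenient(v),
  );
}
console.log('disagreements:', framingDisagreements(SAMPLES));
console.log('duplicate headers 5,5 ->', contentLengthFromHeaders(['5', '5']));
console.log('duplicate headers 5,6 ->', contentLengthFromHeaders(['5', '6']));
```

The strict parser is the one to keep at every hop; the lenient one exists only to make the disagreement visible.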
[Moment.js] Path Traversal: ‘dir/../../filename’ in moment.locale
Impact
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is used directly to switch the moment locale.
Patches
This problem is patched in 2.29.2, and the patch can be applied to all affected versio…
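The following JavaScript is an added example, not moment.js's own code or its patch. It shows the check an application should apply to a user-supplied locale string before passing it to moment.locale(), plus an independent path guard for any loader that maps a locale name onto a file. The locale directory layout (`<dir>/<tag>.js`), the fallback locale and the helper names are assumptions made for the illustration.

```javascript
// Added example, not moment.js code.

// Conservative BCP 47-style shape: 2-3 letter language, optional dash-separated
// alphanumeric subtags. ".", "/", "\" and other characters fail, so neither
// "../../filename" nor "dir/../../filename" can pass. Widen the pattern if the
// project's locale list needs it (assumption: this shape covers the common tags).
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{1,8})*$/;

function isValidLocaleTag(tag) {
  return typeof tag === 'string' && tag.length <= 35 && LOCALE_TAG.test(tag);
}

// Normalise user input (lowercase, dash-separated, e.g. "en-gb") and fall back
// to a default instead of passing untrusted text through to moment.locale().
function chooseLocale(userInput, fallback = 'en') {
  const tag = String(userInput || '').trim().toLowerCase().replace(/_/g, '-');
  return isValidLocaleTag(tag) ? tag : fallback;
}

// Minimal POSIX path normalisation for absolute paths: drops "." and empty
// segments and lets ".." climb, which is exactly what a traversal payload relies on.
function posixNormalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Defence in depth for a loader: resolve "<dir>/<name>.js" and require the
// result to stay inside the locale directory. Deliberately independent of
// isValidLocaleTag so that it catches traversal on its own.
function safeLocalePath(localeDir, name) {
  const base = posixNormalize(localeDir);
  const file = posixNormalize(`${base}/${name}.js`);
  return file.startsWith(base + '/') ? file : null;
}

// Constructed inputs for demonstration (assumed install path).
const LOCALE_DIR = '/app/node_modules/moment/locale';
for (const input of ['fr', '  EN_GB ', '../../package', 'dir/../../filename']) {
  console.log(
    JSON.stringify(input),
    '| chooseLocale:', chooseLocale(input),
    '| safeLocalePath:', safeLocalePath(LOCALE_DIR, input),
  );
}
```

Use chooseLocale() at the trust boundary and safeLocalePath() (or an equivalent check) inside any code that turns a name into a file, so that a future widening of the tag pattern cannot reopen the traversal.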
[github.com/ipfs/go-ipfs] Opened exploitable ports in default docker-compose.yaml in go-ipfs
Impact
Allows admin API access to the IPFS node.
Who?
This affects people running the docker-compose.yaml service in an environment where the docker host is directly attached to a public or untrusted IP. In the vulnerable version, the private API en…
Toward becoming Twitter's largest shareholder: Elon Musk's campaign to reclaim "free speech"
It emerged on the 4th that Elon Musk, founder of Tesla and SpaceX, had acquired 9.2% of the shares of Twitter Inc., apparently making him its largest shareholder. The holding was disclosed in a large-shareholding report filed with the US Securities and Exchange Commission (SEC). In March, "