Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-25936PUBLISHED: 2023-01-30Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.
CVE-2022-25967PUBLISHED: 2023-01-30Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
CVE-2023-24622PUBLISHED: 2023-01-30isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF.
CVE-2023-24623PUBLISHED: 2023-01-30Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
CVE-2022-48303PUBLISHED: 2023-01-30
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace c...
User Rank: Apprentice
3/27/2014 | 7:12:18 AM
Furthermore, she argues, assessors shouldn't be allowed to also sell security services to their clients: "Gartner has long argued that PCI qualified security assessors like Trustwave should not be allowed to sell remediation and ongoing security services as Trustwave did for Target, according to the lawsuit. This has the effect of potentially destroying the integrity and independence of the assessment process," she says in a blog post.