In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. (CVSS:6.4) (Last Update:2019-09-27)
Read more...In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This[…]
Read more...In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be[…]
Read more...In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVSS:5.8) (Last Update:2019-10-09)
Read more...HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not[…]
Read more...A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the[…]
Read more...A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects[…]
Read more...In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the[…]
Read more...In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. (CVSS:6.0) (Last Update:2019-05-13)
Read more...In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVSS:6.0) (Last Update:2019-05-13)
Read more...Red Hat Security Advisory 2021-0736-01 - IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6-FP25. Issues addressed include buffer overflow[…]
Read more...Red Hat Security Advisory 2021-0734-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Read more...Red Hat Security Advisory 2021-0735-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include denial of service and resource exhaustion vulnerabilities.
Read more...Red Hat Security Advisory 2021-0733-01 - IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP80. Issues addressed include[…]
Read more...Red Hat Security Advisory 2021-0717-01 - IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR6-FP25. Issues addressed include buffer overflow[…]
Read more...Red Hat Security Advisory 2021-0719-01 - Red Hat Advanced Cluster Management for Kubernetes 2.0.8 images. Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across[…]
Read more...Red Hat Security Advisory 2021-0727-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating[…]
Read more...Red Hat Security Advisory 2021-0711-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide[…]
Read more...Red Hat Security Advisory 2021-0710-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.
Read more...Red Hat Security Advisory 2021-0637-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include XML injection and information leakage vulnerabilities.
Read more...Red Hat Product Security has joined forces with other security teams inside Red Hat to publish our content in a common venue using the Security channel of the Red Hat Blog.This move provides a wider variety of important Security topics,[…]
Read more...FORTIFY_SOURCE provides lightweight compile and runtime protection to some memory and string functions (original patch to gcc was submitted by Red Hat). It is supposed to have no or a very small runtime overhead and can be enabled for all[…]
Read more...Red Hat Product Security has transitioned from using its old 1024-bit DSA OpenPGP key to a new 4096-bit RSA OpenPGP key.This was done to improve the long-term security of our communications with our customers and also to meet current key[…]
Read more...
In our previous blog, we saw how arbitrary code execution resulting from stack-buffer overflows can be partly mitigated by marking segments of memory as non-executable, a technology known as Execshield. However stack-buffer overflow exploits can still effectively overwrite the function[…]
Things can be pretty scary out there today. There are a lot of things that could occur that make even the calmest amongst us take pause. Everything we do is a series of risk-based decisions that we hope leads to[…]
Many of our customers are required to meet a variety of regulatory requirements. Red Hat Enterprise Linux includes security technologies that help meet these requirements. Improving Linux security also benefits our layered products, such as Red Hat OpenShift Container Platform[…]
Read more...
The world of computer security has changed dramatically in the last few years. Keeping your operating system updated with the latest security patches is no longer sufficient. Operating system providers need to be more proactive in combating security problems. A[…]
As part of Red Hat's commitment to product security we have developed a tool internally that can be used to scan for variant 1 SPECTRE vulnerabilities. As part of our commitment to the wider user community, we are introducing this[…]
Read more...Many users of Red Hat Insights are familiar with the security rules we create to alert them about security vulnerabilities on their system, especially concerning high-profile issues such as Spectre/Meltdown or Heartbleed. In this post, I'd like to talk about[…]
Read more...Last week, a vulnerability (CVE-2018-10892) that affected CRI-O, Buildah, Podman, and Docker was made public before some affected upstream projects were notified. We regret that this was not handled in a way that lives up to our own standards around[…]
Read more...Cisco UCS Manager version 2.2(1d) remote command execution exploit. An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote[…]
Read more...This Metasploit module exploits an unauthenticated command injection vulnerability found in ZeroShell version 3.9.0 in the "/cgi-bin/kerbynet" url. As sudo is configured to execute /bin/tar without a password (NOPASSWD) it is possible to run root commands using the "checkpoint" tar[…]
Read more...This Metasploit module exploits a code execution vulnerability within the ASUS TM-AC1900 router as an authenticated user. The vulnerability is due to a failure filter out percent encoded newline characters within the HTTP argument SystemCmd when invoking /apply.cgi which bypasses[…]
Read more...RedTeam Pentesting discovered a denial of service vulnerability in the D-Link DSR-250N device which allows unauthenticated attackers in the same local network to execute a CGI script that reboots the device. Version 3.12 is confirmed affected.
Read more...Ubuntu Security Notice 4569-1 - It was discovered that Yaws did not properly sanitize XML input. A remote attacker could use this vulnerability to execute an XML External Entity injection attack. It was discovered that Yaws mishandled certain input when[…]
Read more...Sony IPELA Network Camera SNC-DH120T version 1.82.01 suffers from a remote stack buffer overflow vulnerability. The vulnerability is caused due to a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be[…]
Read more...TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place[…]
Read more...The CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content. In contrast to the documented behavior, they may return non-HTML data as HTML. This may lead to cross site scripting[…]
Read more...This Metasploit module exploits an authenticated arbitrary command execution vulnerability within the 'server' GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions
Read more...This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0 and below. The code execution is executed in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so repeated requests are made to[…]
Read more...snaplitics made a real revolution in the industry.
Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-14372
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.For the stable distribution (buster), these problems have been fixed in
Multiple security issues were discovered in Docker, a Linux container runtime, which could result in denial of service, an information leak or privilege escalation.
Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async HTTP client/server framework, is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website.
Two vulnerabilities were discovered in Node.js, which could result in denial of service or DNS rebinding attacks. For the stable distribution (buster), these problems have been fixed in
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.
Felix Weinmann reported a flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation, which can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character[…]
A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon[…]
It was discovered that zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions.
Ubuntu Security Notice 4530-1 - Wolfgang Schweer discovered that Debian-LAN did not properly handle ACLs for the Kerberos admin server. A local attacker could possibly use this issue to change the passwords of other users, leading to root privilege escalation.
Read more...Debian Linux Security Advisory 4633-1 - Multiple vulnerabilities were discovered in cURL, an URL transfer library.
Read more...Debian Linux Security Advisory 4629-1 - Simon Charette discovered that Django, a high-level Python web development framework, did not properly handle input in its PostgreSQL module. A remote attacker could leverage this to perform SQL injection attacks.
Read more...Debian Linux Security Advisory 4628-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names.
Read more...Debian Linux Security Advisory 4626-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names.
Read more...Debian Linux Security Advisory 4627-1 - Cross site scripting, denial of service, and various other vulnerabilities have been discovered in the webkit2gtk web engine.
Read more...Debian Linux Security Advisory 4625-1 - Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service.
Read more...Debian Linux Security Advisory 4624-1 - Several vulnerabilities were discovered in evince, a simple multi-page document viewer.
Read more...Debian Linux Security Advisory 4620-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.
Read more...Debian Linux Security Advisory 4621-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of Kerberos GSSAPI and TGS requests or incorrect TLS handshakes.
Read more...netkit-telnet version 0.17 telnetd on Fedora 31 BraveStarr remote code execution exploit.
Read more...This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE and[…]
Read more...Grub2 has grub2-set-bootflag setuid in the new Fedora release and has the ability to corrupt the environment.
Read more...This Metasploit module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be[…]
Read more...This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user[…]
Read more...Linux kernels prior to version 4.13.9 (Ubuntu 16.04/Fedora 27) local privilege escalation exploit.
Read more...This Metasploit module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or[…]
Read more...This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This Metasploit module has been tested successfully on Fedora 13 (i686) with kernel version[…]
Read more...This Metasploit module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This Metasploit[…]
Read more...This Metasploit module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable[…]
Read more...Read more...
Read more...
Read more...
Read more...
Read more...
Read more...
Dazu zählen z.B. Web Application Firewalls (WAF), die auch kostenlos erhältlich sind und durchaus einen sinnvollen, zusätzlichen Schutz bieten können. Zumindest kann sogenannten 'Script-Kiddies' der Spass deutlich erschwert werden.
Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 1.6.0 - 3.9.24Exploit type: ACL ViolationReported Date: 2021-01-31Fixed Date: 2021-03-02CVE Number: CVE-2021-26029DescriptionInadequate filtering of form contents could allow to overwrite the author field. The affected core components are com_fields, com_categories, com_banners, com_contact, com_newsfeeds and com_tags. Affected InstallsJoomla![…]
Read more...Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 3.0.0 - 3.9.24Exploit type: ACL violationReported Date: 2020-10-25Fixed Date: 2021-03-02CVE Number: CVE-2021-26027DescriptionIncorrect ACL checks could allow unauthorized change of the category for an article.Affected InstallsJoomla! CMS versions 3.0.0 - 3.9.24SolutionUpgrade to version 3.9.25ContactThe JSST at[…]
Read more...Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 3.0.0 - 3.9.24Exploit type: Improper Input ValidationReported Date: 2020-02-17Fixed Date: 2021-03-02CVE Number: CVE-2021-23132Descriptioncom_media allowed paths that are not intended for image uploads.Affected InstallsJoomla! CMS versions 3.0.0 - 3.9.24SolutionUpgrade to version 3.9.25ContactThe JSST at the Joomla![…]
Read more...Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 2.5.0 - 3.9.24Exploit type: XSSReported Date: 2020-05-05Fixed Date: 2021-03-02CVE Number: CVE-2021-23130DescriptionMissing filtering of feed fields could lead to xss issues.Affected InstallsJoomla! CMS versions 2.5.0 - 3.9.24SolutionUpgrade to version 3.9.25ContactThe JSST at the Joomla! Security Centre.Reported By: Bui[…]
Read more...Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 3.0.0 - 3.9.24Exploit type: Path TraversalReported Date: 2020-09-08Fixed Date: 2021-03-02CVE Number: CVE-2021-26028DescriptionExtracting an specifilcy crafted zip package could write files outside of the intended path.Affected InstallsJoomla! CMS versions 3.0.0 - 3.9.24SolutionUpgrade to version 3.9.25ContactThe JSST[…]
Read more...Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions: 2.5.0 - 3.9.24Exploit type: XSSReported Date: 2020-05-07Fixed Date: 2021-03-02CVE Number: CVE-2021-23129DescriptionMissing filtering of messages showed to users that could lead to xss issues.Affected InstallsJoomla! CMS versions 2.5.0 - 3.9.24SolutionUpgrade to version 3.9.25ContactThe JSST at the Joomla![…]
Read more...Project: Joomla!SubProject: CMSImpact: LowSeverity: LowVersions: 3.2.0 - 3.9.24Exploit type: Insecure RandomnessReported Date: 2021-01-13Fixed Date: 2021-03-02CVE Number: CVE-2021-23128DescriptionThe core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to[…]
Read more...Project: Joomla!SubProject: CMSImpact: LowSeverity: LowVersions: 3.2.0 - 3.9.24Exploit type: Insecure RandomnessReported Date: 2021-01-12Fixed Date: 2021-03-02CVE Number: CVE-2021-23126, CVE-2021-23127DescriptionUsage of the insecure rand() function within the process of generating the 2FA secret.Usage of an insufficient length for the 2FA secret accoring to[…]
Read more...Project: Joomla!SubProject: CMSImpact: LowSeverity: LowVersions: 3.2.0 - 3.9.24Exploit type: Improper Input ValidationReported Date: 2020-05-07Fixed Date: 2021-03-02CVE Number: CVE-2021-23131DescriptionMissing input validation within the template manager.Affected InstallsJoomla! CMS versions 3.2.0 - 3.9.24SolutionUpgrade to version 3.9.25ContactThe JSST at the Joomla! Security Centre.Reported By:[…]
Read more...
Today we're releasing version 3.8.0 of the Simple RSS Feed Reader module. This new release brings back Joomla 1.5 support (by popular request), it introduces a new sub-template & changes the remote image resizing service from Mobify to Images.weserv.nl.Here's what's been[…]
Adding RSS/Atom syndicated content inside your Joomla website is now super-easy and simple with the 'Simple RSS Feed Reader' module from JoomlaWorks. All you have to do is add a few feeds to the module parameters, publish the module in[…]
Project: Joomla!SubProject: CMSImpact: ModerateSeverity: LowVersions:3.1.0 - 3.9.23Exploit type: XSSReported Date: 2020-09-01Fixed Date: 2021-01-12CVE Number: CVE-2021-23125DescriptionLack of escaping of image-related parameters in multiple com_tags views cause lead to XSS attack vectors.Affected InstallsJoomla! CMS versions 3.1.0 - 3.9.23SolutionUpgrade to version 3.9.24ContactThe JSST[…]
Read more...
The performance of the default article system in Joomla really sucks big time, that's a well know fact.It''s actually one of the reasons we built K2 in the first place.And as we venture into Joomla 4 territory, instead of seeing[…]
publisher, 3.0.19, 3rd party extension, XSS (Cross Site Scripting)
Read more...paGO Commerce, 2.5.9.0, 3rd party extension, SQL Injection
Read more...
The K2 Plugin for sh404SEF version 1.6.0 is now available to download for subscribers. This is a bug fix release that addresses compatibility with K2 v2.10.3+ and improves support for PHP 7.x in general.Here's what's been added or changed in the K2 Plugin[…]
A plugin for supporting K2 in sh404SEF.Use the plugin to configure K2 URLs when using sh404SEF in a multitude of options.Unlike the previous built-in implementation for sh404SEF, this new plugin provides new URL manipulation options and it has dual compatibility[…]
Social Chat, 1.5 and Below, 3rd party extension, SQL Injection Iacopo Guarneri
Read more...
SocialConnect is the only Joomla extension that allows you to integrate your Joomla site with social networks and identity providers for user authentication, posting content directly to social networks and 3rd-party comment system integration.FeaturesLet your users register to your website[…]
NEW VERSION 3.8 released in June 2020!Adding image galleries inside your Joomla articles has never been easier! Using the "Simple Image Gallery PRO" extension from JoomlaWorks you can quickly display a folder of images on your server as a stylish[…]
Simple Image Gallery Pro v3.8.0 is now available to download for subscribers. This new release improves upon existing features, extends Flickr support to galleries (beyond albums/sets) and adds PHP 7.4 & Postgres compatibility.Here's what's been added or changed in Simple Image[…]
AllVideos (by JoomlaWorks) is the universal media player for Joomla and a classic must-have extension for any Joomla based website.Use the plugin to easily embed video & audio content from all major 3rd party media providers (YouTube, Vimeo, Dailymotion, Twitch,[…]
Version 6.1.0 of AllVideos is now available. This new release introduces support for Mixcloud embeds and improves support for PHP 7.4.Here's what's been added or changed in this new release of AllVideos:Added support for Mixcloud embeds. Just use the pattern[…]
K2 is the popular powerful content extension for Joomla with CCK-like features. It provides an out-of-the box integrated solution featuring rich content forms for items (think of Joomla articles with additional fields for article images, videos, image galleries and attachments),[…]
K2 v2.10.3 is now available to download for Joomla versions 1.5 to 3.x. This is a maintenance & bugfix release, which refines the backend user interface (building upon the changes that were introduced with v2.10.0 to v2.10.2), improves client-size (frontend) caching & resolves broken auto-generated feeds[…]
hwdplayer,4.2,SQL InjectionPossible abandonware also
Read more...
I don't usually write similar blog posts, but I've been really enjoying Snowflake recently. What's Snowflake you ask? Well, it's a new open source graphical SSH/SFTP client which makes working with remote servers a breeze. It works like Panic's Coda when[…]
Adding image galleries inside your Joomla articles is now super-easy and simple, using the magical "Simple Image Gallery" plugin for Joomla. The plugin can turn any folder of images located inside your Joomla website into a grid-style image gallery with[…]
Simple Image Gallery (free) version 4.1.0 is now available to download. This is a maintenance release.Here's what's been added or changed in Simple Image Gallery (free) with the release of v4.1.0:Allow the plugin to accept WEBP images as source images[…]
Version 6.0.0 of AllVideos is now available. This is a feature release, which also introduces full support with the upcoming Joomla version 4 release.Here's what's been added or changed in this new release of AllVideos:Fully compatible with the upcoming Joomla[…]
Simple Image Gallery (free) version 4.0.0 is now available to download. This marks our first extension update that supports the upcoming Joomla version 4 (currently in "beta").Here's what's been added or changed in Simple Image Gallery (free) with the release[…]
RadioWave v1.2.0 has just been released. This is a bugfix and feature-improvement release.Here's what's been added or changed in RadioWave with the release of v1.2.0:Fixed time parsing for the OnAir template override (K2 Content module) which caused the module's output[…]
K2 v2.10.2 is now available to download for Joomla versions 1.5 to 3.x. This is a maintenance & security release: it concludes the backend user interface changes that were introduced with v2.10.0 and is now 100% mobile-friendly and it also addresses[…]
As we're preparing to launch a new website for getk2.org, we have decided to make an important change in the K2 Extensions Directory (KED).We stopped accepting new entries for templates in the KED about 2 weeks ago and this week[…]
Now fully responsive & Joomla 1.5 - 3.x compatible! Frontpage SlideShow is the easiest & most eye-catching way to display your featured articles or products in your Joomla website. It creates an uber cool slideshow with text snippets laying on[…]
K2 v2.10.1 is now available to download for Joomla versions 1.5 to 3.x. This is a maintenance release that addresses a few bugs that were introduced with v2.10.0 released a couple weeks ago and we urge everyone using v2.10.0 to[…]
K2 v2.10.0 is now available to download for Joomla versions 1.5 to 3.x. This release introduces a refreshed backend design as well as feature improvements or additions (like Google Structured Data) and as always, performance improvements everywhere.To install K2 for[…]
K2 v2.9.0 is now available to download for Joomla 1.5 to 3.x. In short, this release improves compatibility with the latest releases of Joomla 3.8.x & improves frontend performance overall.To install K2 for the first time or update your existing[…]
Disqus Comments (for Joomla) integrates the Disqus comments system & service into any Joomla based website. Disqus (pronounced 'discuss') is a service and tool for web comments and discussions - currently the most popular comments-as-a-service provider worldwide. It makes commenting[…]
Rapicode, nultiple extensions, current versions, back doorExtensions affected are:-Rapi Content TickerRapi Content CarouselRapi Cookie ConsentRapi CountdownRapi PreloaderRapi Loading Progress BarRapi Page AnimateAt the moment the back door seems to be loading mining code, it can be used to load arbitrary[…]
Read more...Google Map Landkarten from joomla-24.de, versions 4.2.3 and previous, SQL Injection
Read more...Fastball by Fastball Productions, versions yet to be determined but probably all, SQL Injection
Read more...File Download Tracker by techsolsystem.com, 3.0, SQL Injection
Read more...SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection
Read more...JMS Music by Joomasters, versions 1.1.1 and previous, SQL Injection
Read more...
K2 v2.8.0 is now available to download for Joomla 1.5 to 3.x. This release improves the content management workflow and UI, is fully compatible with PHP 7.x and the latest Joomla 3.7.x, while at the same time addressing various issues from[…]
K2 v2.7.1 is now available to download for Joomla 1.5 to 3.x. This is a minor release addressing various issues from performance to UI, to bug fixes and security.To install K2 for the first time or update your existing K2[…]
Start your update engines! K2 v2.7.0 is now available to download for Joomla 1.5 to 3.x. With a new improved user interface for the component in the Joomla backend, updated and now responsive-friendly default HTML overrides, Joomla 3.5 support, PHP[…]
(originally posted in the JoomlaWorks blog) It's been a while, I know. You see, Joomla is not the only organization undergoing changes. So are we :)We are happy to announce that K2 Next will be officially presented in the upcoming JoomlaDay[…]
njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call. (CVSS:4.3) (Last Update:2019-07-18)
Read more...njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. This issue occurs after the fix for CVE-2019-12207 is in place. (CVSS:7.5) (Last Update:2019-07-05)
Read more...njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in nxt_utf8_encode in nxt_utf8.c. (CVSS:7.5) (Last Update:2019-05-20)
Read more...njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. (CVSS:7.5) (Last Update:2019-05-20)
Read more...njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in njs_function_native_call in njs/njs_function.c. (CVSS:7.5) (Last Update:2019-05-20)
Read more...njs through 0.3.1, used in NGINX, has a segmentation fault in String.prototype.toBytes for negative arguments, related to nxt_utf8_next in nxt/nxt_utf8.h and njs_string_offset in njs/njs_string.c. (CVSS:5.0) (Last Update:2019-05-09)
Read more...njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.splice after a resize, related to njs_array_prototype_splice in njs/njs_array.c, because of njs_array_expand size mishandling. (CVSS:7.5) (Last Update:2019-05-09)
Read more...njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in Array.prototype.push after a resize, related to njs_array_prototype_push in njs/njs_array.c, because of njs_array_expand size mishandling. (CVSS:7.5) (Last Update:2019-05-10)
Read more...nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen'[…]
Read more...nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a[…]
Read more...