For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". A malicious environment variable value can exploit this behavior to set a value for a different environment variable. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. As of this release, the inputted strings are properly escaped when rendered.ĭue to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In particular, the end-user could enter javascript or similar and this would be executed. Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. Go-admin (aka GO Admin) 2.0.12 uses the string go-admin as a production JWT key.Īn exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the om_string method The affected version of d8s-htm is 0.1.0. A potential code execution backdoor inserted by third parties is the democritus-uuids package. The d8s-strings for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
IP-COM EW9 V15.11.0.14(9732) was discovered to contain a buffer overflow in the formSetDebugCfg function.
0 kommentar(er)
