Pandora Media, Inc. Security Vulnerabilities

NodeBB XML-RPC Request xmlrpc.php - XML Injection

A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC...

Moderate: gstreamer1-plugins-bad-free security update

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix(es): gstreamer-plugins-bad: Integer overflow leading to heap overwrite in MXF file handling with...

CVE-2017-20183

A vulnerability was found in External Media without Import Plugin up to 1.0.0 on WordPress. It has been declared as problematic. This vulnerability affects the function print_media_new_panel of the file external-media-without-import.php. The manipulation of the argument...

CVE-2022-44667 Windows Media Remote Code Execution Vulnerability

...

CVE-2024-32936

In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: Fix races while restarting DMA After the frame is submitted to DMA, it may happen that the submitted list is not updated soon enough, and the DMA callback is triggered before that. This can lead to kernel.....

CVE-2024-32936

In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: Fix races while restarting DMA After the frame is submitted to DMA, it may happen that the submitted list is not updated soon enough, and the DMA callback is triggered before that. This can lead to...

CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability

...

CVE-2020-1339 Windows Media Remote Code Execution Vulnerability

...

CVE-2022-44668 Windows Media Remote Code Execution Vulnerability

...

CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability

...

TIBCO JasperReports Library - Directory Traversal

The default server implementation of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library Community Edition, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for...

Bare Metal Recovery Fails With "The requested security package does not exist."

This issue is caused by the WinRE.wim packaged in some early distributions of Server 2022. New Recovery Media must be created using Server 2019 or a newer version of Server...

CVE-2024-26875 media: pvrusb2: fix uaf in pvr2_context_set_notify

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix uaf in pvr2_context_set_notify [Syzbot reported] BUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35 Read of size 4 at addr ffff888113aeb0d8 by.....

CVE-2023-23402 Windows Media Remote Code Execution Vulnerability

...

CVE-2023-49279

Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a...

CVE-2023-23401 Windows Media Remote Code Execution Vulnerability

...

CVE-2023-21802 Windows Media Remote Code Execution Vulnerability

...

XWiki < 4.10.15 - Information Disclosure

The Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki (but not some protected...

CVE-2023-21740 Windows Media Remote Code Execution Vulnerability

...

CVE-2024-32656 Ant Media Server vulnerable to local privilege escalation

Ant Media Server is live streaming engine software. A local privilege escalation vulnerability in present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media...

gstreamer1-plugins-good security update

An update is available for gstreamer1-plugins-good. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list GStreamer is a streaming media framework based on graphs of.....

CVE-2023-29370 Windows Media Remote Code Execution Vulnerability

...

CVE-2024-32547 WordPress Code Insert Manager (Q2W3 Inc Manager) plugin <= 2.5.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Max Bond Code Insert Manager (Q2W3 Inc Manager) allows Reflected XSS.This issue affects Code Insert Manager (Q2W3 Inc Manager): from n/a through...

Exploit for Race Condition in Solarwinds Solarwinds Platform

CVE-2024-28999 Exploit for CVE-2024-28999 SolarWinds Platform...

CVE-2023-51443

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service...

CVE-2023-4220

Unrestricted file upload in big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS &lt;= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web...

Magento Mass Importer <0.7.24 - Remote Auth Bypass

Magento Mass Importer (aka MAGMI) versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection...

CVE-2024-32547 WordPress Code Insert Manager (Q2W3 Inc Manager) plugin <= 2.5.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Max Bond Code Insert Manager (Q2W3 Inc Manager) allows Reflected XSS.This issue affects Code Insert Manager (Q2W3 Inc Manager): from n/a through...

Exploit for CVE-2023-4634

CVE-2023-4634 RCE Exploit for Wordpress Plugin Media-Library...

CVE-2023-52847 media: bttv: fix use after free error due to btv->timeout timer

In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv-&gt;timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in...

CVE-2023-52847 media: bttv: fix use after free error due to btv->timeout timer

In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv-&gt;timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in...

CVE-2024-38619

In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba()....

CVE-2024-38619

In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0 if alauda_init_media() fails, potentially causing divide errors in alauda_read_data() and alauda_write_lba(). -....

CVE-2022-23491

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust...

2 Click Socialmedia Buttons < 0.34 - Cross-Site Scripting

A cross-site scripting vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url...

gstreamer1-plugins-bad-free security update

An update is available for gstreamer1-plugins-bad-free. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list GStreamer is a streaming media framework based on graphs....

CVE-2024-25126

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and...

CVE-2023-40672 WordPress Sticky Social Media Icons plugin <= 2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Hardik Chavada Sticky Social Media Icons.This issue affects Sticky Social Media Icons: from n/a through...

CVE-2024-39464

In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix notifier list entry init struct v4l2_async_notifier has several list_head members, but only waiting_list and done_list are initialized. notifier_entry was kept 'zeroed' leading to an uninitialized...

CVE-2024-5851

A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main&inc=feature_schedule&op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It....

CVE-2023-35936

Pandoc is a Haskell library for converting from one markup format to another, and a command-line tool that uses this library. Starting in version 1.13 and prior to version 3.1.4, Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted....

CVE-2023-28439

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed packages. The vulnerability may trigger a JavaScript code after fulfilling special conditions: using one of the affected packages...

CVE-2023-52841 media: vidtv: mux: Add check and kfree for kstrdup

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: mux: Add check and kfree for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Moreover, use kfree() in the later error handling in order....

Weaver E-Office 9.5 - Remote Code Execution

A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit...

CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability

...

CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability

...

CVE-2023-52841 media: vidtv: mux: Add check and kfree for kstrdup

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: mux: Add check and kfree for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. Moreover, use kfree() in the later error handling in order....

CVE-2021-47288 media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()

In the Linux kernel, the following vulnerability has been resolved: media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() Fix an 11-year old bug in ngene_command_config_free_buf() while addressing the following warnings caught with -Warray-bounds:...

NeDi 1.9C - Cross-Site Scripting

NeDi 1.9C is vulnerable to cross-site scripting because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a...

CVE-2021-47043 media: venus: core: Fix some resource leaks in the error path of 'venus_probe()'

In the Linux kernel, the following vulnerability has been resolved: media: venus: core: Fix some resource leaks in the error path of 'venus_probe()' If an error occurs after a successful 'of_icc_get()' call, it must be undone. Use 'devm_of_icc_get()' instead of 'of_icc_get()' to avoid the leak....