A denial of service vulnerability exists in Event Logging Service when an authenticated attacker connects to the target system and sends specially crafted requests.
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
This update contains a minor fix to the exploit timeout.
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
This exploit leverages an information disclosure vulnerability in Microsoft WordPad. By using a malicious file, unauthorized access can be obtained, allowing for the theft of NTLM hashes.
Oracle WebLogic Server is prone to a remote vulnerability due to deserialization of untrusted inputs, allowing attackers to instantiate arbitrary Java objects leading to remote code execution. This update avoids a very long attack sequence when the first try fails.
An OGNL injection vulnerability in Atlassian Confluence allows unauthenticated remote attackers to execute OS system commands.
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
The Ancillary Function Driver (AFD.sys) present in Microsoft Windows is vulnerable to a double-fetch that causes an integer overflow, which can result in an out-of-bounds memory write to non-paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by calling the WSASendMsg function with crafted parameters.
The vulnerability allows an unauthenticated attacker to register as an administrator and take full control of the website. The problem occurs in the plugin registration form, where it is possible to change certain values for the account being registered. This includes the "wp_capabilities" value, which determines the user's role on the website. This update adds a print to the module output window.