CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. None the less an advisory has been made out of an abundance of caution. There are no actions for users to take.

Hyperledger Fabric through 2.5.9 does not verify that a request has a timestamp within the expected time window.

An unauthenticated remote attacker may use a reflected XSS vulnerability to obtain information from a user or reboot the affected device once.

An unauthenticated remote attacker may use stored XSS vulnerability to obtain information from a user or reboot the affected device once.

An unauthenticated remote attacker may use a HTML injection vulnerability with limited length to inject malicious HTML code and gain low-privileged access on the affected device.

An unauthenticated remote attacker can manipulate the device via Telnet, stop processes, read, delete and change data.

An unauthenticated remote attacker can read out sensitive device information through a incorrectly configured FTP service.

Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue.