Xurshidbek Sobirjonov

**Name of the Vulnerable Software and Affected Versions** Linux-PAM versions prior to 1.7.3 **Description** A timing discrepancy exists in the `pam userdb` module's plaintext-password comparison path within `modules/pam userdb/pam userdb.c`. A local or network-adjacent attacker can recover the plaintext password of a target account by measuring response-timing differences when repeatedly driving authentication through a calling service. The issue occurs because the comparison uses `strncmp()` (or `strncasecmp()` when `PAM ICASE ARG` is set) after a length-equality check, causing the rejection time to depend on the password length and the index of the first differing byte. This path is triggered when the administrator configures `pam userdb` with `crypt=none`, an unrecognized crypt method, or without a `crypt=` argument, leading the module to store and compare credentials in plaintext. **Recommendations** Update to a version later than 1.7.2. Avoid configuring `pam userdb` with `crypt=none`, an unrecognized crypt method, or without a `crypt=` argument to prevent the use of plaintext password comparisons.

**Name of the Vulnerable Software and Affected Versions** Spatie Laravel Media Library versions prior to 11.23.0 **Description** An issue exists that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests. This occurs when user-controlled URLs are passed to the `addMediaFromUrl()` function within the InteractsWithMedia.php file. This is a server-side request forgery, which is a flaw where an attacker can force a server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. **Recommendations** Update to version 11.23.0 or later. As a temporary workaround, restrict or validate user-controlled URLs passed to the `addMediaFromUrl()` function.

**Name of the Vulnerable Software and Affected Versions** Spatie Laravel Media Library versions prior to 11.23.0 **Description** A file upload restriction bypass exists in the `defaultSanitizer()` function of the `FileAdder` class. The sanitizer only validates the final filename suffix, which allows files with double extensions, such as shell.php.jpg, to bypass the blocklist because `pathinfo()` preserves inner stems in the saved filenames. Additionally, the blocklist fails to include several executable extensions, such as `.php6`, `.shtml`, and `.htaccess`. While the double-extension bypass requires a legacy Apache AddHandler configuration to execute PHP, the bypass involving the incomplete blocklist does not. **Recommendations** Update to version 11.23.0 or later.