Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion

Impact PROXY protocol support for Puma was added in version 5.5.0. When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes...

Tornado is vulnerable to DoS due to too many multipart parts

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart...

Use of Externally-Controlled Format String

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

Use of Externally-Controlled Format String

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

Use of Externally-Controlled Format String

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

Use of Externally-Controlled Format String

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Use of Externally-Controlled Format String

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Use of Externally-Controlled Format String

Overview Affected versions of this package are vulnerable to Use of Externally-Controlled Format String via the InterpretImageFilename function, where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can execute arbitrary code or cause a heap-based buff...

PT-2025-2743 · Elspec Engineering · Elspec Engineering G5 Digital Fault Recorder Firmware

Name of the Vulnerable Software and Affected Versions: Elspec Engineering G5 Digital Fault Recorder Firmware version 1.2.1.12 Description: The issue is related to an XML External Entity XXE vulnerability, which allows attackers to cause a Denial of Service DoS via a crafted XML payload. This...

PT-2024-36709 · Unknown +1 · Markdown-To-Jsx +1

Name of the Vulnerable Software and Affected Versions: Lumos versions prior to 1.0.17 Description: The issue arises from the ChatBar.tsx component in Lumos, which parses raw HTML in Markdown. This occurs because the markdown-to-jsx package is used without setting disableParsingRawHTML to true...

PT-2024-8060 · Foxit · Foxit Pdf Editor +1

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader affected versions not specified Foxit PDF Editor affected versions not specified Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the...

PT-2024-19062 · Biosig +1 · Libbiosig +1

Name of the Vulnerable Software and Affected Versions: The Biosig Project libbiosig versions 2.5.0 through Master Branch ab0ee111 Description: A heap-based buffer overflow vulnerability exists in the .egi parsing functionality. A specially crafted .egi file can lead to arbitrary code execution. A...

PT-2023-7288 · Unknown · Weston Embedded Uc-Http

Name of the Vulnerable Software and Affected Versions: Weston Embedded uC-HTTP version 3.01.01 Description: A memory corruption issue exists in the HTTP Server header parsing functionality. This can be exploited by sending specially crafted network packets, potentially leading to code execution. ...

PT-2023-6724 · Unknown +1 · Open Babel +1

Name of the Vulnerable Software and Affected Versions: Open Babel versions 3.1.1 and master commit 530dbfa3 Description: The issue is related to out-of-bounds write vulnerabilities in the translationVectors parsing functionality. This can be triggered by a specially-crafted malformed file,...

CakePHP vulnerable to Denial of Service attack through XML payloads

RequestHandlerComponent had a vulnerability that would allow well crafted requests to create a denial of service attack. RequestHandlerComponent leverages Xml::build which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML...

GHSA-Q79M-C546-2G63 CakePHP vulnerable to Denial of Service attack through XML payloads

RequestHandlerComponent had a vulnerability that would allow well crafted requests to create a denial of service attack. RequestHandlerComponent leverages Xml::build which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML...

PT-2022-18940 · Bentley · Microstation Connect

Name of the Vulnerable Software and Affected Versions: Bentley MicroStation CONNECT version 10.16.02.34 Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a malicio...

PT-2022-18942 · Bentley · Bentley Microstation Connect

Name of the Vulnerable Software and Affected Versions: Bentley MicroStation CONNECT version 10.16.02.034 Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a...

PT-2022-18955 · Bentley · Microstation Connect

Name of the Vulnerable Software and Affected Versions: Bentley MicroStation CONNECT version 10.16.02.34 Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a malicio...

PT-2022-17522 · Autodesk · Autodesk Fbx Review

Name of the Vulnerable Software and Affected Versions: Autodesk FBX Review versions 1.5.2 and prior Description: An Out-Of-Bounds Read issue may lead to code execution or information disclosure through maliciously crafted ActionScript Byte Code ABC files. These ABC files, created by the Flash...