CVE-2024-12718
CVE-2024-12718: The tarfile extraction filter bypass allows modification of metadata or arbitrary file writes outside the extraction directory when using TarFile.extractall()/extract() with filter="data" or "tar" in Python 3.12+ (the default filter may be "data" in 3.14+). Affected components are P...
CVE-2024-12718
Allows modifying some file metadata (e.g. the last-modified time with filter="data", or file permissions via chmod with filter="tar") of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or...
PT-2025-23607
Name of the Vulnerable Software and Affected Versions Python versions 3.12 and later Description This vulnerability allows modification of file metadata e.g., last modified or file permissions of files outside the intended extraction directory when using the tarfile module to extract untrusted ta...
PT-2025-23608
Name of the Vulnerable Software and Affected Versions Python versions 3.12 and later Description The issue allows the extraction filter to be ignored, enabling symlink targets to point outside the destination directory and the modification of some file metadata. This affects users who extract...
CVE-2024-0790
The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8.1. This is due to missing or incorrect nonce validation on the wpbecreatenewterm, wpbeupdatetaxterm, and wpbedeletetaxterm...
CVE-2023-2030
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...
CVE-2017-15694
When an Apache Geode server versions 1.0.0 to 1.8.0 is operating in secure mode, a user with write permissions for specific data regions can modify internal cluster metadata. A malicious user could modify this data in a way that affects the operation of the cluster...
CVE-2025-27893
In Archer Platform 6 through 6.14.00202.10024, an authenticated user with record creation privileges can manipulate immutable fields, such as the creation date, by intercepting and modifying a Copy request via a GenericContent/Record.aspx?id= URI. NOTE: the Supplier analyzed the reported...
CVE-2025-26623
CVE-2025-26623 affects Exiv2 (C++ library/CLI) and is caused by a heap buffer overflow in the encoding/writing path. Affected versions are v0.28.0 through v0.28.4; v0.27.7 and earlier are not affected. The overflow occurs when Exiv2 is used to write metadata into a crafted image file, potentially...
Digital Guardian Agent security vulnerability
Digital Guardian Agent is a widely used data protection platform for cloud environments from US-based Digital Guardian, Inc. It can discover, categorize and control the movement of data across endpoints, networks and clouds. A security vulnerability exists in Digital Guardian Agent versions prior...
Hyperledger Indy's update process of a DID does not check who signs the request
Name: Updating a DID with a nym transaction will be written to the ledger if neither ROLE nor VERKEY is being changed, regardless of sender. Description: A malicious DID with no particular role can request an update for another DID but cannot modify its verkey or role. This is bad because: 1. Any DID c...
CVE-2024-1747
The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack o...
Apache Superset Security Bypass Vulnerability (CNVD-2024-26536)
Apache Superset is a data visualization and data exploration platform from the Apache Software Foundation (USA). Apache Superset suffers from an information disclosure vulnerability that is caused by incorrect authorization validation on dashboard and chart imports. An attacker could use this vulnerability ...
PT-2024-21277 · Apache · Apache Superset
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 3.0.4 Apache Superset versions 3.1.0 through 3.1.0 Description: A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata,...
PYSEC-2024-107
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function,...
Design/Logic Flaw
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...
CVE-2023-2030 Improper Verification of Cryptographic Signature in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...
CVE-2023-2030
Removed by vendor...
CVE-2023-2030
An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...
CVE-2023-6158
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evoeventpostupdatemeta function in all versions up to, and including, 4.5.4 for Pro and 2.2.7 for free. This make...