CVE-2023-25659 TensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter indices for DynamicStitch does not match the shape of the parameter data, it can trigger an stack OOB read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1...

Design/Logic Flaw

Discourse is an open-source discussion platform. Prior to version 3.1.0.beta3 of the beta and tests-passed branches, some user provided URLs were being passed to FastImage without SSRF protection. Insufficient protections could enable attackers to trigger outbound network connections from the...

Design/Logic Flaw

Discourse is an open-source discussion platform. Prior to version 3.0.2 of the stable branch and version 3.1.0.beta3 of the beta and tests-passed branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a...

Design/Logic Flaw

Discourse is an open-source discussion platform. Prior to version 3.0.1 of the stable branch and version 3.1.0.beta2 of the beta and tests-passed branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or...

CVE-2023-26040 Discourse chat messages susceptible to Cross-site Scripting through chat excerpts

Discourse is an open-source discussion platform. Between versions 3.1.0.beta2 and 3.1.0.beta3 of the tests-passed branch, editing or responding to a chat message containing malicious content could lead to a cross-site scripting attack. This issue is patched in version 3.1.0.beta3 of the...

CVE-2023-23622 Discourse: Presence of read restricted topics may be leaked if tagged with a tag that is visible to all users

Discourse is an open-source discussion platform. Prior to version 3.0.1 of the stable branch and version 3.1.0.beta2 of the beta and tests-passed branches, the count of topics displayed for a tag is a count of all regular topics regardless of whether the topic is in a read restricted category or...

CVE-2023-25819 Discourse tags with no visibility are leaking into og:article:tag

Discourse is an open source platform for community discussion. Tags that are normally private are showing in metadata. This affects any site running the tests-passed or beta branches = 3.1.0.beta2. The issue is patched in the latest beta and tests-passed version of Discourse...

Apache Airflow Sqoop Provider Input Validation Error Vulnerability

Apache Airflow is the United States Apache Apache Foundation's set of open source platform for creating, managing and monitoring workflow. The platform is scalable and dynamic monitoring and other characteristics. An input validation error vulnerability exists in Apache Airflow Sqoop Provider...

Cerebrate 安全漏洞

Cerebrate is an open source platform. Designed to act as an interconnection coordinator between trusted contact information providers and other security tools. A security vulnerability exists in Cerebrate version 1.12 that stems from not properly considering the organizationid when creating API...

Session fixation

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafanasession. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the...

Discourse 访问控制错误漏洞

Discourse is an open source community discussion platform. The platform includes community, email, and chat room features. Discourse suffers from an access control error vulnerability, which can be exploited by an attacker to create new threads as any user with embeddable comments...

CVE-2023-23621

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0....

CVE-2023-23621 Discourse vulnerable to ReDoS in user agent parsing

Discourse is an open-source discussion platform. Prior to version 3.0.1 on the stable branch and version 3.1.0.beta2 on the beta and tests-passed branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0....

Discourse 安全漏洞

Discourse is an open source community discussion platform. The platform includes features such as communities, email and chat rooms. A security vulnerability exists in versions prior to Discourse 3.1.0.beta1, which stems from improper resource allocation restrictions...

The Era of Cyber Threat Intelligence Sharing

We spent forty years defending ourselves as individuals. Trying to outsmart cybercriminals, outpower them, and when all our efforts failed, only then we considered banding together with our peers to outnumber them. Cybercriminals don't reinvent themselves each time. Their resources are limited, a...

CVE-2022-23512 Metersphere is vulnerable to Path Injection.

MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value testId in new...

Design/Logic Flaw

Discourse is an open-source discussion platform. Prior to version 2.9.0.beta13, users can post chat messages of an unlimited length, which can cause a denial of service for other users when posting huge amounts of text. Users should upgrade to version 2.9.0.beta13, where a limit has been...

Design/Logic Flaw

TensorFlow is an open source platform for machine learning. When printing a tensor, we get it's data as a const char array since that's the underlying storage and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so...

Apache Airflow code injection vulnerability

Apache Airflow is an open source platform for creating, managing, and monitoring workflows from the Apache Foundation. The platform is scalable and dynamic monitoring features. Apache Airflow has a code injection vulnerability, the vulnerability stems from the user input structure during the...

GitLab 安全漏洞

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD continuous integration and continuous delivery, and other features. A security vulnerability exists in GitLab CE/EE that stems from its incorrect...