139 matches found
CVE-2024-28255 Authentication Bypass in OpenMetadata
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...
CVE-2024-28255
OpenMetadata contains a flaw in the JwtFilter authentication check: the code may treat certain requests as excluded endpoints due to path parameters, allowing requests to bypass JWT validation and reach protected endpoints. The issue enables authentication bypass and, in combination with SpEL inj...
Grafana Security Vulnerabilities
Grafana is an open source set of monitoring tools that provide a visual monitoring interface. The tool is mainly used to monitor and analyze Graphite, InfluxDB and Prometheus. Grafana has a security vulnerability that stems from inadequate cleanup of path parameters provided by...
Named path parameters can be overridden in TrieRouter
Impact: The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matche...
CVE-2023-50710 Hono's named path parameters can be overridden in TrieRouter
Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources...
Code injection
In Tipask 3.5.9, path parameters entered by the user are not validated when downloading attachments, so a registered user can download arbitrary files on the Tipask server such as .env, /etc/passwd, laravel.log, causing information leakage...
Directory Traversal
Overview: Affected versions of this package are vulnerable to Directory Traversal via the cssgen contrib module. An attacker can read arbitrary files by manipulating the geshi-path or geshi-lang-path parameters. Details: A Directory Traversal attack, also known as path traversal, aims to access files...
Hubzilla Cross-Site Scripting Vulnerability
Hubzilla is a powerful open source platform for creating interconnected websites with a decentralized identity, communication, and permissions framework built using common web server technologies. A cross-site scripting vulnerability exists in Hubzilla 7.0.3 and earlier versions, which can be...
Cross site scripting
A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the (1) domain and (2) path parameters...
Rumble Mail Server Cross-Site Scripting Vulnerability
Rumble Mail Server is a mail server suite for SMTP (ESMTPSA), HTTP, POP3, and IMAP4v1 by the individual developer Daniel Gruno. Rumble Mail Server version 0.51.3135 is vulnerable to a cross-site scripting vulnerability that stems from the domain and path parameters missing a data validation filter...
CVE-2021-46230
D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a command injection vulnerability in the function upgradefilter. This vulnerability allows attackers to execute arbitrary commands via the path and time parameters...
Taocms path traversal vulnerability
Taocms is a micro CMS content management system from China. taocms v3.0.2 contains an arbitrary file reading vulnerability that stems from a lack of filtering and restrictions on the software's path parameters; an attacker can use the vulnerability to read arbitrary files...
http-server-node Path Traversal Vulnerability
Http-Server-Node is an HTTP server by the individual developer Guro Beridze in Georgia. A security vulnerability exists in http-server-node due to a lack of effective restriction and filtering of directory permissions and path parameters. An attacker can exploit this vulnerability to obtain...
Cloudera Manager Cross-Site Scripting Vulnerability (CNVD-2021-103108)
Cloudera Manager is an end-to-end application for managing CDH clusters. Cloudera Manager versions 5., 6., 7.1., 7.2., and 7.3. are vulnerable to a cross-site scripting vulnerability. An attacker can exploit this vulnerability to conduct cross-site scripting attacks via path parameters...
GHSA-6G47-63MV-QPGH Prototype Pollution in dotty
This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of CVE-2021-25912 when the user-provided keys used in the path parameter are arrays...
Cloudera Manager Cross-Site Scripting Vulnerability
Cloudera Manager is an end-to-end application for managing CDH clusters. Cloudera Manager versions 5., 6., 7.1., 7.2., and 7.3. are vulnerable to a cross-site scripting vulnerability. An attacker can exploit this vulnerability to conduct cross-site scripting attacks via path parameters...
Code injection
An issue was discovered in the remove function in shenzhim aaptjs 1.3.1, which allows attackers to execute arbitrary code via the filePath parameters...
Security Constraint Bypass in Spring Security
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path...
GHSA-V35C-49J6-Q8HQ Security Constraint Bypass in Spring Security
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path...