Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore

Impact OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans Activity when tracing is enabled for outgoing http requests and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans Activity when tracing is enabled for incoming http requests...

SAP Business Connector Cross-Site Scripting Vulnerability (CNVD-2024-20439)

SAP Business Connector is a middleware from SAP, Germany. A cross-site scripting vulnerability exists in SAP Business Connector version 4.8, which can be exploited by an attacker to add malicious GET query parameters to a service call to conduct a reflective cross-site scripting attack...

Prometheus 安全漏洞

Prometheus is open source software written in the Go language for recording real-time metrics from time series databases built using the HTTP pull model. A security vulnerability exists in versions prior to Swift Prometheus 2.0.0-alpha.2 that stems from applying uncleaned string values to the cod...

GoCD: XSS in new.loading.page.html

A cross-site scripting vulnerability was found in new.loading.page.html due to inadequate handling of query parameters. This allowed attackers to insert javascript URIs as redirectors, leading to unauthorized script execution...

BIT-MEDIAWIKI-2021-31551

An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages...

BIT-JENKINS-2021-21607

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors...

BIT-GOLANG-2022-2880 Incorrect sanitization of forwarded query parameters in net/http/httputil

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...

BIT-DJANGO-2020-13596

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack...

Improper Authorization

github.com/stacklok/minder is vulnerable to Improper Authorization. The vulnerability due to improper input validation and insufficient access controls in handlersrepositories.go file by using GetRepository function, allowing users to manipulate the query parameters to access or delete repositori...

Zyxel NAS326 Operating System Command Injection Vulnerability

Zyxel NAS326 is a cloud storage NAS from China Hopkins Zyxel. An operating system command injection vulnerability exists in Zyxel NAS326 firmware version V5.21AAZF.15C0 and earlier versions, and NAS542 firmware version V5.21ABAG.12C0 and earlier versions. An attacker could exploit this...

golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters

A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...

ALSA-2024:0121 Moderate: container-tools:4.0 security update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputil: ReverseProxy should not forward unparseable query...

Porch-Pirate - The Most Comprehensive Postman Recon / OSINT Client And Framework That Facilitates The Automated Discovery And Exploitation Of API Endpoints And Secrets Committed To Workspaces, Collections, Requests, Users And Teams

Porch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconaissance / OSINT framework for Postman. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very...

CVE-2023-48655

An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters...

CVE-2023-48655

An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters...

Design/Logic Flaw

An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters...

MISP Security Vulnerabilities

MISP is an open source software solution. The product is used to collect, store, distribute, and share cybersecurity metrics and has features such as threat cybersecurity event analysis and malware analysis. A security vulnerability exists in MISP versions prior to 2.4.176, which stems from the...

CVE-2023-48655

An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters...

Rocky Linux 9 : go-toolset and golang (RLSA-2023:0328)

The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:0328 advisory. - Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of...

Improper access control

Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request url query parameters...