
OSV · added 2020/06/05 4:24 p.m.

GHSA-2M34-JCJV-45XF XSS in Django

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack...

CVSS 6.1 · AI score 6.8 · EPSS 0.00571 · Exploits 0 · References 15
Tenable Nessus · added 2020/06/04 12:00 a.m.

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Django vulnerabilities (USN-4381-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4381-1 advisory. Dan Palmer discovered that Django incorrectly validated memcached cache keys. A remote attacker could possibly use this issue to...

CVSS 6.1 · AI score 6.9 · EPSS 0.04713 · Exploits 0 · References 3
OSV · added 2020/06/03 2:15 p.m.

DEBIAN-CVE-2020-13596

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack...

CVSS 6.1 · AI score 6.2 · EPSS 0.00571 · Exploits 0 · References 1
Prion · added 2020/06/03 2:15 p.m.

Design/Logic Flaw

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack...

CVSS 4.3 · AI score 5.9 · EPSS 0.00571 · Exploits 0 · References 9 · Affected software 5
PyPA · added 2020/06/03 2:15 p.m.

PYSEC-2020-32

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack...

CVSS 6.1 · AI score 6.4 · EPSS 0.00571 · Exploits 0 · References 10 · Affected software 1
OSV · added 2020/06/03 11:32 a.m.

USN-4381-1 python-django vulnerabilities

Dan Palmer discovered that Django incorrectly validated memcached cache keys. A remote attacker could possibly use this issue to cause a denial of service and obtain sensitive information (CVE-2020-13254). Jon Dufresne discovered that Django incorrectly encoded query parameters for the admin...

CVSS 6.1 · AI score 6.7 · EPSS 0.04713 · Exploits 0 · References 3
Positive Technologies · added 2020/06/03 12:00 a.m.

PT-2020-5464 · Django +3

Name of the vulnerable software and affected versions: Django versions 2.2 before 2.2.13; Django versions 3.0 before 3.0.7. Description: An issue in the Django admin ForeignKeyRawIdWidget allows for a possibility of an XSS attack due to query parameters not being properly URL encoded. This could...

CVSS 9.8 · AI score 6.3 · EPSS 0.93094 · Exploits 43 · References 223
OSV · added 2020/04/20 12:15 a.m.

CVE-2020-11928

In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the taxquery, metaquery, or datequery parameter in mlagallery via an admin...

CVSS 9.8 · AI score 5.9 · Exploits 0 · References 1
RedhatCVE · added 2020/04/07 7:05 a.m.

CVE-2020-1760

A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. Mitigation: Mitigation provided by DigitalOcean: Mitigation relies on the HAProx...

CVSS 6.1 · AI score 0.7 · EPSS 0.00353 · Exploits 0 · References 4
NVD · added 2020/01/09 12:15 a.m.

CVE-2019-11292

Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...

CVSS 8.8 · AI score 7 · EPSS 0.00448 · Exploits 0 · References 1
Prion · added 2020/01/09 12:15 a.m.

Authentication flaw

Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...

CVSS 4 · AI score 8.5 · EPSS 0.00448 · Exploits 0 · References 1 · Affected software 1
Cvelist · added 2020/01/08 11:55 p.m.

CVE-2019-11292 Pivotal Ops Manager logs query parameters in tomcat access file

Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...

CVSS 8.8 · AI score 6.4 · EPSS 0.00448 · Exploits 0 · References 1
CVE · added 2020/01/08 11:55 p.m.

CVE-2019-11292

CVE-2019-11292 affects Pivotal Ops Manager: versions 2.4.x before 2.4.27, 2.5.x before 2.5.24, 2.6.x before 2.6.16, and 2.7.x before 2.7.5 log all query parameters to Tomcat's access log; if parameters serve authentication, credentials may be logged. Root cause: parameter logging leaking credentials into logs. I...

CVSS 8.8 · AI score 6.8 · EPSS 0.00448 · Exploits 0 · References 1 · Affected software 1
NVD · added 2019/12/06 8:15 p.m.

CVE-2019-11293

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 8.8 · AI score 7 · EPSS 0.00539 · Exploits 0 · References 1
OSV · added 2019/12/06 8:15 p.m.

CVE-2019-11293

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 6.5 · AI score 6.9 · EPSS 0.00539 · Exploits 0 · References 1
Prion · added 2019/12/06 8:15 p.m.

Authentication flaw

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 3.5 · AI score 6.5 · EPSS 0.00539 · Exploits 0 · References 1 · Affected software 2
Cvelist · added 2019/12/06 8:00 p.m.

CVE-2019-11293 UAA logs all query parameters with debug logging level

Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...

CVSS 8.8 · AI score 6.5 · EPSS 0.00539 · Exploits 0 · References 1
Cvelist · added 2019/11/25 11:56 p.m.

CVE-2019-11290 Cloud Foundry UAA logs query parameters in tomcat access file

Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...

CVSS 8.8 · AI score 7.5 · EPSS 0.00441 · Exploits 0 · References 1
Cloud Foundry · added 2019/11/21 12:00 a.m.

CVE-2019-11290: UAA logs query parameters in tomcat access file | Cloud Foundry

Severity: High. Vendor: Cloud Foundry Foundation. Description: Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, they will be logged as well. Affected Cloud Foundry...

CVSS 8.8 · AI score 7.7 · EPSS 0.00441 · Exploits 0
RubySec · added 2019/07/01 12:00 a.m.

Arbitrary Variants Via Query Parameters

Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters. If an application treats variants as trusted, this can lead to vulnerabilities such as SQL injection or cross-site scripting (XSS). For instance: landingpage = fieldtest:landingpage Page.where"key =...

CVSS 5.3 · AI score 4.9 · EPSS 0.00252 · Exploits 1 · References 1 · Affected software 1