SAP Commerce Cloud Information Disclosure Vulnerability
SAP Commerce Cloud is a cloud-based e-commerce platform from Germany's SAP. It supports sales management, marketing management, order management, and operations management. An information disclosure vulnerability exists in SAP Commerce Cloud that stems from certain OCC API endpoints that allow...
Command Injection in sequenceserver gem
Impact: Several HTTP endpoints did not properly sanitize user input and/or query parameters. This could be exploited to inject and run unwanted shell commands. Patches: Fixed in 3.1.2. Workarounds: No known workarounds...
The vulnerability of the Git-based software platform for collaborative code development on GitLab, related to insufficient protection of sensitive data, allows attackers to disclose confidential information.
The vulnerability of the Git-based software platform for collaborative code development on GitLab is related to insufficient protection of operational data when processing query parameters. Exploiting this vulnerability allows a malicious actor to disclose sensitive information by sending special...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an...
Exploit for CVE-2024-29895
PoC exploit for CVE-2024-29895 is not present in the provided co...
CVE-2023-24203
Cross-Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows an attacker to execute arbitrary code via the company or query parameters...
CVE-2024-34698
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the /public/js/main.js source file. The Prototype Pollution arises because the getQueryParam Function recursively merges an object containing...
Deserialization Of Untrusted Data
org.apache.inlong: manager-pojo is vulnerable to Deserialization of Untrusted Data. The vulnerability is caused by improper query parameter sanitization within the filterSensitive method, which allows attackers to bypass JDBC security checks...
Reflected Cross-Site Scripting (Reflected XSS)
nautobot is vulnerable to Reflected Cross-Site Scripting (Reflected XSS). The vulnerability is due to improper handling and escaping of user-provided query parameters, allowing a maliciously crafted Nautobot URL to potentially execute malicious scripts against users...
GHSA-JXGR-GCJ5-CQQG nautobot has reflected Cross-site Scripting potential in all object list views
Impact: It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting (Reflected XSS) attack against users. All filterable object-list views in Nautobot are...
CVE-2024-32028 Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of OpenTelemetry.Instrumentation.Http and OpenTelemetry.Instrumentation.AspNetCore, the url.full attribute/tag is written on spans (Activity) when tracing is enabled for outgoing http requests and...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview: OpenTelemetry.Instrumentation.Http is an HTTP instrumentation for OpenTelemetry .NET. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the logging of sensitive query parameters by default. This behavior occurs...
Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
Impact: OpenTelemetry.Instrumentation.Http writes the url.full attribute/tag on spans (Activity) when tracing is enabled for outgoing http requests, and OpenTelemetry.Instrumentation.AspNetCore writes the url.query attribute/tag on spans (Activity) when tracing is enabled for incoming http requests...
SAP Business Connector Cross-Site Scripting Vulnerability (CNVD-2024-20439)
SAP Business Connector is a middleware from SAP, Germany. A cross-site scripting vulnerability exists in SAP Business Connector version 4.8, which can be exploited by an attacker to add malicious GET query parameters to a service call to conduct a reflective cross-site scripting attack...
Prometheus Security Vulnerability
Prometheus is open source software written in the Go language for recording real-time metrics from time series databases built using the HTTP pull model. A security vulnerability exists in versions prior to Swift Prometheus 2.0.0-alpha.2 that stems from applying uncleaned string values to the cod...
GoCD: XSS in new.loading.page.html
A cross-site scripting vulnerability was found in new.loading.page.html due to inadequate handling of query parameters. This allowed attackers to insert javascript URIs as redirectors, leading to unauthorized script execution...
BIT-MEDIAWIKI-2021-31551
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages...
BIT-JENKINS-2021-21607
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors...
BIT-GOLANG-2022-2880 Incorrect sanitization of forwarded query parameters in net/http/httputil
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the quer...