CVE-2022-23554 Authentication bypass in Alpine
Alpine is a scaffolding library in Java. Alpine prior to version 1.10.4 allows Authentication Filter bypass. The AuthenticationFilter relies on the request URI to evaluate if the user is accessing the swagger endpoint. By accessing a URL with a path such as /api/foo;%2fapi%2fswagger the contains...
Authentication Bypass
Alpine is vulnerable to authentication bypass. The vulnerability exists in the filter function of AuthenticationFilter.java because a request for a URL with a crafted path is not aborted, which allows an attacker to bypass administrative restrictions via the swagger endpoint...
Security Bulletin: A vulnerability in Python affects IBM Elastic Storage System (CVE-2022-0391)
Summary: A security vulnerability has been discovered in Python, which is used by Elastic Storage System. Vulnerability Details: CVEID: CVE-2022-0391 DESCRIPTION: Python could provide weaker than expected security, caused by improper input validation in the urllib.parse module. By sending a specially-crafted...
Information Disclosure
concrete5/concrete5 is vulnerable to information disclosure. The vulnerability allows an attacker to inject a crafted payload into the URL path folder and access sensitive XML data...
GHSA-7VX2-5349-QJ99 Withdrawn: ConcreteCMS vulnerable to Xpath injection attacks
Withdrawn This advisory has been withdrawn because it has been found not to be a security issue and withdrawn by its CNA. Please see the message from NVD here for more information. This link is maintained to preserve external references. Original Description ConcreteCMS v9.1.3 was discovered to b...
Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2022-2586)
The remote host is missing an update for the Huawei EulerOS...
CVE-2022-26121
An exposure of resource to wrong sphere vulnerability CWE-668 in FortiAnalyzer and FortiManager GUI 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11, 5.6.0 through 5.6.11 may allow an unauthenticated and remote attacker to access report template images via...
PT-2022-5022 · Fortinet · Fortimanager +1
Name of the Vulnerable Software and Affected Versions: FortiAnalyzer and FortiManager GUI versions 5.6.0 through 5.6.11 FortiAnalyzer and FortiManager GUI versions 6.0.0 through 6.0.11 FortiAnalyzer and FortiManager GUI versions 6.2.0 through 6.2.9 FortiAnalyzer and FortiManager GUI versions 6.4....
FortiAnalyzer & FortiManager - improper authorization to template image
An exposure of resource to wrong sphere vulnerability CWE-668 in FortiAnalyzer and FortiManager GUI may allow an unauthenticated and remote attacker to access report template images via referencing the name in the URL path...
Amazon Linux 2022 : golang, golang-bin, golang-misc (ALAS2022-2022-144)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-144 advisory. In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal erro...
SUSE-SU-2022:3326-1 Security update for go1.19
This update for go1.19 fixes the following issues: Update to go version 1.19.1 bsc1200441: - CVE-2022-27664: Fixed DoS in net/http caused by mishandled server errors after sending GOAWAY bsc1203185. - CVE-2022-32190: Fixed missing stripping of relative path components in net/url JoinPath bsc12031...
Information Disclosure
mangadex-downloader is vulnerable to information disclosure. The vulnerability exists due to the improper url path validation in the validateurl function of validator.py, allowing an attacker to open and read files from the local disk through the commands such as file: and...
Cross-site Scripting (XSS)
gollum is vulnerable to cross-site scripting. The vulnerability exists because the breadcrumb function of overview.rb and page.rb does not properly escape the element.tos and title.tos parameters before being rendered on the page, allowing an attacker to inject and execute malicious javascript...
GHSA-GM5X-HPMW-XPXG Silverstripe CMS information disclosure
In SilverStripe through 4.5.0, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to...
GHSA-C735-G9F2-2MVP Cross-Site Request Forgery in Jenkins
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlie...