117 matches found
CVE-2024-34698 Prototype Pollution in getQueryParam Function (URL Query Parser)
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the /public/js/main.js source file. The Prototype Pollution arises because the getQueryParam Function recursively merges an object containing...
CVE-2024-34698 Prototype Pollution in getQueryParam Function (URL Query Parser)
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the /public/js/main.js source file. The Prototype Pollution arises because the getQueryParam Function recursively merges an object containing...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview OpenTelemetry.Instrumentation.Http is a Http instrumentation for OpenTelemetry .NET Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to the logging of sensitive query parameters by default. This behavior occurs...
Rapid7 InsightVM 安全漏洞
Rapid7 InsightVM is a vulnerability scanning and management application from Rapid7 USA. A security vulnerability exists in Rapid7 InsightVM versions prior to 6.6.244. The vulnerability stems from a sensitive information exposure vulnerability on the login page in maintenance mode, whereby when...
IBM PowerSC Information Disclosure Vulnerability (CNVD-2024-09949)
IBM PowerSC is an International Business Machines IBM security and compliance solution for IBM Power Systems servers. An information disclosure vulnerability exists in IBM PowerSC, which can be exploited by an attacker to view session identifiers passed via URL query strings...
Code injection
IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110...
CVE-2023-50328 IBM PowerSC information disclosure
IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings. IBM X-Force ID: 275110...
GHSA-92R3-M2MG-PJ97 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...
Improper access control
Improper access control in Report log filters feature in Devolutions Server 2023.2.10.0 and earlier allows attackers to retrieve logs from vaults or entries they are not allowed to access via the report request url query parameters...
Denial Of Service
faktory package is vulnerable to Denial of Service. The vulnerability is related to how the backend reads the days URL query parameter in the Faktory web dashboard which is used without any validation. If a huge value is provided, the backend service could consume significant amount of memory and...
GHSA-X4HH-VJM7-G2JV Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input
Summary Faktory web dashboard can suffer from denial of service by a crafted malicious url query param days. Details The vulnerability is related to how the backend reads the days URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string...
Sql injection
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param days. The vulnerability is related to how the backend reads the days URL query parameter in the Faktory web...
CVE-2023-37279 Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input
Faktory is a language-agnostic persistent background job server. Prior to version 1.8.0, the Faktory web dashboard can suffer from denial of service by a crafted malicious url query param days. The vulnerability is related to how the backend reads the days URL query parameter in the Faktory web...
CVE-2023-1387
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter authtoken and use it as the authentication token. By enabling the "urllogin" configuration option disabled by default, a...
CVE-2023-1387
Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter authtoken and use it as the authentication token. By enabling the "urllogin" configuration option disabled by default, a...
Prototype Pollution
firefox is vulnerable to Prototype Pollution. The vulnerability exists due to the URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code...
K82679059: BIG-IP APM SSO vulnerability CVE-2016-3686
Security Advisory Description Cleartext SessionID is visible in URL query parameters under some conditions. CVE-2016-3686 Impact There is a theoretical risk that a user could obtain unauthorized access to the system, causing a security breach. Security Advisory Status F5 Product Development has...
SUSE CVE-2022-29810
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter...
Denial Of Service (DoS)
qs is vulnerable to denial of service. The vulnerability exists in the parseObject function of parse.js due to lack of checks for attributes like proto in the query string of the URL, which allows an attacker to cause an application crash by providing malicious payload...
GHSA-5JP2-VWRJ-99RF Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution
Impact For some Post/Put Concourse endpoint containing :teamname in the URL, a Concourse user can send a request with body including :teamname=team2 to bypass team scope check to gain access to certain resources belong to any other team. The user only needs a valid user session and belongs to...