Cybozu Dezie vulnerable to directory traversal
Overview Cybozu Dezie provided by Cybozu, Inc. contains a directory traversal vulnerability (CWE-22) due to a flaw in processing a parameter of the HTTP request. Yuji Tounai reported this vulnerability to Cybozu, Inc., and Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its...
Code Injection
Overview Versions of morgan before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack. Recommendation Update to version 1.9.1 or later. References - HackerOne Report - Node.js security-wg - GitHub Advisory...
Cross-Site Scripting in sanitize-html
Affected versions of sanitize-html are vulnerable to cross-site scripting when allowedTags includes at least one nonTextTag. Proof of Concept (js): var sanitizeHtml = require('sanitize-html'); var dirty = '!</textarea>!'; var clean = sanitizeHtml(dirty, { allowedTags: ['textarea'] }); console.log(clean); // !!...
Remote Memory Exposure in request
Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body. Proof of Concept js var request =...
Insecure randomness in socket.io
Affected versions of socket.io depend on Math.random to create socket IDs, and therefore the IDs are predictable. With enough information on prior IDs, an attacker may be able to guess the socket ID and gain access to socket.io servers without authorization. Recommendation Update to v0.9.7 or lat...
DLA-1569-2 libdatetime-timezone-perl - regression update
Bulletin has no description...
DLA-1567-1 gthumb - security update
Bulletin has no description...
DSA-4334-1 mupdf - security update
Bulletin has no description...
DLA-1561-1 phpldapadmin - security update
Bulletin has no description...
GHSA-37Q6-576Q-VGR7 Missing Origin Validation in parcel-bundler
Versions of parcel-bundler before 1.10.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated...
DSA-4328-1 xorg-server - security update
Bulletin has no description...
DSA-4326-1 openjdk-8 - security update
Bulletin has no description...
DLA-1541-1 jekyll - security update
Bulletin has no description...
GHSA-F9CM-P3W6-XVR3 Denial-of-Service Extended Event Loop Blocking in qs
Versions prior to 1.0.0 of qs are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string. Recommendation Update to version 1.0.0 or later...
DLA-1539-1 samba - security update
Bulletin has no description...
DLA-1534-1 adplug - security update
Bulletin has no description...
DLA-1533-1 git - security update
Bulletin has no description...
DLA-1532-1 dnsmasq - update
Bulletin has no description...
DLA-1507-1 libapache2-mod-perl2 - security update
Bulletin has no description...
DSA-4282-1 trafficserver - security update
Bulletin has no description...