33 matches found
PT-2024-10237 · Ibm · Ibm Devops Velocity +1
The affected software is IBM DevOps Velocity and IBM UrbanCode Velocity. The versions of IBM DevOps Velocity that are affected are 5.0.0, and the versions of IBM UrbanCode Velocity that are affected are 4.0.0 through 4.0.25. These versions allow web pages to be stored locally, which can then be...
PT-2024-10238 · Ibm · Ibm Devops Velocity +1
Name of the Vulnerable Software and Affected Versions: IBM DevOps Velocity version 5.0.0 IBM UrbanCode Velocity versions 4.0.0 through 4.0.25 Description: The issue is related to the use of weaker than expected cryptographic algorithms, which could allow an attacker to decrypt highly sensitive...
PT-2024-10239 · Ibm · Ibm Devops Velocity +1
Name of the Vulnerable Software and Affected Versions: IBM DevOps Velocity version 5.0.0 IBM UrbanCode Velocity versions 4.0.0 through 4.0.25 Description: The issue is related to the use of an untrusted cross-domain policy file, which could allow a remote attacker to gain unauthorized access to...
Security Bulletin: Vulnerability in d3-color affects IBM UrbanCode Velocity . WS-2022-0322
Summary WS-2022-0322 The d3-color module prior to 3.1.0 which Velocity was using is susceptible to a regular expression denial of service attack. Vulnerability Details IBM X-Force ID: 212233 DESCRIPTION: d3-color is vulnerable to a denial of service, caused by improper input validation. By sendin...
Security Bulletin: CVE-2022-24434 An issue was discovered in the npm package dicer
Summary This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. An attacker could sent the payload again and again so that the service continuously crashes. Vulnerability Details CVEID:CVE-2022-24434 DESCRIPTION: Node.js...
Security Bulletin: CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0
Summary CVE-2022-41713 deep-object-diff version 1.1.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the 'proto' property to be edited. Vulnerability Details...
Security Bulletin: CVE-2020-7774
Summary This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require'y18n'; y18n.setLocale'proto'; y18n.updateLocalepolluted: true; console.logpolluted; // true Vulnerability Details CVEID: CVE-2020-7774 DESCRIPTION: Node.js y18n module could allow a remote...
Security Bulletin: CVE-2021-23369
Summary The package handlebars before 4.7.7 are vulnerable to Remote Code Execution RCE when selecting certain compiling options to compile templates coming from an untrusted source. Vulnerability Details CVEID: CVE-2021-23369 DESCRIPTION: Node.js handlebars module could allow a remote attacker t...
Security Bulletin: CVE-2020-28500
Summary Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service ReDoS via the toNumber, trim and trimEnd functions. Vulnerability Details CVEID: CVE-2020-28500 DESCRIPTION: Node.js lodash module is vulnerable to a denial of service, caused by a regular expression...
Security Bulletin: CVE-2021-23337
Summary Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Vulnerability Details CVEID: CVE-2021-23337 DESCRIPTION: Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command...
Security Bulletin: CVE-2020-8203
Summary Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution attack. A remote attacker could exploit this vulnerability using the merge, mergeWith, and defaultsDeep functions to inject properties onto Object.prototype to crash the server and possibly execute...
Security Bulletin: IBM UrbanCode Velocity CVE-2021-44228, Apache Log4j
Summary IBM UrbanCode Velocity is vulnerable to CVE-2021-44228, Apache Log4j in the web client. The other IBM UrbanCode Velocity services are built upon JavaScript which use Log4js and based on current knowledge and analysis, we believe are not affected. Vulnerability Details CVEID: CVE-2021-4422...
Security Bulletin: CVE-2020-15366 An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2.
Summary CVE-2020-15366 An issue was discovered in ajv.validate in Ajv aka Another JSON Schema Validator 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an...