Incorrect Authorization
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can...
PYSEC-2024-152 aiocpa 0.1.13 contains credential harvesting code
aiocpa is a user-facing library for generating color gradients of text. Version 0.1.13 introduced obfuscated, malicious code targeting Crypto Pay users, forwarding client credentials to a remote Telegram bot. All versions have been removed from PyPI...
CVE-2024-3501 Exposure of Sensitive Information in lunary-ai/lunary
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or...
GO-2022-0490 Uses of deprecated API can be used to cause DoS in user-facing endpoints in github.com/argoproj/argo-events
Impact Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll. ioutil.ReadAll reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. Eventsources susceptible to an out-of-memor...
NFTXStakingZap and NFTXMarketplaceZap's transferFromERC721 transfer Cryptokitties to the wrong address
Handle: hyh. Vulnerability details, Impact: `transferFromERC721(address assetAddr, uint256 tokenId, address to)` should transfer from `msg.sender` to `to`. It transfers to `address(this)` instead when the ERC721 is Cryptokitties. As there is no additional logic for this case, it seems to be a mistake that leads to...
AddLiquidity allows sandwich attacks on direct use within hard coded 5% slippage tolerance
Handle: hyh. Vulnerability details, Impact: Liquidity provision can happen at a manipulated price, which leads to an immediate loss for the liquidity provider, i.e. IL happens right after liquidity provision in this case. This yields a direct loss for an account owner, for example schematically: 0. Suppose...
Nextcloud: SQL injection via vulnerable doctrine/dbal version
Summary: SQL injection via limit parameter on user-facing APIs. Steps To Reproduce: Run security scanner: 1. `REPORT /remote.php/dav/comments/files/1985` 2. XML input `oc:filter-comments` / `oc:limit` text was set to `1'"` 3. You have an error in your SQL syntax. Supporting Material/References: For more detai...
[SECURITY] Fedora 33 Update: yubihsm-shell-2.0.3-1.fc33
This package contains most of the components used to interact with the YubiHSM 2 at both a user-facing and programmatic level...
CVE-2019-16925
Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change th...
PT-2019-14872 · Celery · Flower
Name of the Vulnerable Software and Affected Versions: Flower version 0.9.3 Description: The issue concerns a potential XSS via the name parameter in an @app.task call. However, the project author disputes the validity of this issue, stating that worker and task names are internal backend...