Request logging bypass in Jenkins Audit Trail Plugin
Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlie...
PT-2022-6524 · Icinga · Icinga Web 2
Name of the Vulnerable Software and Affected Versions: Icinga Web 2 versions prior to 2.9.6 and 2.10 Description: The issue allows unauthenticated users to leak the contents of files on the local system accessible to the web-server user, including icingaweb2 configuration files with database...
Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
A code execution vulnerability exists in the Stapler web framework used by Jenkins...
CVE-2022-21659
CVE-2022-21659 refers to a timing-based user enumeration vulnerability in Flask-AppBuilder (pre-3.4.4). The issue allows an unauthenticated user to infer account existence by measuring login response timing, indicating a partial confidentiality impact. Affected software is Flask-AppBuilder built ...
CVE-2022-21659 Observable Response Discrepancy in Flask-AppBuilder
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows an unauthenticated user to enumerate existing accounts by timing the response time from the server...
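Both CVE-2022-21659 entries above describe the same mechanism: the login handler skips the expensive password hash when the username is unknown, so a "no such user" reply comes back measurably faster than a "wrong password" reply. The following is an added example written for this page, not Flask-AppBuilder's own code; the user table, the `login_vulnerable`/`login_hardened` functions and the instrumentation helpers are hypothetical. It places the early-return pattern beside a constant-work variant that hashes against a fixed dummy record for unknown users, and counts hash computations so the difference can be checked without relying on noisy wall-clock timing.

```python
"""Timing-based user enumeration: early-return login vs constant-work login.

Added example for this page, not Flask-AppBuilder code. USERS,
login_vulnerable, login_hardened, count_hash_calls and median_login_time
are hypothetical names.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000   # PBKDF2 work factor; high enough that a skipped hash is measurable
_hash_calls = 0        # instrumentation: number of password hashes computed so far


def _hash(password: str, salt: bytes) -> bytes:
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed in-memory user table (hypothetical account).
USERS = {"alice": _make_record("correct horse battery staple")}

# Fixed dummy credential so an unknown user costs exactly one hash as well.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no PBKDF2 work, so the reply is faster."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Performs the same hashing work whether or not the user exists."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    # Even if someone guesses the dummy password, an unknown user never logs in.
    return matches and rec is not None


def count_hash_calls(login, username: str, password: str) -> int:
    """How many password hashes a single login attempt performs."""
    before = _hash_calls
    login(username, password)
    return _hash_calls - before


def median_login_time(login, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock seconds per attempt: the attacker's side of the measurement."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = median_login_time(fn, "alice", "wrong")
        unknown = median_login_time(fn, "nobody", "wrong")
        print(f"{name}: known user {known * 1000:.1f} ms, unknown user {unknown * 1000:.1f} ms")
```

Running the block prints the per-attempt medians; with the vulnerable function the unknown-user case is close to zero while the known-user case pays the full PBKDF2 cost, and with the hardened function both cases cost one hash. The remaining, much smaller, differences (dictionary lookup, a branch) are what a fixed delay or rate limiting on the login endpoint is meant to hide.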
CVE-2022-21715 Cross-site Scripting Vulnerability in CodeIgniter4
CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in API\ResponseTrait in CodeIgniter4 prior to version 4.1.8. Attackers can perform XSS attacks if a potential victim is using API\ResponseTrait. Version 4.1.8 contains a...
CVE-2022-21715
CodeIgniter4 4.x contains an XSS vulnerability in API\ResponseTrait present before 4.1.8. The issue allows cross-site scripting if a victim uses API\ResponseTrait; a patch is available in 4.1.8. Mitigations/workarounds in the sources include upgrading to 4.1.8 or later, not using API\ResponseTrai...
Crow Cross-Site Scripting Vulnerability
Crow is a C++ micro-framework for running web services. A security vulnerability exists in Crow that could be exploited to allow an attacker to manipulate input to introduce additional properties and potentially execute arbitrary code...
CVE-2021-23772
A flaw was found in the Iris Web Framework, where the UploadFormFiles method unsafely handles file names during upload. This flaw allows an attacker to write in arbitrary locations outside the designated target folder...
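The CVE-2021-23772 entry above is a file-upload path traversal: the handler joins the client-supplied file name onto the target folder, so a name containing `../` segments or an absolute path lands outside that folder. The following is an added example for this page, not Iris code; the function names and the `/srv/uploads` directory are hypothetical. It shows the naive join beside a contained version that keeps only the last path segment, restricts its characters, and then verifies the resolved path is still under the target directory.

```python
"""Upload filename handling: traversal-prone join vs contained path.

Added example for this page, not Iris code. upload_path_vulnerable,
upload_path_hardened and the /srv/uploads directory are hypothetical.
"""
import os
import posixpath
import re

# Conservative allow-list: leading alphanumeric, then alphanumerics, dot, underscore, dash.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def upload_path_vulnerable(dest_dir: str, client_filename: str) -> str:
    """Trusts the client-supplied name: '../' segments or an absolute path
    walk out of dest_dir (normpath only makes the escape visible)."""
    return os.path.normpath(os.path.join(dest_dir, client_filename))


def upload_path_hardened(dest_dir: str, client_filename: str) -> str:
    """Keeps only the last path segment, allow-lists its characters, and
    proves the resolved path is still inside dest_dir."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Treat both separator styles as separators before taking the basename,
    # so 'a\\..\\b' from a Windows client cannot smuggle a directory component.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("rejected filename: %r" % client_filename)
    root = os.path.realpath(dest_dir)
    full = os.path.realpath(os.path.join(root, name))
    # Defence in depth: even after sanitising, assert containment.
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes upload directory")
    return full


if __name__ == "__main__":
    # Constructed attacker-style names; constructed for this example.
    for candidate in ("report.pdf", "../../etc/passwd", "/etc/passwd", "..\\..\\win.ini", ".."):
        print("vulnerable:", candidate, "->", upload_path_vulnerable("/srv/uploads", candidate))
        try:
            print("hardened:  ", candidate, "->", upload_path_hardened("/srv/uploads", candidate))
        except ValueError as exc:
            print("hardened:  ", candidate, "->", exc)
```

Taking the basename rather than rejecting names with separators is a design choice: it keeps uploads working for clients that send full paths, but it also means a malicious name silently becomes a benign one, so the containment check after `realpath` is what actually guarantees nothing is written outside the directory (and catches symlinked subdirectories that a pure string check would miss).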
Mozilla Rust actix-web crate memory corruption vulnerability
The Rust actix-web crate is a Rust web framework. The Mozilla Rust actix-web crate memory corruption vulnerability can be exploited by attackers to cause memory corruption...
CVE-2021-41267
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trustedheaders" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2,...
JFinal CMS cross-site scripting vulnerability
JFinal CMS is a powerful information consulting website developed in Java that uses JFinal as the web framework, Beetl as the template engine, MySQL as the database, and the Bootstrap framework for the front end. A cross-site scripting vulnerability exists in JFinal CMS 4.7.1 and earlier versions. An...
Ulfius Web Framework Remote Memory Corruption Exploit
Ulfius Web Framework suffers from a remote memory corruption vulnerability. When parsing malformed HTTP requests, a heap-related initialization bug is triggered, resulting in a crash of the server or potentially remote code execution with the privileges of the running process. #!/usr/bin/python3 guul.p...
Ulfius Web Framework Remote Memory Corruption
#!/usr/bin/python3 guul.py Ulfius Web Framework Remote Memory Corruption Vulnerability Jeremy Brown Sept 2021 Intro Ulfius Web Framework is used by a number of different projects to build web services. Some of the projects tested and confirmed vulnerable are Glewlwyd SSO Server, Taliesin Audio...
Beego Cross-Site Scripting Vulnerability
Beego is an open source web framework based on the Go language. Beego 2.0.1 suffers from a cross-site scripting vulnerability that stems from the lack of proper validation of client-side data by the web application. An attacker can exploit this vulnerability to execute client-side code...
[SECURITY] Fedora 34 Update: python-django-3.1.13-1.fc34
Django is a high-level Python web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle...
CVE-2021-32742
Vapor is a web framework for Swift. In versions 4.47.1 and prior, a bug in the Data.init(base32Encoded:) function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently...