1605 matches found
Nextcloud Temporary files lock 授权问题漏洞
NextCloud Temporary Files Lock is an open-source tool developed by NextCloud for locking temporary files, preventing others from editing them. In versions 32.0.0 to 32.0.2 and 33.0.0 to 33.0.1 of NextCloud Temporary Files Lock, there were authorization-related vulnerabilities. These vulnerabiliti...
CVE-2026-45058
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured...
CVE-2026-8360 Gladinet Triofox Unchecked Return Value to NULL Pointer Dereference DOS
Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface in various DLLs i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll can return a NULL pointer i.e., when no user is logged into the Triofox Server Agent Management Console. The returned NULL pointer is not checked before being...
GHSA-WC7J-G8WX-M2QX Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...
CLSA-2026-1779893247 Fix of 5 CVEs
SECURITY UPDATE: add case sensitive attribute to LockOutRealm - debian/patches/CVE-2026-43513.patch: add case sensitive attribute to LockOutRealm - CVE-2026-43513 SECURITY UPDATE: fix the handling of invalid users with DIGEST authentication - debian/patches/CVE-2026-43512.patch: fix the handling ...
PT-2026-44148
Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...
tomcat6: Fix of CVE-2026-41284
CVE-2026-41284: tomcat6: WebDAV LOCK/PROPFIND unbounded request body DoS...
CLSA-2026-1779374454 Fix of 7 CVEs
SECURITY UPDATE: multiple security fixes - debian/patches/CVE-2026-41284.patch: add a configurable maxRequestBodySize init-param to the WebDAV servlet to bound LOCK/PROPFIND XML request bodies; reject oversized bodies with 413 Request Entity Too Long. Includes the upstream...
zrok copy writes attacker-controlled WebDAV paths outside the destination root
Summary Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root...
GHSA-C656-JCX2-7PQJ zrok copy writes attacker-controlled WebDAV paths outside the destination root
Summary Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root...
PT-2026-41960
Name of the Vulnerable Software and Affected Versions zrok affected versions not specified Description A path traversal issue exists when using the zrok2 copy command to move files from a WebDAV or zrok drive to a local filesystem. An attacker can provide a malicious DAV href containing directory...
Path Traversal
zrok is vulnerable to Path Traversal. The vulnerability is due to failure to prevent symlink traversal in the WebDAV drive backend, which allows a remote attacker to access symbolic links pointing outside the shared root and read or, where permitted, modify arbitrary files on the host filesystem...
Updated tomcat packages fix security vulnerability
Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...
MGASA-2026-0139 Updated tomcat packages fix security vulnerability
Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...
BIT-TOMCAT-2026-41284 Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0 through 11.0.21, from 10.1.0 through 10.1.54, from 9.0.0 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to versio...
Bypass of second factor authentication on DAV endpoints by reusing a pre-2FA session ID
None...
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: No limit was enforced on the request body for WebDAV LOCK or PROPFIND requests which were available to...
GHSA-GX5V-XP9W-J4CG Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: No limit was enforced on the request body for WebDAV LOCK or PROPFIND requests which were available to...
Allocation of Resources Without Limits or Throttling
Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause...