Lucene search

1139 matches found

RedhatCVE
added 2022/05/20 11:52 p.m., 26 views

CVE-2020-13882

CISOfy Lynis before 3.0.0 has Incorrect Access Control because of a TOCTOU race condition. The routine to check the log and report file permissions was not working as intended and could be bypassed locally. Because of the race, an unprivileged attacker can set up a log and report file, and contro...

CVSS: 5.3, AI score: 2.5, EPSS: 0.00256
Exploits: 0, References: 1
Github Security Blog
added 2022/05/19 12:00 a.m., 44 views

Cross-site Scripting in moodle

A flaw was found in moodle where ID numbers displayed when bulk allocating markers to assignments required additional sanitizing to prevent a stored XSS risk...

CVSS: 5.4, AI score: 6.8, EPSS: 0.00828
Exploits: 0, References: 9, Affected Software: 1
CNNVD
added 2022/05/19 12:00 a.m., 2 views

Octopus Server Security Vulnerability

Octopus Server is an automated deployment platform. A security vulnerability exists in Octopus Server that stems from the fact that when Octopus Server generates a user invitation code, it can set the validity of that invitation code for a specific number of users. An attacker could use this...

CVSS: 7.5, AI score: 7.5, EPSS: 0.00778
Exploits: 0, References: 2
OSV
added 2022/05/17 3:44 a.m., 37 views

GHSA-PW5C-XQF2-6XC2 Doctrine Security Misconfiguration Vulnerability

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local...

CVSS: 7.8, AI score: 8, EPSS: 0.00384
Exploits: 0, References: 18
Github Security Blog
added 2022/05/17 3:44 a.m., 22 views

Doctrine Security Misconfiguration Vulnerability

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local...

CVSS: 7.8, AI score: 7.6, EPSS: 0.00384
Exploits: 0, References: 19, Affected Software: 11
OSV
added 2022/05/14 2:41 a.m., 18 views

GHSA-CQQH-94R6-WJRG Symfony SSRF Vulnerability via Form Component

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST data and uploaded files data into one array. This big array forms the data that are then bound to...

CVSS: 6.5, AI score: 6.4, EPSS: 0.01553
Exploits: 0, References: 8
vulnersOsv
added 2022/05/14 2:13 a.m., 3 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +698 more potentially affected by CVE-2012-6073 via org.jenkins-ci.main:jenkins-core (>=1.396 <=1.480)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.9, =1.0, =1.0, =1.0-beta-1, =2.1, =1.0, =1.0, =0.1, =0.1, =0.17 and more Source cves: CVE-2012-6073 Source advisory: SNYK:JAVA-ORGJENKINSCIMAIN-9404543...

CVSS: 5.8, AI score: 5.8, EPSS: 0.01816
Exploits: 0
vulnersOsv
added 2022/05/14 2:13 a.m., 2 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +698 more potentially affected by CVE-2012-6072 via org.jenkins-ci.main:jenkins-core (>=1.396 <=1.480)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.9, =1.0, =1.0, =1.0-beta-1, =2.1, =1.0, =1.0, =0.1, =0.1, =0.17 and more Source cves: CVE-2012-6072 Source advisory: SNYK:JAVA-ORGJENKINSCIMAIN-9404603...

CVSS: 4.3, AI score: 5.8, EPSS: 0.01816
Exploits: 0
vulnersOsv
added 2022/05/14 2:13 a.m., 4 views

com.cloudbees.jenkins.plugins:additional-identities-plugin (=1.1), com.sonyericsson.hudson.plugins.rebuild:rebuild (>=1.15 <=1.27) +30 more potentially affected by CVE-2012-6073 via org.jenkins-ci.main:jenkins-core (>=1.481 <=1.490)

org.jenkins-ci.main:jenkins-core MAVEN version =1.481, =1.15, =1.1, =0.2.0, =0.1.0, =1.0.0, =1.481, =1.481, =1.481, =1.481, =1.0, =1.1 - org.jenkins-ci.modules:slave-installer =1.0 - org.jenkins-ci.modules:upstart-slave-installer =1.0 - org.jenkins-ci.modules:windows-slave-installer =1.0 and more...

CVSS: 5.8, AI score: 5.8, EPSS: 0.01816
Exploits: 0
vulnersOsv
added 2022/05/14 1:52 a.m., 5 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +771 more potentially affected by CVE-2013-2033 via org.jenkins-ci.main:jenkins-core (>=1.396 <=1.509)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.9, =1.0, =1.0.0, =1.0, =1.0-beta-1, =2.1, =1.0, =1.0, =1.0, =1.0, =1.2 - com.cloudbees.jenkins.plugins:cloudbees-credentials =3.3 and more Source cves: CVE-2013-2033 Source advisory: OSV:GHSA-826F-32QM-VM3J...

CVSS: 2.1, AI score: 5.8, EPSS: 0.0186
Exploits: 0
OSV
added 2022/05/13 1:12 a.m., 17 views

GHSA-MM9Q-3847-M48X Moodle allows attackers to enter additional answer attempts

The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role...

CVSS: 5.4, AI score: 5.8, EPSS: 0.01403
Exploits: 0, References: 16
Prion
added 2022/05/05 11:15 p.m., 20 views

Design/Logic Flaw

Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML co...

CVSS: 2.6, AI score: 6.3, EPSS: 0.00568
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2022/05/05 10:50 p.m., 6 views

CVE-2022-29172 HTML injection with additional signup fields

Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code...

CVSS: 6.1, AI score: 6.4, EPSS: 0.00568
Exploits: 0, References: 2
CVE
added 2022/05/05 10:50 p.m., 100 views

CVE-2022-29172

Auth0 Lock (auth0-lock) vulnerability CVE-2022-29172 affects versions before 11.33.0 where the “additional signup fields” feature allows HTML injection into the fields, storing invalid HTML in the user metadata payload (name property). This can cause a crafted link to render HTML in the recipient...

CVSS: 6.1, AI score: 6.3, EPSS: 0.00568
Exploits: 0, References: 2, Affected Software: 1
Prion
added 2022/05/05 4:15 p.m., 17 views

Cross site request forgery (csrf)

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. IBM X-Force ID: 224159...

CVSS: 2.1, AI score: 4.4, EPSS: 0.00233
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2022/05/05 4:01 p.m., 19 views

CVE-2022-22434

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with physical access to create an API request modified to create additional objects. IBM X-Force ID: 224159...

CVSS: 4.2, AI score: 4.6, EPSS: 0.00233
Exploits: 0, References: 2
vulnersOsv
added 2022/05/05 2:48 a.m., 2 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +745 more potentially affected by CVE-2013-0328 via org.jenkins-ci.main:jenkins-core (>=1.396 <=1.501)

org.jenkins-ci.main:jenkins-core MAVEN version =1.396, =1.1, =0.9, =1.0, =1.0, =1.0-beta-1, =2.1, =1.0, =1.0, =1.0, =0.1, =0.1, =0.17 and more Source cves: CVE-2013-0328 Source advisory: OSV:GHSA-Q5F8-FXRX-PW6F...

CVSS: 4.3, AI score: 5.8, EPSS: 0.01437
Exploits: 0
vulnersOsv
added 2022/05/05 2:48 a.m., 1 view

com.cloudbees.jenkins.plugins:additional-identities-plugin (=1.1), com.exxeta.jenkins.plugins:sidebar-update-notification (>=1.0.1 <=1.1.0) +60 more potentially affected by CVE-2013-0330 via org.jenkins-ci.main:jenkins-core (>=1.481 <=1.501)

org.jenkins-ci.main:jenkins-core MAVEN version =1.481, =1.0.1, =1.15, =1.1, =1.0, =1.0.3, =0.2.0, =0.1.0, =1.0.0, =1.0.5, =1.481, =1.501 and more Source cves: CVE-2013-0330 Source advisory: OSV:GHSA-25C5-58XW-HW5Q...

CVSS: 4, AI score: 5.8, EPSS: 0.01762
Exploits: 0
IBM Security Bulletins
added 2022/05/04 9:20 p.m., 30 views

Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434)

Summary: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects. Vulnerability Details: CVEID: CVE-2022-22434. DESCRIPTION: IBM Robotic Process Automation could allow a user with physical access to create an API request...

CVSS: 4.6, AI score: 2.6, EPSS: 0.00233
Exploits: 0, Affected Software: 1
OSV
added 2022/04/26 9:21 p.m., 51 views

GHSA-75P6-52G3-RQC8 Keycloak vulnerable to privilege escalation on Token Exchange feature

A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the clientid of the target. This could allow a client to gain unauthorized access to...

CVSS: 9.8, AI score: 9.5, EPSS: 0.01012
Exploits: 0, References: 4