Allocation of Resources Without Limits or Throttling
Overview: std/net/http is a Go standard library package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of...
PYSEC-2022-248
Streamlit is a data-oriented application development framework for Python. Users hosting Streamlit apps that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file system such as: server logs, world-readable files, and potentially othe...
CVE-2022-31192 Cross Site Scripting possible in DSpace JSPUI "Request a Copy" feature
DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item...
CVE-2022-31178 Improper Authorization in eLabFTW
eLabFTW is an electronic lab notebook manager for research teams. A vulnerability was discovered which allows a logged in user to read a template without being authorized to do so. This vulnerability has been patched in 4.3.4. Users are advised to upgrade. There are no known workarounds for this...
CVE-2022-35919 Authenticated requests for server update admin API allows path traversal in minio
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. In affected versions all 'admin' users authorized for admin:ServerUpdate can selectively trigger an error that in response, returns the content of the path requested. Any normal OS system would allow...
OpenZeppelin Resource Management Error Vulnerability
OpenZeppelin is a software application. A standard for secure blockchain applications. A resource management error vulnerability exists in versions prior to OpenZeppelin Contracts v4.7.2, which stems from the fact that this is a library for secure smart contract development, and the target contra...
OpenZeppelin Security Vulnerability
OpenZeppelin is a software application. A standard for secure blockchain applications. A security vulnerability exists in OpenZeppelin Contracts prior to version v4.7.2, which stems from the fact that this is a library for secure smart contract development, and that contracts using Arbitrum L2's...
Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings
An authenticated Admin user could craft HTTP requests to filter users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and...
Malicious code in ablofmyskjtnzdxk (npm)
Source: ghsa-malware 78d108caf6f4289818d0fbca94e791fc5d1f14c0f5855f88c30338866d276895. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2022-31029 Authenticated XSS in Pi-hole AdminLTE
AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like alert"XSS" in the field marked with "Domain to look for" and hitting enter or clicking on any of the buttons will execute the script. The user must be logged in to use this vulnerability. Usually...
CVE-2022-31136 Cross-site Scripting in BookWyrm
Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize html being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as...
CVE-2022-31135 Maliciously crafted evidence packet may cause denial of service
Akashi is an open source server implementation of the Attorney Online video game based on the Ace Attorney universe. Affected versions of Akashi are subject to a denial of service attack. An attacker can use a specially crafted evidence packet to make an illegal modification, causing a server...
jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based o...
CVE-2022-31126 Unauthenticated Remote Code Execution in Roxy-wi
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to execute code by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before...
EUVD-2022-52756
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This affects Roxywi version...
Malicious Package
Overview dropbox-internal-sdk is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
CVE-2022-31068 Sensitive Data Exposure on Refused Inventory Files in GLPI
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated...
CVE-2022-31057 Authenticated Stored XSS in Shopware Administration
Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an authenticated Stored XSS in Administration. Users are advised to upgrade. There are no known workarounds for this issue...
Malicious Package
Overview en-conduit-plugin-in-app-purchasing is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerab...
Malicious code in lwc-modules-foo (npm)
Source: ghsa-malware 46d862b5923de09847e190714fa9981eb4f6d65f46e1c7cddbf6f840663d8534. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...