11 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via host resolution in the CLI authentication layer. An attacker can obtain authentication tokens intended for GitHub or GitHub Enterprise by causing authenticated requests to be sent to external hosts, as the ho...
Authorization Bypass Through User-Controlled Key
Overview spreeapi is a Spree Api module. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the checkout endpoint. An attacker can access and retrieve address information belonging to other users by modifying the address identifier in the order...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization during the SSH certificate revocation when the SSHPOP provisioner is configured. An attacker can revoke SSH certificates without proper authorization by exploiting insufficient checks during the revocation proces...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the /api/v4/teams/teamid/channels/ids endpoint. An attacker can access sensitive channel metadata by sending requests as a guest user. Remediation Upgrade...
EUVD-2022-52758
Malicious code in bioql PyPI...
CVE-2020-13925
Similar to CVE-2020-1956, Kylin has one more RESTful API that concatenates the API inputs into OS commands and then executes them on the server; the reported API lacks the necessary input validation, which makes it possible for attackers to execute OS commands remotely. Users of all...
Possible DoS by memory exhaustion in net-imap
Summary There is a possibility for denial of service by memory exhaustion in net-imap's response parser. At any time while the client is connected, a malicious server can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser...
PT-2024-39072 · Wavelog · Wavelog
Name of the Vulnerable Software and Affected Versions: Wavelog versions 1.8.0 and earlier. Description: A problem was found in the function index of the file /qso of the component Live QSO. The manipulation of the manual argument leads to cross site scripting. It is possible to launch the attack...
CVE-2023-41899 Partial Server-Side Request Forgery in Home Assistant Core
Home Assistant is an open source home automation platform. In affected versions the hassio.addonstdin is vulnerable to a partial Server-Side Request Forgery where an attacker capable of calling this service (e.g. through GHSA-h2jp-7grc-9xpp) may be able to invoke any Supervisor REST API endpoints with a PO...
CVE-2022-41917 Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a...
CVE-2022-39230 Security issue in fhir-works-on-aws-authz-smart
fhir-works-on-aws-authz-smart is an implementation of the authorization interface from the FHIR Works interface. Versions 3.1.1 and 3.1.2 are subject to Exposure of Sensitive Information to an Unauthorized Actor. This issue allows a client of the API to retrieve more information than the client’s...