3969 matches found
CVE-2022-24858 Default redirect callback vulnerable to open redirects
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already...
CVE-2022-24858
The CVE-2022-24858 entry involves NextAuth.js open redirect vulnerability in the default redirect callback. Affected: next-auth before 3.29.2 and before 4.3.2. Root cause: lack of proper URL validation in the redirect callback, enabling malicious redirects. Impact: open redirects as described in ...
CVE-2022-24858 Default redirect callback vulnerable to open redirects
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already...
CVE-2022-1020
The Product Table for WooCommerce wooproducttable WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, as well as does not validate the callback parameter, allowing...
Duplicate NFTs Can Be Minted if payableToken Has a Callback Attached to it
Lines of code Vulnerability details Impact The mintToken function is called to mint unique tokens from an ERC721 collection. This function will either require users to provide a merkle proof to claim an airdropped token or pay a fee in the form of a payableToken. However, because the payableToken...
No reentrancy guard on mint() function that has a callback
Lines of code Vulnerability details Impact the mint function calls mint which has a callback to the "to" address argument. Functions with callbacks should have reentrancy guards in place for protection against possible malicious actors both from inside and outside the protocol. Proof of Concept...
CVE-2022-28133
Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to create BitBucket Server consumers...
Jenkins Bitbucket Server Integration Plugin č·Øē«čę¬ę¼ę“
Jenkins and Jenkins Plugin are both Jenkins open source products. jenkins is an application. Jenkins Plugin is an application that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier versions are...
PT-2022-18831 Ā· Jenkins Ā· Jenkins Bitbucket Server Integration PluginĀ +1
Name of the Vulnerable Software and Affected Versions: Jenkins Bitbucket Server Integration Plugin versions 3.1.0 and earlier Description: The issue results from the plugin not limiting URL schemes for callback URLs on OAuth consumers, leading to a stored cross-site scripting XSS vulnerability...
SUSE-SU-2022:0857-1 Security update for openssl-1_0_0
This update for openssl-100 fixes the following issues: - CVE-2022-0778: Infinite loop in BNmodsqrt reachable when parsing certificates bsc1196877. - Allow CRYPTOTHREADIDsetcallback to be called with NULL parameter bsc1196249...
Users Can Frontrun Token Distributions Using Flashloans
Lines of code Vulnerability details Impact The collector suite of contracts will actively send ANC token distributions to staked ANC token holders. However, because it is known beforehand that a distribution will be made to the governance contract, users can abuse this to frontrun distributions b...
GSD-2022-1000556 net/smc: Avoid overwriting the copies of clcsock callback functions
net/smc: Avoid overwriting the copies of clcsock callback functions This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.16.11 by commit...
Reentrancy allows commenter to overwrite own comments
Lines of code Vulnerability details Since the Lens platform is a blockchain-based social media platform, it's important that information relevant to users be emitted so that light clients need not continually refer to the blockchain, which can be expensive. From the docs: Events are emitted at...
CVE-2022-0212
The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...
CVE-2022-0212
The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...
CVE-2022-21724 Unchecked Class Instantiation when providing Plugin Classes
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based o...
Mageia: Security Advisory (MGASA-2014-0291)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Possible Re-entrancy in _sendSherRewardsToOwner
Handle static Vulnerability details Vulnerability details Impact If the SHER token performs a callback, such as in ERC-777 tokens, when performing transfers, the sendSherRewardsToOwner function can be run multiple times to extract more rewards than should be available for a single NFT. Proof of...
memory contents disclosure in cli_feat_read_cb
...
SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. Note: Vendor decided to close the plugin and it won't be...