EUVD-2022-33583

Malicious code in bioql PyPI...

Cache Deception

better-call is vulnerable to cache deception. The vulnerability is due to insufficient path sanitization during request processing, which allows an attacker to craft deceptive URLs that mimic static assets and bypass CDN cache exclusion rules...

CVE-2025-27415

Nuxt is an open-source web development framework for Vue.js. Prior to 3.16.0, by sending a crafted HTTP request to a server behind an CDN, it is possible in some circumstances to poison the CDN cache and highly impacts the availability of a site. It is possible to craft a request, such as...

Acceptance of Extraneous Untrusted Data With Trusted Data

Overview org.webjars.npm:nuxt is a Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data. An attacker can disrupt the availability of a site by sending a crafted HTTP request such as https://mysite.com/?/payload.json that results in a poison...

Nuxt 安全漏洞

Nuxt is a free open source framework from Nuxt Open Source. A security vulnerability exists in Nuxt versions prior to 3.16.0 that originates from a specially crafted HTTP request sent to a server behind a CDN, which may poison the CDN cache in some cases, severely impacting site availability...

CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network CDN cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor...

Suspected CoralRaider continues to expand victimology using three information stealers

By Joey Chen, Chetan Raghuprasad and Alex Karkins. Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. Talos also discovered a new PowerShell command-lin...

CVE-2022-29218

RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems with platforms ending in numbers, like arm64-darwin-21 to be temporarily replaced in the CDN cache by a malicious package. The bug has...

Design/Logic Flaw

RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems with platforms ending in numbers, like arm64-darwin-21 to be temporarily replaced in the CDN cache by a malicious package. The bug has...

RubyGems 安全漏洞

RubyGems is a Ruby package manager from the Rubygems organization. The product is primarily used to distribute and manage Ruby packages. RubyGems suffers from a security vulnerability that stems from a sorting error in gem upload code, where certain gems are temporarily replaced by malicious...

CVE-2022-29218 Unauthorized takeover for new versions of some platform-specific gems

RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems with platforms ending in numbers, like arm64-darwin-21 to be temporarily replaced in the CDN cache by a malicious package. The bug has...

CVE-2022-29218

CVE-2022-29218 affects RubyGems, the Ruby package registry. An ordering mistake in the gem-upload code allowed some gems (platforms ending with numbers, e.g., arm64-darwin-21) to be temporarily replaced in the CDN cache by a malicious package. The issue has been patched, and a broad review of log...

Incorrect Permission Assignment for Critical Resource

When ORT now via atstccfg generates ipallow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are...

CVE-2020-17522

When ORT now via atstccfg generates ipallow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are...

CVE-2020-17522

When ORT now via atstccfg generates ipallow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are...

Code injection

When ORT now via atstccfg generates ipallow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are...

CVE-2020-17522

When ORT now via atstccfg generates ipallow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are...

Incorrect Permission Assignment for Critical Resource

When ORT now via atstccfg generates ipallow.config files in Apache Traffic Control to to, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP...