ATTACKERKB
added 2023/09/20 6:15 a.m.

CVE-2023-43617

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name...

CVSS 5.3 · AI score 5.8 · EPSS 0.00128
Exploits 1 · References 4
Positive Technologies
added 2023/09/20 12:00 a.m.

PT-2023-28486 · Ipswitch · MOVEit Transfer

Name of the Vulnerable Software and Affected Versions: MOVEit Transfer versions prior to 2021.1.8 (13.1.8), prior to 2022.0.8 (14.0.8), prior to 2022.1.9 (14.1.9), and prior to 2023.0.6 (15.0.6). Description: A reflected cross-site...

CVSS 6.1 · AI score 5.9 · EPSS 0.00019
Exploits 0 · References 7
Qualys Blog
added 2023/09/18 3:17 p.m.

Qualys Is the Outperformer in the New GigaOm Radar Report for Continuous Vulnerability Management

GigaOm has unveiled its third annual Radar for Continuous Vulnerability Management, featuring Qualys. In this report, GigaOm provides a detailed analysis of the value and progression of vulnerability management (VM) capabilities to help organizations build the best security and vulnerability...

AI score 7
Exploits 0
NVD
added 2023/08/14 8:15 p.m.

CVE-2023-40024

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view `key` is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license vie...

CVSS 6.1 · AI score 5.6 · EPSS 0.00597
Exploits 1 · References 2
Prion
added 2023/08/14 8:15 p.m.

Cross site scripting

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view `key` is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license vie...

CVSS 5.8 · AI score 6 · EPSS 0.00597
Exploits 1 · References 2 · Affected Software 1
Vulnrichment
added 2023/08/14 7:53 p.m.

CVE-2023-40024 Reflected Cross-Site Scripting (XSS) in scancode.io license endpoint

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view `key` is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license vie...

CVSS 5.4 · AI score 6.1 · EPSS 0.00597
Exploits 1 · References 2
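The three CVE-2023-40024 entries above describe the same bug: a URL path component (`key`) that reaches the page unvalidated. The following is an added example, not ScanCode.io's own code, that shows the reflected pattern beside a renderer that validates `key` against a strict grammar first and HTML-escapes whatever it echoes. The license table, the key grammar, the error strings and the probe payload are constructed for this illustration.

```python
import html
import re

# Constructed license table standing in for a real license index (assumption).
LICENSES = {
    "mit": "MIT License",
    "apache-2.0": "Apache License 2.0",
    "gpl-2.0-only": "GNU General Public License v2.0 only",
}


def license_detail_vulnerable(key: str) -> str:
    """Reflected XSS pattern: an unknown key is echoed into HTML untouched."""
    name = LICENSES.get(key)
    if name is None:
        return f"<h1>License {key} not found</h1>"
    return f"<h1>{name}</h1>"


# Strict grammar for a license key (assumption modelled on SPDX-style ids):
# lowercase alphanumerics with '.', '+', '-' separators, bounded length,
# never starting or ending with a separator.
KEY_RE = re.compile(r"[a-z0-9](?:[a-z0-9.+-]{0,78}[a-z0-9+])?")


def is_valid_license_key(key: str) -> bool:
    return KEY_RE.fullmatch(key) is not None


def license_detail_hardened(key: str) -> str:
    """Validate before use, then escape on output as defence in depth."""
    if not is_valid_license_key(key):
        # Reject without echoing the rejected value at all.
        return "<h1>Invalid license key</h1>"
    name = LICENSES.get(key)
    if name is None:
        # Still escape: the allow-list above is the primary control, the
        # escape is what saves you when the grammar is loosened later.
        return f"<h1>License {html.escape(key)} not found</h1>"
    return f"<h1>{html.escape(name)}</h1>"


PAYLOAD = '"><script>alert(document.domain)</script>'  # constructed probe

if __name__ == "__main__":
    print(license_detail_vulnerable(PAYLOAD))   # script tag lands in the page
    print(license_detail_hardened(PAYLOAD))     # rejected, nothing reflected
    print(license_detail_hardened("apache-2.0"))
```

Template auto-escaping in web frameworks does not cover responses assembled as plain strings or values marked safe, so a validator on the path converter (rejecting anything outside the key grammar before a view runs) is the check to add first; output escaping then catches the cases the grammar did not anticipate.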
NVD
added 2023/08/07 9:15 p.m.

CVE-2023-39523

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process, as it allows appending malicious commands via the `docker_reference` parameter. In the...

CVSS 8.8 · AI score 7.5 · EPSS 0.01643
Exploits 1 · References 4
Prion
added 2023/08/07 9:15 p.m.

Command injection

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process, as it allows appending malicious commands via the `docker_reference` parameter. In the...

CVSS 6.5 · AI score 8.9 · EPSS 0.01643
Exploits 1 · References 4 · Affected Software 1
CVE
added 2023/08/07 8:55 p.m.

CVE-2023-39523

CVE-2023-39523 affects ScanCode.io prior to 32.5.1. The vulnerability is a command injection in fetch_docker_image: docker_reference is user-controlled and passed to get_docker_image_platform, which builds a shell command that is executed without sanitization. A malicious user could inject comman...

CVSS 8.8 · AI score 7.8 · EPSS 0.01643
Exploits 1 · References 4 · Affected Software 1
OSV
added 2023/08/07 8:55 p.m.

CVE-2023-39523 ScanCode.io command injection in docker image fetch process

ScanCode.io is a server to script and automate software composition analysis with ScanPipe pipelines. Prior to version 32.5.1, the software has a possible command injection vulnerability in the docker fetch process, as it allows appending malicious commands via the `docker_reference` parameter. In the...

CVSS 6.8 · AI score 8.8 · EPSS 0.01643
Exploits 1 · References 6
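The four CVE-2023-39523 entries above share one mechanism: a user-controlled `docker_reference` spliced into a shell command string. The following is an added example, not ScanCode.io's own code, that reproduces that shape next to a hardened version which validates the reference against a simplified Docker image-reference grammar and hands it to the tool as a single argv element with no shell in between. The `skopeo inspect` command shape, the grammar and the probe references are assumptions made for this illustration.

```python
import re
import subprocess


def build_platform_cmd_vulnerable(docker_reference: str) -> str:
    """Vulnerable shape: untrusted reference spliced into a shell command line
    (the command itself is a placeholder; any tool would do)."""
    return f"skopeo inspect docker://{docker_reference}"


def run_vulnerable(docker_reference: str) -> str:
    """Executes the string through the system shell and returns stdout.
    With a reference such as 'alpine:3.18; echo INJECTED' the shell runs the
    appended command whether or not 'skopeo' exists on the box."""
    cmd = build_platform_cmd_vulnerable(docker_reference)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# Simplified Docker image reference grammar (assumption; the authoritative one
# is distribution/reference): [registry[:port]/]path[/path...][:tag][@sha256:hex]
_COMPONENT = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
DOCKER_REFERENCE_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?/)?"  # registry[:port]/
    rf"{_COMPONENT}(?:/{_COMPONENT})*"                          # repository path
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"                 # :tag
    r"(?:@sha256:[a-f0-9]{64})?"                                # @digest
)


def is_valid_docker_reference(docker_reference: str) -> bool:
    return (
        0 < len(docker_reference) <= 255
        and DOCKER_REFERENCE_RE.fullmatch(docker_reference) is not None
    )


def validate_docker_reference(docker_reference: str) -> str:
    if not is_valid_docker_reference(docker_reference):
        raise ValueError(f"invalid docker reference: {docker_reference!r}")
    return docker_reference


def build_platform_cmd_hardened(docker_reference: str) -> list:
    """Validated reference passed as one argv element: no shell ever parses
    it, so ';', '$(...)' and backticks would stay literal even if the
    validation above were loosened."""
    ref = validate_docker_reference(docker_reference)
    return ["skopeo", "inspect", f"docker://{ref}"]


if __name__ == "__main__":
    print(run_vulnerable("alpine:3.18; echo INJECTED"))      # prints INJECTED
    print(build_platform_cmd_hardened("ghcr.io/org/app:1.2.3"))
    try:
        build_platform_cmd_hardened("alpine:3.18; echo INJECTED")
    except ValueError as exc:
        print("rejected:", exc)
```

The two layers are independent: the argv list removes the shell from the data path entirely, and the grammar check stops references that are syntactically valid for the shell but meaningless to a registry from reaching the tool at all. Use both; a `shlex.quote` on the interpolated string is the weakest of the three options because it still depends on the shell interpreting the quoting correctly.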
Fedora
added 2023/04/01 12:17 a.m.

[SECURITY] Fedora 38 Update: rubygem-actionmailer-7.0.4.3-1.fc38

Email on Rails. Compose, deliver, and test emails using the familiar controller/view pattern. First-class support for multipart email and attachments...

CVSS 5.3 · AI score 7.6 · EPSS 0.00406
Exploits 0
OSV
added 2023/03/09 8:22 p.m.

CVE-2023-27484 Unchecked fieldpath index in Composition's patches can lead to arbitrary memory allocation in crossplane

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's ToFieldPath, which could lead to...

CVSS 6.2 · AI score 5.4 · EPSS 0.00311
Exploits 0 · References 3
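The CVE-2023-27484 entry above turns on one detail: a field-path index chosen by the patch author decides how much the controller allocates. The following is an added example, not crossplane-runtime's code, of a toy field-path setter for paths like `spec.items[2].name` that grows a list up to the requested index, which makes the allocation cost visible, together with the bound check that stops an oversized index before any allocation happens. The path grammar and the `MAX_INDEX` value are assumptions for this illustration.

```python
import re

# Segment grammar (assumption, modelled on dotted paths with [n] indexes):
# field names are alphanumerics, underscore or hyphen; indexes are decimal.
_SEG_RE = re.compile(r"\.?([A-Za-z0-9_-]+)|\[([0-9]+)\]")
MAX_INDEX = 1024  # assumed cap; set it to what your objects legitimately need


def parse_fieldpath(path: str) -> list:
    """'spec.items[2].name' -> ['spec', 'items', 2, 'name']"""
    segments, pos = [], 0
    for m in _SEG_RE.finditer(path):
        if m.start() != pos:
            raise ValueError(f"bad fieldpath near offset {pos}: {path!r}")
        pos = m.end()
        segments.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
    if pos != len(path) or not segments:
        raise ValueError(f"bad fieldpath: {path!r}")
    return segments


def largest_index(path: str) -> int:
    """Cheap pre-check: the biggest index a patch would force us to allocate."""
    return max((s for s in parse_fieldpath(path) if isinstance(s, int)), default=-1)


def set_value(obj: dict, path: str, value, max_index=MAX_INDEX) -> dict:
    """Set value at path, creating intermediate objects and growing lists.
    With max_index=None this is the unbounded behaviour the advisory describes."""
    segments = parse_fieldpath(path)
    cur = obj
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        nxt = None if last else segments[i + 1]
        child = [] if isinstance(nxt, int) else {}
        if isinstance(seg, int):
            if max_index is not None and seg > max_index:
                raise ValueError(f"index {seg} exceeds max_index {max_index}")
            if not isinstance(cur, list):
                raise TypeError("indexed segment applied to a non-list")
            if seg >= len(cur):
                # This extend is the allocation an unbounded index controls:
                # memory grows linearly with whatever number the patch wrote.
                cur.extend([None] * (seg + 1 - len(cur)))
            if last:
                cur[seg] = value
                break
            if cur[seg] is None:
                cur[seg] = child
            cur = cur[seg]
        else:
            if not isinstance(cur, dict):
                raise TypeError("field segment applied to a non-object")
            if last:
                cur[seg] = value
                break
            if cur.get(seg) is None:
                cur[seg] = child
            cur = cur[seg]
    return obj


def is_rejected(path: str, max_index=MAX_INDEX) -> bool:
    """True when the bounded setter refuses the path (bad syntax or index)."""
    try:
        set_value({}, path, 1, max_index=max_index)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(set_value({}, "spec.items[2].name", "x"))
    print(largest_index("spec.items[1000000000].name"))
    print(is_rejected("spec.items[1000000000].name"))
```

Check the index at admission time (`largest_index` over every patch in the object before anything is applied) rather than only inside the setter: the advisory's point is that the caller is already privileged, so the guard has to be a hard resource limit, not a permission check.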
SUSE CVE
added 2023/02/15 6:05 a.m.

SUSE CVE-2009-0386

Heap-based buffer overflow in the qtdemux_parse_samples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins (aka gst-plugins-good) 0.10.9 through 0.10.11 might allow remote attackers to execute arbitrary code via crafted Composition Time To Sample (ctts) atom data in a malformed QuickTime medi...

CVSS 9.3 · AI score 8.4 · EPSS 0.11725
Exploits 1 · References 4
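The CVE-2009-0386 entry above is the classic sample-table bug: the parser trusts the entry count in the `ctts` header. The following is an added example, not GStreamer's code, of a small `ctts` (Composition Time To Sample) atom reader that enforces the check such a parser needs, that the declared entry table actually fits inside the atom, beside a constructed atom that declares far more entries than it carries. The layout assumed is the one in the QuickTime/ISO BMFF file format: 32-bit big-endian size, fourcc, one version byte, three flag bytes, 32-bit entry count, then 8-byte (sample_count, sample_offset) pairs; offsets are read as signed here, which is an assumption.

```python
import struct

CTTS_HEADER = 16   # size(4) + 'ctts'(4) + version(1) + flags(3) + entry_count(4)
CTTS_ENTRY = 8     # sample_count(4) + sample_offset(4)


def build_ctts(entries, declared_count=None) -> bytes:
    """Serialise a ctts atom; declared_count lets a test lie about the count."""
    table = b"".join(struct.pack(">Ii", count, offset) for count, offset in entries)
    n = len(entries) if declared_count is None else declared_count
    payload = struct.pack(">B3sI", 0, b"\x00\x00\x00", n) + table
    return struct.pack(">I4s", 8 + len(payload), b"ctts") + payload


def ctts_declared_vs_available(atom: bytes) -> tuple:
    """Bytes the header claims for the table vs. bytes the atom really holds."""
    size = struct.unpack_from(">I", atom, 0)[0]
    n = struct.unpack_from(">I", atom, 12)[0]
    return n * CTTS_ENTRY, max(0, min(size, len(atom)) - CTTS_HEADER)


def parse_ctts(atom: bytes, max_entries: int = 1_000_000) -> list:
    """Return [(sample_count, sample_offset), ...] or raise on a bad atom."""
    if len(atom) < CTTS_HEADER:
        raise ValueError("ctts atom truncated before entry count")
    size, fourcc = struct.unpack_from(">I4s", atom, 0)
    if fourcc != b"ctts":
        raise ValueError(f"not a ctts atom: {fourcc!r}")
    if size < CTTS_HEADER or size > len(atom):
        raise ValueError("atom size inconsistent with buffer")
    n = struct.unpack_from(">I", atom, 12)[0]
    # The bound a trusting parser lacks: entry_count * 8 must fit in the atom.
    # Written as a division so the comparison itself cannot overflow in C.
    if n > (size - CTTS_HEADER) // CTTS_ENTRY:
        raise ValueError(f"entry_count {n} exceeds atom payload")
    if n > max_entries:
        raise ValueError(f"entry_count {n} exceeds policy limit")
    return [
        struct.unpack_from(">Ii", atom, CTTS_HEADER + i * CTTS_ENTRY)
        for i in range(n)
    ]


def ctts_is_rejected(atom: bytes) -> bool:
    try:
        parse_ctts(atom)
    except ValueError:
        return True
    return False


# Constructed samples: a well-formed table, and one whose header claims
# 0xFFFFFFFF entries while carrying only two.
GOOD_ATOM = build_ctts([(10, 0), (1, 3000), (5, -1500)])
BAD_ATOM = build_ctts([(10, 0), (1, 3000)], declared_count=0xFFFFFFFF)

if __name__ == "__main__":
    print(parse_ctts(GOOD_ATOM))
    print(ctts_declared_vs_available(BAD_ATOM))   # (34359738360, 16)
    print(ctts_is_rejected(BAD_ATOM))             # True
```

The same three checks (atom within buffer, table within atom, count under a policy ceiling) apply to every sample-table atom in the `moov` box, and the policy ceiling matters even when the arithmetic is safe: a count that fits the atom can still be large enough to make the allocation itself a denial of service.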
SUSE CVE
added 2023/02/15 4:22 a.m.

SUSE CVE-2018-19199

An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an integer overflow via a uriComposeQuery or uriComposeQueryEx function because of an unchecked multiplication...

CVSS 9.8 · AI score 7.3 · EPSS 0.00661
Exploits 0 · References 6
SUSE CVE
added 2023/02/15 4:22 a.m.

SUSE CVE-2018-19198

An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an out-of-bounds write via a uriComposeQuery or uriComposeQueryEx function because the '&' character is mishandled in certain contexts...

CVSS 9.8 · AI score 7.2 · EPSS 0.00649
Exploits 0 · References 6
SUSE CVE
added 2023/02/15 3:36 a.m.

SUSE CVE-2021-43528

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird...

CVSS 6.3 · AI score 9.1 · EPSS 0.00855
Exploits 0 · References 6
Vulnrichment
added 2022/11/29 12:00 a.m.

CVE-2022-46148 Discourse allows self-XSS through malicious composer message

Discourse is an open-source messaging platform. In versions 2.8.10 and prior on the stable branch and versions 2.9.0.beta11 and prior on the beta and tests-passed branches, users composing malicious messages and navigating to drafts page could self-XSS. This vulnerability can lead to a full XSS o...

CVSS 7.1 · AI score 6.5 · EPSS 0.0042
Exploits 0 · References 1
BDU FSTEC
added 2022/07/06 12:00 a.m.

Vulnerability in the dashboard creation, design, configuration and display component of the Self Service Composition Environment (SSCE) of the SAP Manufacturing Integration and Intelligence platform, allowing an attacker to execute arbitrary code or escalate privileges.

The vulnerability in the component responsible for creating, designing, configuring and displaying dashboards in the Self Service Composition Environment (SSCE) of the SAP Manufacturing Integration and Intelligence platform is related to deficiencies in access control and improper management ...

CVSS 9.9 · AI score 8.1 · EPSS 0.22127
Exploits 0 · References 7 · Affected Software 1
Rapid7 Blog
added 2022/06/29 2:09 p.m.

Application Security in 2022: Where Are We Now?

It’s always a good thing to take a step back every once in a while to take the lay of the land. Like you, we are always working at a breakneck pace to help secure the web applications being built today and ready ourselves to secure the innovations of the future. When Forrester put out The State o...

AI score 7.3
Exploits 0
RedHat Linux
added 2021/12/09 2:46 p.m.

Mozilla: JavaScript unexpectedly enabled for the composition area

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities. This vulnerability affects Thunderbird...

CVSS 6.5 · AI score 7.4 · EPSS 0.00855
Exploits 0 · References 4