979 matches found
CVE-2020-21066
An issue was discovered in Bento4 v1.5.1.0. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42aac...
CVE-2021-23419 Prototype Pollution
This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload...
PT-2021-15507 · Unknown · Open-Graph
Name of the Vulnerable Software and Affected Versions: open-graph versions prior to 0.2.6. Description: The issue affects the parse function, which can be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor payload. This could potentially lead to unintended...
CVE-2021-23408
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload...
Design/Logic Flaw
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload...
CVE-2021-23408 Prototype Pollution
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload...
Prototype Pollution
Overview: com.graphhopper:graphhopper-web-bundle is a GraphHopper routing engine as a web-service. Affected versions of this package are vulnerable to Prototype Pollution. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or __proto__ payload. P...
Lending Pair initialize function can be front run.
Handle: jonah1005. Vulnerability details. Impact: LendingPair does not initialize tokenMaster, controller, tokens. A hacker can listen to the deployer address and front run the initialize transaction. The initialized contract would look almost exactly the same if the hacker only replaces lpTokenMaster wi...
No support for token with decimals > 18
Handle: s1m0. Vulnerability details. Impact: The smart contract doesn't behave correctly if deployed with a token that has decimals 18. Proof of Concept: The functions tokenToWad and wadToToken revert if the tokenDecimals is 18. These functions are called in critical places like deposit and withdraw...
Constructor.Win32.Bifrose.asc Buffer Overflow / Heap Corruption
Discovery / credits: Malvuln - malvuln.com (c) 2021. Original source: https://malvuln.com/advisory/9e1ef166901534c276b5eeeee511fe22.txt. Media: twitter.com/malvuln. Threat: Constructor.Win32.Bifrose.asc. Vulnerability: Local Stack Buffer Overflow Heap Corruption. Description...
Prototype Pollution
nedb is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as __proto__, constructor and prototype...
CVE-2021-23395
This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload...
PT-2021-15488 · Nedb · Nedb
Name of the Vulnerable Software and Affected Versions: nedb, all versions. Description: The library could be tricked into adding or modifying properties of Object.prototype using a __proto__ or constructor.prototype payload. This issue affects all versions of the package. Recommendations: For all...
Prototype Pollution
set-getter is vulnerable to prototype pollution. An attacker is able to exploit the vulnerability to inject arbitrary properties into existing construct prototypes and modify attributes such as __proto__, constructor and prototype...
CVE-2021-30180
Apache Dubbo prior to 2.7.9 supports Tag routing, which enables a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary...
CVE-2021-30180
CVE-2021-30180 — Apache Dubbo: Affects Dubbo versions prior to 2.7.9. The vulnerability arises when parsing YAML tag routing rules, which may allow a client to trigger calling arbitrary constructors on the server. This is the underlying root cause described in the initial details. Potential impa...
CVE-2021-32647 Post-authentication Remote Code Execution (RCE) in emissary:emissary
Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication Remote Code Execution (RCE). The CreatePlace REST endpoint accepts an sppClassName parameter which is used to load an arbitrary class. This class is later instantiated using a...
Prototype Pollution
nconf-toml is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as __proto__, constructor and prototype...
PYSEC-2021-451
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.AddManySparseToTensorsMap. This is because the...
PYSEC-2021-649
TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.AddManySparseToTensorsMap. This is because the...