jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin

A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with...

Unchecked constructor arguments can make a contract unworkable

Lines of code Vulnerability details Impact In the NextGenCore contract constructor, there is no check that a valid admin contract is set using NextGenAdmins::isAdminContract. If the contract address in the adminsContract constructor is set incorrectly, it is not possible to call admin functions i...

Minting nft with Index 0 is not allowed

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. The constructor of the NextGenCore.sol contract includes an increment operation for the newCollectionIndex variable, ensuring that the newCollectionIndex start from 1. While adding or modifying addition...

Rocky Linux 8 : nodejs:10 (RLSA-2020:2848)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2020:2848 advisory. - In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a...

SUSE CVE-2019-10747

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads...

safeTransferFrom Does Not Check for Code at the Token Address

Lines of code Vulnerability details Impact The solady safeTransferFrom does not check for code at a token address before transferring. This can result in a deposit being made in a selfdestructed token or an embryonic token such as one that can be created from another chain's bridge without the us...

Prototype Pollution

deobfuscator is vulnerable to Prototype Pollution. This vulnerability allows an attacker to modify the prototype of the Object constructor via the LiteralMap transformer, which could then be used to execute arbitrary code on the victim's system...

SnakeYaml: Constructor Deserialization Remote Code Execution

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution RCE...

Array Mismatch in RdpxV2Core.sol

Lines of code Vulnerability details Impact reserveTokens and reserveAsset are not synced because reserveTokens was not initialized in the constructor. Proof of Concept The RdpxV2Core.sol contract stores the reserve token information and also uses another array to only track the reserve token...

Improper Access Control

nodejs is vulnerable to Improper Access Control. This vulnerability exists due to a flaw in the way the module.constructor.createRequire API can be used to bypass the policy mechanism. An attacker can exploit this vulnerability to load modules outside of the policy...

Arbitrary Code Execution

com.alibaba.nacos:nacos-spring-context is vulnerable to Arbitrary Code Execution. The vulnerability exists in the SnakeYamls Constructor, which is used to parse YAML files. An attacker who is able to modify a yaml file thats defined in the NacosPropertySource is able to execute arbitrary code...

GHSA-V6C8-PWHQ-288M Nacos Spring vulnerable to Unsafe Deserialization

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor component...

CVE-2023-39106

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor component...

CVE-2023-39106

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor component...

CVE-2023-39106

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor component...

Design/Logic Flaw

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor component...

CVE-2023-39106

An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor component...

Nacos Spring Project 代码问题漏洞

Nacos Spring Project is a Nacos Group open source project for discovering, configuring and managing cloud-native applications. A security vulnerability exists in Nacos Spring Project v.1.1.1 and earlier versions, which stems from a vulnerability that allows an attacker to execute arbitrary code v...

Malicious code in f0-data-constructor (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 9133720bff10d051149c2acb0dcab98768e9badae42fe211352aa258afd49c28 The OpenSSF Package Analysis project identified 'f0-data-constructor' @ 1.0.0 npm as malicious. It is considered malicious because: - The packag...

SnakeYaml: Constructor Deserialization Remote Code Execution

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution RCE...