13 matches found
EUVD-2022-7208
Malicious code in bioql PyPI...
Cross-Site Request Forgery (CSRF)
aim is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to the lack of CSRF and CORS protection in the aim dashboard, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent...
CVE-2024-2196
aimhubio/aim is vulnerable to Cross-Site Request Forgery CSRF, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...
CVE-2024-2196 CSRF Vulnerability in aimhubio/aim
aimhubio/aim is vulnerable to Cross-Site Request Forgery CSRF, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...
CVE-2024-2196
The aimhubio/aim Cross-Site Request Forgery (CSRF) vulnerability is caused by missing CSRF and CORS protections in the aim dashboard. An attacker can lure a logged-in user into issuing unauthorized requests, enabling actions such as deleting runs, updating data, and exfiltrating log records or no...
CVE-2022-41919
A Cross-site request forgery CSRF vulnerability was found in fastify due to improper handling of incorrect Content-Types. This flaw allows an attacker to use an incorrect 'Content-Type' to bypass checks to allow fetch requests that could be used to invoke routes that only accept application/json...
Cross site request forgery (csrf)
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
CVE-2022-41919 Fastify vulnerable to Cross-Site Request Forgery (CSRF) attack via incorrect content type
Fastify is a web framework with minimal overhead and plugin architecture. The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could...
GHSA-3FJJ-P79J-C9HH Fastify: Incorrect Content-Type parsing can lead to CSRF attack
Impact The attacker can use the incorrect Content-Type to bypass the Pre-Flight checking of fetch. fetch requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts application/js...
SUSE: Security Advisory (SUSE-SU-2022:3666-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
SUSE-SU-2022:3666-1 Security update for helm
This update for helm fixes the following issues: helm was updated to version 3.9.4: CVE-2022-36055: Fixed denial of service through string value parsing bsc1203054. Updating the certificates used for testing Updating index handling helm was updated to version 3.9.3: - CVE-2022-1996: Updated...
Grammarly: Account takeover through the combination of cookie manipulation and XSS
Summary: A cookie based XSS on www.grammarly.com exists due to reflection of a cookie called gnarcontainerId in DOM without any sanitization. Normally, gnarcontainerId is being set by the server however a vulnerable endpoint at gnar.grammarly.com called "/cookies" allows us to manipulate cookies...
CVE-2019-9580
CVE-2019-9580 affects StackStorm’s Web UI (st2web) prior to versions 2.9.3 and 2.10.x prior to 2.10.3. The root cause is improper handling of CORS headers, where an unknown/null origin could be accepted, potentially enabling XSS and related cross-domain actions via a crafted link. Exploitation de...