Lucene search
K

572 matches found

Prion
Prion
added 2021/11/08 3:15 p.m.23 views

Session fixation

Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password, creating a situation in which a device compromised by a third party could not be locked out by those means. As a mitigation for older releases the user account...

7.5CVSS9.2AI score0.01103EPSS
Exploits0References1Affected Software1
Code423n4
Code423n4
added 2021/10/25 12:0 a.m.9 views

registerAsset would change asset class of existing asset

Handle jonah1005 Vulnerability details Impact The permissionless function registerAsset only checks current liquidity. There's no sanity check whether the asset has registered as another asset class. An attacker can set an asset into AssetClass.Sigma. Unexpected liquidation would happen if an Alp...

6.8AI score
Exploits0
Huntr
Huntr
added 2021/10/14 4:24 p.m.9 views

Cross-site Scripting (XSS) - Stored in ampache/ampache

Description ampache has a stored XSS in the View Existing User , an attacker could exploit with the Website attribute to steal the other users' cookie Proof of Concept 1 Visit http://ampache//index.phppreferences.php?tab=account set the Website attribut toe: foo" onmouseover=alertdocument.cookie ...

0.2AI score
Exploits0References2
Huntr
Huntr
added 2021/10/05 2:26 p.m.13 views

Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy

Description MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity...

0.2AI score
Exploits0References2
Code423n4
Code423n4
added 2021/10/05 12:0 a.m.10 views

MarketPlace.sol: createMarket should check if market already exists before creating

Handle itsmeSTYJ Vulnerability details Impact createMarket is a privileged function that can only be called by an admin but that doesn't necessarily mean that it is not susceptible to mistakes. Furthermore, it is a function that is called somewhat often so following murphy's law - anything can go...

6.6AI score
Exploits0
OSV
OSV
added 2021/09/29 5:22 p.m.10 views

MGASA-2021-0445 Updated mosquitto packages fix security vulnerability

Mosquitto is updated to 2.0.12 to fix security vulnerability: In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client...

5.3CVSS5.9AI score0.01367EPSS
Exploits1References3
OSV
OSV
added 2021/08/25 2:15 a.m.4 views

CVE-2021-40089

An issue was discovered in PrimeKey EJBCA before 7.6.0. The General Purpose Custom Publisher, which is normally run to invoke a local script upon a publishing operation, was still able to run if the System Configuration setting Enable External Script Access was disabled. With this setting disable...

2.3CVSS5.8AI score0.00223EPSS
Exploits0References1
OSV
OSV
added 2021/07/19 6:15 p.m.5 views

CVE-2021-34821

Cross Site Scripting XSS vulnerability exists in AAT Novus Management System through 1.51.2. The WebUI has wrong HTTP 404 error handling implemented. A remote, unauthenticated attacker may be able to exploit the issue by sending malicious HTTP requests to non-existing URIs. The value of the URL...

6.1CVSS5.8AI score0.00816EPSS
Exploits0References1
BDU FSTEC
BDU FSTEC
added 2021/07/06 12:0 a.m.10 views

The vulnerability of the `inotify_update_existing_watch()` function in the Linux kernel’s `fs/notify/inotify/inotify_user.c` file, related to a lack of memory release mechanism, allows a malicious actor to trigger a service failure.

The vulnerability of the inotifyupdateexistingwatch function in the fs/notify/inotify/inotifyuser.c file of the Linux operating system’s kernel is related to a lack of memory release mechanism. Exploiting this vulnerability allows an attacker to trigger a service failure...

5.5CVSS6.5AI score0.00417EPSS
Exploits0References17Affected Software2
WPVulnDB
WPVulnDB
added 2021/06/30 12:0 a.m.13 views

BNG Gateway For Woocommerce <= 1.6.10 - CSRF Bypass

The plugin does not properly perform CSRF checks, allowing attackers to make logged in users perform unwanted actions, such as add a new billing method to an existing customer, and delete a payment method...

4.1AI score
Exploits0Affected Software1
Veracode
Veracode
added 2021/06/16 4:31 a.m.17 views

Prototype Pollution

nedb is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as proto, constructor and prototype...

7.3CVSS3.4AI score0.0087EPSS
Exploits1References1Affected Software1
Veracode
Veracode
added 2021/05/27 5:20 a.m.16 views

Prototype Pollution

js-extend is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as proto, constructor and prototype...

9.8CVSS3.5AI score0.02961EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2021/05/17 3:15 p.m.3 views

CVE-2021-27734

Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users...

9.8CVSS7.4AI score0.01264EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2021/03/26 9:34 p.m.27 views

CVE-2021-20206

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the syste...

7.2CVSS6.5AI score0.01525EPSS
Exploits0
Veracode
Veracode
added 2021/03/19 5:35 a.m.12 views

Prototype Pollution

mongoose is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as proto, constructor and prototype...

3.4AI score
Exploits0
OSV
OSV
added 2021/03/17 10:15 a.m.6 views

ALPINE-CVE-2020-17525

Subversion's modauthzsvn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL. This can lead to disruption for users of the service. This issue was fixed in...

7.5CVSS6.8AI score0.40075EPSS
Exploits1References1
Prion
Prion
added 2021/02/12 7:15 a.m.17 views

Directory traversal

Directory traversal vulnerability in ELECOM File Manager all versions allows remote attackers to create an arbitrary file or overwrite an existing file in a directory which can be accessed with the application privileges via unspecified vectors...

6.4CVSS9AI score0.01871EPSS
Exploits0References2
Veracode
Veracode
added 2021/02/09 6:39 a.m.14 views

Prototype Pollution

dynamoose is vulnerable to prototype pollution. The vulnerability exists through lib/utils/object/set.ts where an attacker is able to inject properties into existing construct prototypes and modify attributes such as proto, constructor and prototype...

9.8CVSS3.5AI score0.01894EPSS
Exploits0References5Affected Software1
Prion
Prion
added 2021/02/01 3:15 p.m.28 views

Code injection

Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a reque...

6.4CVSS9AI score0.07164EPSS
Exploits3References4Affected Software1
FreeBSD
FreeBSD
added 2021/01/29 12:0 a.m.33 views

mod_dav_svn -- server crash

Subversion project reports: Subversion's modauthzsvn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL...

7.5CVSS7.5AI score0.40075EPSS
Exploits1References1
Rows per page
Query Builder