Veracode
added 2024/10/16 10:57 a.m. (5 views)

Server-Side Request Forgery (SSRF)

Gradio is vulnerable to Server-Side Request Forgery (SSRF) in the /queue/join endpoint: attackers can abuse the async_save_url_to_cache function to make the Gradio server issue HTTP requests to user-controlled URLs. This can enable attackers to target internal servers, exfiltrate...

CVSS 9.8, AI score 6.7, EPSS 0.00463
Exploits 0, References 3, Affected software 1
SUSE CVE
added 2024/10/12 2:48 a.m. (2 views)

SUSE CVE-2024-47167

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to Server-Side Request Forgery (SSRF) in the /queue/join endpoint. Gradio's async_save_url_to_cache function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This...

CVSS 9.8, AI score 6.5, EPSS 0.00463
Exploits 0, References 3
Vulnrichment
added 2024/10/10 9:47 p.m. (14 views)

CVE-2024-47167 SSRF in the path parameter of /queue/join in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to Server-Side Request Forgery (SSRF) in the /queue/join endpoint. Gradio's async_save_url_to_cache function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This...

CVSS 6.9, AI score 6.3, EPSS 0.00463
Exploits 0, References 1
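The three Gradio entries above describe the same bug class: a server that fetches whatever URL a user supplies can be pointed at loopback, RFC 1918 or cloud-metadata addresses. The check below is an added illustration of the guard a practitioner would put in front of such a fetch; it is not Gradio's code or its fix. The function and parameter names are my own, and the candidate URLs in the demo are constructed samples.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for any address an outbound fetch must never reach: loopback,
    private space, link-local (which includes the 169.254.169.254 cloud
    metadata endpoint), multicast, unspecified and reserved ranges.
    IPv4-mapped IPv6 addresses are judged as the IPv4 address they wrap,
    so ::ffff:127.0.0.1 is caught too."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return _is_disallowed(ip.ipv4_mapped)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _resolve(host: str) -> list[ipaddress.IPv4Address | ipaddress.IPv6Address]:
    """Every address the host currently maps to. Literal addresses are parsed
    directly, so no DNS lookup happens for them."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # The sockaddr may carry an IPv6 scope id ("fe80::1%eth0"); drop it.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def validate_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason). Only http/https, no embedded credentials,
    and every resolved address must be public: a host with one private and
    one public record is rejected rather than trusted."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    ips = _resolve(host)
    if not ips:
        return False, f"{host!r} does not resolve"
    for ip in ips:
        if _is_disallowed(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, f"{host!r} -> {', '.join(map(str, ips))}"


if __name__ == "__main__":
    # Constructed sample inputs (not taken from any real request), the kind
    # of value a user could place in a URL field that the server then fetches.
    for candidate in [
        "http://8.8.8.8/",
        "http://127.0.0.1:7860/queue/join",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
    ]:
        ok, why = validate_outbound_url(candidate)
        print(f"{'ALLOW' if ok else 'DENY ':5} {candidate}  ({why})")
```

Two caveats belong with this check. It resolves the name once, so the fetch must connect to the address that was validated (pinning the IP and sending the original Host header) rather than resolving again, or a DNS-rebinding host can pass the check and then answer with 127.0.0.1. And HTTP redirects must be followed manually with the same check applied to every hop, since a public URL can 302 to an internal one.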
CVE
added 2024/10/07 8:24 p.m. (53 views)

CVE-2024-43789

CVE-2024-43789 affects Discourse. The issue arises when a user creates a post with many replies and then fetches them all at once, potentially reducing availability. Technical details across sources confirm the vulnerability in Discourse with a denial-of-service impact and that patches have been ...

CVSS 7.5, AI score 5.7, EPSS 0.00443
Exploits 0, References 1, Affected software 1
CNNVD
added 2024/10/07 12:00 a.m. (3 views)

Discourse Resource Management Error Vulnerability

Discourse is an open source community discussion platform from Discourse Open Source. The platform includes features such as communities, email, and chat rooms. Discourse suffers from a Resource Management Error vulnerability that stems from the fact that an attacker can create a post with many...

CVSS 7.5, AI score 6.5, EPSS 0.00443
Exploits 0, References 2
OSV
added 2024/10/04 3:39 p.m. (4 views)

CLSA-2024-1728056367 Fix CVE(s): CVE-2024-32465

SECURITY UPDATE: Bypass of protections in untrusted repositories - debian/patches/CVE-2024-32465.patch: Disable lazy-fetching by default in upload-pack to prevent arbitrary command execution during clone/fetch - CVE-2024-32465...

CVSS 7.8, AI score 7.4, EPSS 0.00909
Exploits 0, References 1
OSV
added 2024/08/30 10:07 a.m. (5 views)

CLSA-2024-1725012457 git: Fix of 2 CVEs

CVE-2024-32004: fetch/clone: detect dubious ownership of local repositories - CVE-2024-32465: upload-pack: disable lazy-fetching by default...

CVSS 8.1, AI score 7.1, EPSS 0.01271
Exploits 0, References 1
OSV
added 2024/08/30 10:07 a.m. (4 views)

CLSA-2024-1725012440 git: Fix of 2 CVEs

CVE-2024-32004: fetch/clone: detect dubious ownership of local repositories - CVE-2024-32465: upload-pack: disable lazy-fetching by default...

CVSS 8.1, AI score 7.1, EPSS 0.01271
Exploits 0, References 1
Vulnrichment
added 2024/08/28 11:49 a.m. (14 views)

CVE-2024-6449 Arbitrary cross-domain file inclusion in HyperView Geoportal Toolkit

HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed to by one of the GET request parameters. An unauthenticated remote attacker can prepare links which, upon opening, will load scripts from a remote location controlled by t...

CVSS 5.3, AI score 6.9, EPSS 0.0035
Exploits 0, References 2
OSV
added 2024/08/05 9:29 p.m. (22 views)

GHSA-RH4R-F7F7-R99M go2rtc Cross-site Scripting vulnerability

go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page index.html shows the available streams by fetching the API on the client side. It then uses Object.entries to iterate over the result, whose first item name gets...

CVSS 6.1, AI score 5.8, EPSS 0.00453
Exploits 1, References 4
OSV
added 2024/07/25 5:47 p.m. (3 views)

CLSA-2024-1721929661 git: Fix of 2 CVEs

CVE-2024-32004: add tests for cloning from partial repo, fetch/clone: detect dubious ownership of local repositories - CVE-2024-32465: upload-pack: disable lazy-fetching by default...

CVSS 8.1, AI score 5.8, EPSS 0.01271
Exploits 0, References 1
Positive Technologies
added 2024/06/06 12:00 a.m. (3 views)

PT-2024-24179 · Mintplex · Mintplex-Labs/Anything-Llm

Vulnerable software and affected versions: mintplex-labs/anything-llm versions 1.2.0 through 1.4.1; mintplex-labs/anything-llm web application, affected versions not specified. Description: A Cross-Site Scripting (XSS) vulnerability exists in the application, affecting both the desktop and...

CVSS 9.6, AI score 4.8, EPSS 0.00962
Exploits 1, References 6
OSV
added 2024/05/22 12:00 p.m. (12 views)

RUSTSEC-2024-0351 Refs and paths with reserved Windows device names access the devices

Summary: On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that...

CVSS 5.4, AI score 5.5, EPSS 0.00448
Exploits 0, References 5
Positive Technologies
added 2024/05/22 12:00 a.m. (2 views)

PT-2024-4191 · Gitoxide · Gitoxide

Vulnerable software and affected versions: gitoxide, affected versions not specified. Description: The issue is related to how gitoxide handles legacy device names on Windows. When fetching refs or checking out paths that clash with these names, it can read from or write to devices,...

CVSS 6.4, AI score 6.7, EPSS 0.00448
Exploits 0, References 16
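The RUSTSEC-2024-0351 and PT-2024-4191 entries above both turn on the same Windows quirk: a path or ref component such as CON, NUL or COM1 is opened as the device, and the match survives a different case, a trailing extension, trailing dots or spaces. The check below is an added illustration of how a tool that writes attacker-supplied names to disk can screen them; it is not gitoxide's code or its fix, and the function names and sample refs/paths are my own. It generalizes slightly beyond the advisory text by also covering COM0/LPT0 and the superscript digits that Windows' naming documentation lists.

```python
from __future__ import annotations

# Reserved MS-DOS device names. Windows' file-naming documentation lists CON,
# PRN, AUX, NUL, COM0-COM9 and LPT0-LPT9, and also treats the superscript
# digits 1, 2, 3 (U+00B9, U+00B2, U+00B3) as digits in the COM/LPT names.
_DIGITS = "0123456789\u00b9\u00b2\u00b3"
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{d}" for d in _DIGITS}
    | {f"LPT{d}" for d in _DIGITS}
)


def is_reserved_device_name(component: str) -> bool:
    """True if a single path or ref component would be opened as a device on
    Windows. Matching is case-insensitive and considers only the part before
    the first '.' or ':' with trailing spaces removed, so 'con.txt', 'AUX.',
    'Nul ' and 'COM1.log.bak' are all devices, while 'CONFIG', 'COM10' and
    'console.log' are ordinary names."""
    stem = component
    for separator in (".", ":"):
        stem = stem.split(separator, 1)[0]
    return stem.rstrip(" ").upper() in RESERVED_DEVICE_NAMES


def first_reserved_component(path: str) -> str | None:
    """Return the first component of a ref name or checkout path that clashes
    with a device name, or None if the whole path is safe to create. Both '/'
    and '\\' are accepted as separators, since a repository can carry either."""
    for component in path.replace("\\", "/").split("/"):
        if component and is_reserved_device_name(component):
            return component
    return None


if __name__ == "__main__":
    # Constructed samples, not taken from any real repository: what a clone
    # might ask the client to create as a ref or as a working-tree file.
    for candidate in [
        "refs/heads/main",
        "refs/heads/NUL",
        "src/main.rs",
        "src\\util\\aux.rs",
        "logs/COM1.log.bak",
        "logs/COM10.log",
    ]:
        hit = first_reserved_component(candidate)
        verdict = f"REJECT ({hit!r} is a device name)" if hit else "ok"
        print(f"{candidate:24} {verdict}")
```

Rejecting the name before it reaches the filesystem is the only safe option: on Windows there is no flag that makes CreateFile treat "NUL" as a regular file in a normal path, and a write to CON or a read from a COM port is exactly the blocking or output described in the advisories.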
NVD
added 2024/04/04 7:15 p.m. (14 views)

CVE-2024-29193

go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to DOM-based cross-site scripting. The index page index.html shows the available streams by fetching the API on the client side. It then uses Object.entries to iterate over the result, whose first item name gets...

CVSS 6.1, AI score 6, EPSS 0.00453
Exploits 1, References 1
OSV
added 2024/03/06 10:52 a.m. (30 views)

BIT-GOLANG-2023-45285 Command 'go get' may unexpectedly fallback to insecure git in cmd/go

Using go get to fetch a module with the ".git" suffix may unexpectedly fall back to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for that module. This only affects users who are not using the module...

CVSS 7.5, AI score 7.7, EPSS 0.01137
Exploits 0, References 6
Tenable Nessus
added 2024/03/05 12:00 a.m. (39 views)

RHEL 9 : golang (RHSA-2024:1131)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1131 advisory. The golang packages provide the Go programming language compiler. Security fixes: golang: net/http/internal: Denial of Service (DoS) via...

CVSS 7.5, AI score 7.2, EPSS 0.01208
Exploits 0, References 7
Cvelist
added 2024/02/29 8:02 a.m. (20 views)

CVE-2024-23493 Team associated AD/LDAP Groups Leaked due to missing authorization

Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of...

CVSS 4.3, AI score 4.9, EPSS 0.00389
Exploits 0, References 1
CVE
added 2024/01/30 7:36 p.m. (46 views)

CVE-2024-24558

The CVE-2024-24558 entry concerns the TanStack Query package, specifically the @tanstack/react-query-next-experimental component. The vulnerability is a cross‑site scripting (XSS) flaw that arises from improper handling of untrusted input during server‑side rendering, allowing an attacker to inje...

CVSS 8.2, AI score 6, EPSS 0.00385
Exploits 0, References 2, Affected software 1
Wallarm Lab
added 2024/01/19 10:24 a.m. (103 views)

tRPC vs GraphQL

Deciphering the Cloud Conundrum: An Introduction to tRPC & GraphQL The dynamic domain of cloud technology presents a couple of instrumental methodologies in the arena of APIs: tRPC and GraphQL. Each serves as a potent asset for developers in crafting applications that are resilient, scalable, and...

AI score 7.1
Exploits 0