CVE-2021-43798

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 except for patched versions iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: /public/plugins//, where is the plugin ID for any installe...

CVE-2021-43798

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 except for patched versions iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: /public/plugins//, where is the plugin ID for any installe...

CVE-2021-41188

Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the .htaccess file will protect against...

CVE-2021-3436

CVE-2021-3436 affects Zephyr RTOS. The vulnerability allows overwriting an existing bond during the keys distribution phase if the identity address of the bond is known. Affected releases include Zephyr versions >= 1.14.2, >= 2.4.0, and >= 2.5.0, with the issue categorized under CWE-694 ...

Discourse 2.8.0.beta6 < 2.9.0.beta5 XSS Vulnerability

Discourse is prone to a cross-site scripting XSS vulnerability. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Type confusion

Overview In mpath before 0.8.4 a type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOfpartsi !== -1 returns -1 if partsi is 'proto'. This is because the method that has been called if the input is an array is...

CVE-2021-39227

ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using merge and clone helper methods in the src/core/util.ts module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports...

CVE-2021-39227 Fix prototype pollution in the zrender merge and clone helper methods

ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using merge and clone helper methods in the src/core/util.ts module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports...

Pillow -- Regular Expression Denial of Service (ReDoS)

GitHub Advisory Database reports: Uncontrolled Resource Consumption in pillow. The package pillow from 0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service ReDoS via the getrgb function. References: https://nvd.nist.gov/vuln/detail/CVE-2021-23437...

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Overview Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks...

CVE-2021-37700

@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. If the clipboard data contains the string , a div is dynamically created, and the clipboard content is copied into its...

CVE-2021-37700

@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. If the clipboard data contains the string , a div is dynamically created, and the clipboard content is copied into its...

Regular Expression Denial of Service in path-parse

Overview Affected versions of path-parse are vulnerable to Regular Expression Denial of Service ReDoS via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity. Recommendation Upgrade to version 1.0.7 or later References - CVE - GitH...

CVE-2021-32804

The npm package "tar" aka node-tar before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when th...

Design/Logic Flaw

The npm package "tar" aka node-tar before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when th...

CVE-2021-32804

The npm package "tar" aka node-tar before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when th...

CVE-2021-32804

The npm package "tar" aka node-tar before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when th...

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Overview The tar package has a high severity vulnerability before versions 3.2.3, 4.4.15, 5.0.7, and 6.1.2. Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Overview The tar package has a high severity vulnerability before versions 3.2.2, 4.4.14, 5.0.6, and 6.1.1. Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths...

Misinterpretation of malicious XML input

Overview Impact xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Patches Update to 0.7.0 see issue 271 for the stat...