1314 matches found
Improper Authentication
Overview The Utils.readChallengeTx function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying that the serverAccountID has signed the transaction. The function does not verify that the server ha...
Resource exhaustion in socket.io-parser
Overview The socket.io-parser npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service memory consumption via a large packet because a concatenation approach is used. Recommendation Upgrade to versions 3.3.2, 3.4.1 or later References - CVE - GitHub Advisory...
Opencast < 9.6 DoS Vulnerability
Opencast is prone to a denial of service DoS vulnerability. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; y...
Uncontrolled Resource Consumption in locutus
Overview locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service ReDoS via the gopherparsedir function. Recommendation Upgrade to version 2.0.15 or later References - CVE - GitHub Advisory...
Regular Expression Denial of Service
Overview normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 has a ReDoS regular expression denial of service issue because it has exponential performance for data: URLs. Recommendation Upgrade to versions 4.5.1, 5.3.1, 6.0.1 or later References - CVE - GitHub Advisory...
Denial of Service
Overview css-what from version 4.0.0 and before version 5.0.1 does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input. Recommendation Upgrade to version 5.0.1 or later References - CVE - GitHub Advisory...
Regular Expression Denial of Service
Overview trim-newlines before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service ReDoS for the .end method. Recommendation Upgrade to versions 3.0.1 or 4.0.1 or later References - CVE - GitHub Advisory...
Regular expression denial of service
Overview glob-parent before 5.1.2 has a regular expression denial of service vulnerability. The enclosure regex used to check for strings ending in enclosure containing path separator. Recommendation Upgrade to version 5.1.2 or later References - CVE - GitHub Advisory...
Products.PluggableAuthService 2.6.0 - Open Redirect
Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect Exploit Author: Piyush Patil Affected Component: Pluggable Zope authentication/authorization framework Component Link: https://pypi.org/project/Products.PluggableAuthService/ Version: =2.6.1"...
Improper Verification of Cryptographic Signature
Overview The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever...
Uncontrolled Resource Consumption
Overview This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. Recommendation Upgrade to version 0.3....
Credential leak in react-native-fast-image
Overview This affects all versions before version 8.3.0 of package react-native-fast-image. When an image with source=uri: "...", headers: host: "somehost.com", authorization: "..." is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other...
Path traversal in rollup-plugin-serve
Overview Path traversal in rollup-plugin-serve before version 1.0.2. There is no path sanitization in readFile operation. Recommendation Upgrade to version 1.0.2 or later References - CVE - GitHub Advisory...
Injection and Command Injection in devcert
Overview A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function. Recommendation Upgrade to version 1.1.2 or later References - CVE - GitHub Advisory...
Cross-site scripting in jspdf
Overview In jspdf before version 2.0.0 it is possible to inject JavaScript code via the html method. Recommendation Upgrade to version 2.0.0 or later References - CVE - GitHub Advisory...
CVE-2020-7679
creationtimestamp| type| source ---|---|--- 2021-05-17 21:00:52+00:00| published-proof-of-concept| https://github.com/advisories/GHSA-vrr3-5r3v-7xfw...
cookie tossing attack
Overview Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Recommendation Upgrade to version 3.1.0 or later References - CVE - GitHub Advisory...
Command Injection
Overview nodemailer before version 6.4.16 is vulnerable to command injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. Recommendation Upgrade to version 6.4.16 or later References - CVE - GitHub Advisory...
Prototype Pollution
Overview "The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition." Recommendation Upgrade to version 1.1.8 or later References - CVE - GitHub Advisory...
Regular Expression Denial of Service
Overview npm-user-validate before 1.0.1 is vulnerable to regular expression denial of service. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters. Recommendation Upgrade to version 1.0.1 or later References - CVE - GitHub Advis...