1360 matches found
CVE-2021-29434 Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields
Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could...
CVE-2021-29449
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details. Recent assessments: h00die at May 31, 2021 11:59am UTC...
CVE-2021-21394
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0, Synapse is missing input validation of some parameters on the endpoints used to confirm third-party...
Improper Certificate Validation
Overview: Version 1.2.0 of mongodb-client-encryption does not perform correct validation of the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Node.js driver and the KMS service...
CVE-2021-23348
creationtimestamp | type | source
---|---|---
2021-03-31 03:49:43+00:00 | published-proof-of-concept | https://github.com/rrainn/PortProcesses/security/advisories/GHSA-vm67-7vmg-66vm...
Squid 2.0 < 4.14, 5.0.1 < 5.0.5 HTTP Request Smuggling Vulnerability
Squid is prone to an HTTP request smuggling vulnerability.
CVE-2021-23344
creationtimestamp | type | source
---|---|---
2021-03-19 21:32:20+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-3wj8-vp9h-rm6m...
Prototype Pollution
Overview: Prototype pollution vulnerability in set-in versions 1.0.0 through 2.0.0 allows an attacker to cause a denial of service and may lead to remote code execution. Recommendation: Upgrade to version 2.0.1 or later. References: GitHub Advisory, CVE...
Prototype Pollution
Overview: In mquery before version 3.2.3 there is a prototype pollution vulnerability because a special property (e.g., __proto__) can be copied during a merge or clone operation. Recommendation: Upgrade to version 3.2.3 or later. References: CVE, GitHub Advisory...
Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin
Impact: The com.bmuschko:gradle-vagrant-plugin Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. Patch...
Sandbox Breakout
Overview: In matrix-react-sdk before version 3.15.0 the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a blob origin that cannot access Matrix user data, so messages and secrets are not at risk. Recommendation: Upgrade to version 3.15...
Remote Code Execution
Overview. Impact: In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remot...
Hostname spoofing via backslashes in URL
Overview. Impact: urijs before version 1.19.6 is affected by a hostname spoofing issue. If using urijs to determine a URL's hostname, the hostname can be spoofed by using a backslash (\) character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, th...
Regular Expression Denial of Service
Overview: three before version 0.125.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This can happen when handling rgb or hsl colors. POC: var three = require('three'); function buildblank(n) { var ret = "rgb"; for (var i = 0; i < n; i++) { ret += " "; } return ret + ""; } var Color = three.Color; var...
Regular Expression Denial of Service
Overview: prismjs versions before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. Recommendation: Upgrade to version 1.23.0 or later. References: Snyk Advisory, GitHub Advisory, CVE...
Prototype Pollution
Overview. Impact: Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. Workarounds: A workaround is to...
Command Injection
Overview: The systeminformation package is an open source collection of functions to retrieve detailed hardware, system and OS information. In affected versions of systeminformation there is a command injection vulnerability. As a workaround instead of upgrading, be sure to check or sanitize servi...
Command Injection
Overview: Affected versions of the samba-client package allow command injection because of the use of process.exec. Recommendation: Upgrade to version 4.0.0 or later. References: CVE, GitHub Advisory...