975 matches found
Authentication flaw
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. An authentication mechanism added in version 0.7.0 enables some malicious user to obtain secrets utilizing the injected credentials within the /.netrc file. Refer to the referenced GitHub Security...
GitHub Security Lab: [Java] CWE-016: Query to detect insecure configuration of Spring Boot Actuator
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: Query for detecting unsafe deserialization with Spring exporters
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java : Add query for detecting Log Injection vulenrabilities
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: CWE-346 Queries to detect remote source flow to CORS Headers
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-297: Insecure LDAP endpoint configuration
This bug was reported directly to GitHub Security Lab...
PYSEC-2021-432
Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free or realloc calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and ...
CVE-2021-21401 Invalid free() call in Nanopb
Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free or realloc calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and ...
CVE-2021-21384
shescape is a simple shell escape package for JavaScript. In shescape before version 1.1.3, anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a into the payload. For an example see the referenced GitHub Securi...
CVE-2021-21383 XSS in Wiki.js
Wiki.js an open-source wiki app built on Node.js. Wiki.js before version 2.5.191 is vulnerable to stored cross-site scripting through mustache expressions in code blocks. This vulnerability exists due to mustache expressions being parsed by Vue during content injection even though it is contained...
GitHub Security Lab: ihsinme: CPP add query for: CPP Add query for CWE-20 Improper Input Validation
This bug was reported directly to GitHub Security Lab...
CVE-2021-21368 Prototype poisoning
msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map containing a key "proto", it assigns the decoded value to proto. Object.prototype.proto is an access...
GitHub Security Lab: [Java] CWE-327: Add more broken crypto algorithms
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-598: Use of GET Request Method with Sensitive Query Strings
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: Fix NashornScriptEngine detection in ScriptEngine query
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: [codeql-go]: Add query to find use of constant state parameter in Oauth2 flow
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java: Query for detecting JEXL injections
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: Java : Add query to detect Apache Struts enabled Development mode
This bug was reported directly to GitHub Security Lab...