
973 matches found

Hacker One, added 2022/01/06 9:52 p.m.

GitHub Security Lab: Java: Regex injection

This bug was reported directly to GitHub Security Lab...

AI score: 1.3. Exploits: 0.
Hacker One, added 2022/01/06 8:56 p.m.

GitHub Security Lab: [Java] CWE-089: MyBatis Mapper XML SQL Injection

This bug was reported directly to GitHub Security Lab...

AI score: 1.1. Exploits: 0.
Prion, added 2021/12/30 3:15 p.m.

Cross site scripting

jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. Versions prior to 2.31.1 contain a low-impact and limited cross-site scripting (XSS) vulnerability. The code for the XSS payload is always visible, but an attacker can use other techniques to hide the code...

CVSS: 2.1, AI score: 5.5, EPSS: 0.00297. Exploits: 1, References: 4, Affected software: 1.
Cvelist, added 2021/12/30 2:15 p.m.

CVE-2021-43862 Self XSS on user input

jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. Versions prior to 2.31.1 contain a low-impact and limited cross-site scripting (XSS) vulnerability. The code for the XSS payload is always visible, but an attacker can use other techniques to hide the code...

CVSS: 3.7, AI score: 5.5, EPSS: 0.00297. Exploits: 1, References: 4.
Prion, added 2021/12/20 10:15 p.m.

Cross site request forgery (CSRF)

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...

CVSS: 4.3, AI score: 4.7, EPSS: 0.00127. Exploits: 1, References: 3, Affected software: 1.
Cvelist, added 2021/12/20 9:30 p.m.

CVE-2021-43846 CSRF forgery protection bypass for Spree::OrdersController#populate

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. Versions...

CVSS: 5.3, AI score: 5.6, EPSS: 0.00127. Exploits: 1, References: 3.
CVE, added 2021/12/20 9:30 p.m.

CVE-2021-43846

CVE-2021-43846 (solidus_frontend CSRF) affects all solidus_frontend versions before 3.1.5, 3.0.5, and 2.11.14, enabling a malicious site to add items to a user's cart via CSRF. A patch was introduced in those versions that adds CSRF token verification to the Add to cart action. Connected advisori...

CVSS: 5.3, AI score: 4.6, EPSS: 0.00127. Exploits: 1, References: 3, Affected software: 1.
UbuntuCve, added 2021/12/07 7:15 p.m.

CVE-2021-43798

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0, except for patched versions, are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is /public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID for any installe...

CVSS: 7.5, AI score: 7.3, EPSS: 0.94438. Exploits: 44, References: 5.
Prion, added 2021/12/07 7:15 p.m.

Directory traversal

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0, except for patched versions, are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is /public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID for any installe...

CVSS: 5, AI score: 7.3, EPSS: 0.94438. Exploits: 44, References: 8, Affected software: 1.
Cvelist, added 2021/12/07 6:25 p.m.

CVE-2021-43798 Grafana path traversal

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0, except for patched versions, are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is /public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID for any installe...

CVSS: 7.5, AI score: 7.6, EPSS: 0.94438. Exploits: 44, References: 8.
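The three CVE-2021-43798 entries above all describe the same thing: a request under /public/plugins/<plugin-id>/ whose remaining segments climb out of the plugin directory. A quick way to check whether a Grafana instance was probed is to scan its access logs for that shape. The script below is an added example, not Grafana's code or part of any of the listed advisories; the log lines are constructed in combined log format, the plugin IDs and file targets are illustrative, and it assumes the raw request path reached Grafana without a reverse proxy normalising the `..` segments first. It percent-decodes repeatedly so single- and double-encoded dots (`%2e%2e`, `..%252f`) are caught as well as literal ones.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not real Grafana logs.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:18:40:01 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1456
10.0.0.5 - - [07/Dec/2021:18:40:02 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 20013
10.0.0.7 - - [07/Dec/2021:18:40:03 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 3391
10.0.0.9 - - [07/Dec/2021:18:40:04 +0000] "GET /api/dashboards/home HTTP/1.1" 200 812
10.0.0.5 - - [07/Dec/2021:18:40:05 +0000] "GET /public/plugins/graph/..%252f..%252f..%252fvar/lib/grafana/grafana.db HTTP/1.1" 200 0
"""

# Minimal combined-log parser: source address, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

PLUGIN_PREFIX = "/public/plugins/"


def decode_fully(path, rounds=3):
    """Percent-decode until stable so double-encoded dots (%252e) collapse to '.'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_plugin_traversal(raw_path):
    """True if the request targets the plugin asset route and contains a '..' segment."""
    path = decode_fully(raw_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_PREFIX):
        return False
    # Split on both separators; a '..' component anywhere after the prefix is a climb-out.
    segments = re.split(r"[\\/]+", path[len(PLUGIN_PREFIX):])
    return ".." in segments


def find_traversals(log_text):
    """Return (source, status, decoded_path) for every traversal attempt in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if is_plugin_traversal(m["path"]):
            hits.append((m["src"], m["status"], decode_fully(m["path"])))
    return hits


if __name__ == "__main__":
    for src, status, path in find_traversals(SAMPLE_LOG):
        print(f"{src} status={status} {path}")
```

A hit with a 200 status is the one to escalate: the affected versions served the file, so treat whatever the decoded path names (grafana.ini, the SQLite database, /etc/passwd) as disclosed. Requests rejected with 4xx still show who was probing.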
OSV, added 2021/12/07 6:15 p.m.

CVE-2021-43805

Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...

CVSS: 7.5, AI score: 7. Exploits: 0, References: 2.
Prion, added 2021/12/07 6:15 p.m.

Design/Logic Flaw

Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential...

CVSS: 5, AI score: 7.6, EPSS: 0.00118. Exploits: 1, References: 2, Affected software: 1.
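Both CVE-2021-43805 entries above come down to one pattern shape: an email validator whose regex backtracks exponentially on a crafted, non-matching address, so a guest checkout request can pin a worker. The example below is added here and is not Solidus's code; the two email patterns are constructed for illustration and are not the one Solidus shipped or the one it was fixed to. It does two things a practitioner wants: a lint that parses a regex with Python's own `re` parser and flags an unbounded repeat nested inside another unbounded repeat (the classic `(x+)+` shape), and a validator that caps input length before the regex ever runs, so even an imperfect pattern has bounded work.

```python
import re

# The regex parser moved under re._parser in Python 3.11; fall back for older releases.
try:
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:  # pragma: no cover
    import sre_parse, sre_constants

EMAIL_MAX_LEN = 254  # RFC 5321 limit on a forward path; rejecting longer input bounds regex work

# Constructed patterns (assumptions for this example, not Solidus's validator).
AMBIGUOUS_EMAIL_RE = r"^([a-zA-Z0-9._%+-]+)+@[a-zA-Z0-9.-]+$"          # nested unbounded repeat
LINEAR_EMAIL_RE = r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$"  # no nesting


def _subpatterns(av):
    """Yield every parsed sub-pattern embedded in an opcode's argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)


def _walk(node, inside_unbounded):
    for op, av in node:
        if op in (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT):
            _lo, hi, body = av
            unbounded = hi == sre_constants.MAXREPEAT
            if unbounded and inside_unbounded:
                return True
            if _walk(body, inside_unbounded or unbounded):
                return True
        else:
            for child in _subpatterns(av):
                if _walk(child, inside_unbounded):
                    return True
    return False


def has_nested_unbounded_repeat(pattern):
    """Heuristic ReDoS lint: an unbounded repeat (*, +, {n,}) nested in another one.

    Flags the exponential-backtracking shape; it does not catch every ReDoS (e.g. (a|aa)+)
    and can flag patterns that an unambiguous delimiter makes safe, so treat hits as review items.
    """
    return _walk(sre_parse.parse(pattern), False)


def validate_email(address, pattern=LINEAR_EMAIL_RE):
    """Length cap first, regex second: the cap bounds backtracking regardless of the pattern."""
    if len(address) > EMAIL_MAX_LEN:
        return False
    return re.fullmatch(pattern, address) is not None


if __name__ == "__main__":
    for name, pat in (("ambiguous", AMBIGUOUS_EMAIL_RE), ("linear", LINEAR_EMAIL_RE)):
        print(f"{name}: nested unbounded repeat = {has_nested_unbounded_repeat(pat)}")
    print(validate_email("guest@example.com"), validate_email("a" * 300 + "@example.com"))
```

The fix Solidus shipped (a different regex) and the length cap are complementary: the lint catches the dangerous shape at review time, the cap limits damage if a bad pattern still ships. Run the lint over every pattern applied to request-controlled input, not just the email one.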
Github Security Blog, added 2021/12/01 6:29 p.m.

Cross-Site Scripting Vulnerability in @joeattardi/emoji-button

Impact: There are two vectors for XSS attacks with versions of @joeattardi/emoji-button before 4.6.2: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a script tag into the page and execute malicious code. Patches: This vulnerability...

CVSS: 7.6, AI score: 1.1, EPSS: 0.00398. Exploits: 0, References: 5, Affected software: 1.
Hacker One, added 2021/11/30 6:12 p.m.

GitHub Security Lab: [Java] CWE-400: Query to detect uncontrolled thread resource consumption

This bug was reported directly to GitHub Security Lab...

AI score: 1.1. Exploits: 0.
Hacker One, added 2021/11/30 6:12 p.m.

GitHub Security Lab: [porcupiney.hairs]: [Python] Add Flask Path injection sinks

This bug was reported directly to GitHub Security Lab...

AI score: 1.3. Exploits: 0.
Prion, added 2021/11/24 4:15 p.m.

Design/Logic Flaw

Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the REDASH_COOKIE_SECRET or REDASH_SECRET_KEY environment variables, a default value is used for both that is the same across all installations. In such cases, th...

CVSS: 3.5, AI score: 6.4, EPSS: 0.79584. Exploits: 1, References: 3, Affected software: 1.
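The Redash entry above is a configuration defect rather than a code bug: a signing key that is the same on every install means anyone who reads the public source can sign session cookies and other tokens for any deployment that kept the default. The check below is an added example, not Redash's code. It reads the two variable names the advisory names from an environment mapping and reports anything unset, too short (the 32-character floor is an assumed policy), or reused between the two; a helper mints fresh independent values with the standard library's CSPRNG.

```python
import secrets

# Variable names from the advisory; the length floor is an assumed deployment policy.
SECRET_VARS = ("REDASH_COOKIE_SECRET", "REDASH_SECRET_KEY")
MIN_SECRET_LEN = 32


def check_redash_secrets(env):
    """Return a list of findings for an environment mapping; empty means acceptable."""
    findings = []
    for name in SECRET_VARS:
        value = env.get(name)
        if not value:
            findings.append(f"{name} is unset; Redash substitutes a default that every install shares")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{name} is {len(value)} characters; set at least {MIN_SECRET_LEN}")
    cookie_secret, secret_key = (env.get(name) for name in SECRET_VARS)
    if cookie_secret and secret_key and cookie_secret == secret_key:
        findings.append("REDASH_COOKIE_SECRET and REDASH_SECRET_KEY are identical; use independent values")
    return findings


def generate_secret_env():
    """Fresh, independent 64-hex-char values for both variables (256 bits of entropy each)."""
    return {name: secrets.token_hex(32) for name in SECRET_VARS}


if __name__ == "__main__":
    import os
    problems = check_redash_secrets(os.environ)
    if problems:
        print("\n".join(problems))
        print("Suggested replacement values:")
        for name, value in generate_secret_env().items():
            print(f"export {name}={value}")
    else:
        print("Redash secrets look acceptable")
```

Rotating the keys invalidates every existing session, which is exactly the point: any cookie minted under the shared default must stop working. Run the check against the container or service environment that Redash actually starts with, not a developer shell.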
Hacker One, added 2021/11/17 7:09 p.m.

GitHub Security Lab: [Python]: JWT security-related queries

This bug was reported directly to GitHub Security Lab...

AI score: 1.1. Exploits: 0.
Hacker One, added 2021/11/16 12:51 a.m.

GitHub Security Lab: [Python]: CWE-079: HTTP Header injection

This bug was reported directly to GitHub Security Lab...

Exploits: 0.
Hacker One, added 2021/11/04 8:37 p.m.

GitHub Security Lab: Yet another SSRF query for Go

This bug was reported directly to GitHub Security Lab...

AI score: 1.2. Exploits: 0.