1281 matches found
GHSA-RCJV-MGP8-QVMR OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
Summary: This handler wrapper https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65 out of the box adds the labels http.useragent and http.method, which have unbound cardinality. It leads to the server...
Piwigo < 14.0.0.beta4 XSS Vulnerability
Piwigo is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:piwigo:piwigo"; if...
Zope XSS Vulnerability (GHSA-wm8q-9975-xh5v)
Zope is prone to a cross-site scripting (XSS) vulnerability with SVG images. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
NodeBB 2.x < 2.8.13, 3.x < 3.1.3 Information Disclosure Vulnerability
NodeBB is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:nodebb:nodebb";...
CUPS < 2.4.7 Buffer Overflow Vulnerability
CUPS is prone to a heap-based buffer overflow vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:openprinting:cups"; ...
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Impact A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger which can be an additional vulnerability for deployments where the beforeFind trigger is used as a security layer to modify an incoming query. Patches The...
XWiki 4.0-milestone-2 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.1 XSS Vulnerability (GHSA-44h9-xxvx-pg6x)
XWiki is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:xwiki:xwiki";...
CVE-2023-40013
creationtimestamp | type | source
---|---|---
2023-08-14 10:51:32+00:00 | published-proof-of-concept | https://github.com/shubhamjain/svg-loader/security/advisories/GHSA-xc2r-jf2x-gjr8...
CUPS < 2.4.3 DoS Vulnerability
CUPS is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:openprinting:cups"; if...
CUPS 2.2.0 < 2.4.6 Use After Free Vulnerability
CUPS is prone to a use after free vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:openprinting:cups"; if...
CVE-2023-39965
creationtimestamp | type | source
---|---|---
2023-08-10 06:47:11+00:00 | published-proof-of-concept | https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-85cf-gj29-f555...
Intelliants Subrion CMS 4.2.1 Remote Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE', 'Description' = %q This module exploits an authenticated file upload...
CVE-2023-32302
Rejected reason: Authoritative user requested CVE rejection https://github.com/github/advisory-database/pull/2575#issuecomment-1745811653...
Cross site scripting in widgets with units
Date : 2023-07-25 CVE ID : CVE-2023-36806 Authenticated users can inject malicious code in widgets with units, which is then executed both in the element preview back end and on the website front end. Thanks to Christian Pöschl and Fabian Brenner from usd AG for reporting this vulnerability...
Redis < 6.0.20, 6.2.x < 6.2.13, 7.x < 7.0.12 Heap Overflow Vulnerability
Redis is prone to a heap overflow vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:redis:redis"; if description...
Piwigo < 13.8.0 SQLi Vulnerability
Piwigo is prone to an SQL injection (SQLi) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:piwigo:piwigo"; if...
Openfire 3.10 < 4.6.8 / 4.7 < 4.7.5 Authentication Bypass
The remote host is running a version of Openfire that is affected by an authentication bypass vulnerability. Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack...
CVE-2023-35925
creationtimestamp | type | source
---|---|---
2023-06-22 10:47:22+00:00 | published-proof-of-concept | https://github.com/IntellectualSites/FastAsyncWorldEdit/security/advisories/GHSA-whj9-m24x-qhhp...
CVE-2023-35169
creationtimestamp | type | source
---|---|---
2023-06-21 18:58:05+00:00 | published-proof-of-concept | https://github.com/Webklex/php-imap/security/advisories/GHSA-47p7-xfcc-4pv9...
Discourse < 3.0.4 Multiple Vulnerabilities
Discourse is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:discourse:discourse"; ifdescriptio...