Cross-Site Scripting (XSS)

Overview In affected versions of hellojs hello.js there is a cross-site scripting bug. The code get the param oauthredirect from url and pass it to location.assign without any check and sanitisation. It is possible to simply pass some XSS payloads into the url param oauthredirect, such as...

Prototype Pollution

Overview Overview Affected versions of immer are vulnerable to Prototype Pollution. Proof of exploit const applyPatches, enablePatches = require"immer"; enablePatches; let obj = ; console.log"Before : " + obj.polluted; applyPatches, op: 'add', path: "proto", "polluted" , value: "yes" ; //...

CVE-2021-21294

Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...

Design/Logic Flaw

Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...

Design/Logic Flaw

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

CVE-2021-21294 Unbounded connection acceptance in http4s-blaze-server

Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...

SRC-2021-0009 : Smarty Template Engine template_object Sandbox Escape Remote Code Execution Vulnerability

Vulnerability Details: This vulnerability allows remote attackers execute arbitrary code on affected installations of Smarty Template Engine. Authentication is context dependant and may not be required to exploit this vulnerability. The specific flaw exists within the...

Sonatype Nexus 3.21.1 Remote Code Execution

Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution Authenticated Exploit Author: 1F98D Original Author: Alvaro Muñoz Date: 27 May 2020 Vendor Hompage: https://www.sonatype.com/ CVE: CVE-2020-10199 Tested on: Windows 10 x64 References:...

Design/Logic Flaw

CairoSVG is a Python pypi package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service REDoS vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regula...

CVE-2021-21236

CairoSVG is a Python pypi package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service REDoS vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regula...

CVE-2021-21236

CairoSVG is a Python pypi package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service REDoS vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regula...

Password stored in plain text

Overview parse-server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication ...

Cross-Site Scripting

Overview Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements. Recommendation Upgrade to version 2.0.17 or...

[SECURITY] [DSA 4811-1] libxstream-java security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4811-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff December 15, 2020 https://www.debian.org/security/faq -...

Cross-Site Scripting bypass

Overview All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. Recommendation No fix is currently available. Consider using an alternative package until a fix is...

@ist-group/skolid-client-components (>=0.7.0 <=0.10.2) potentially affected by unknown CVE via personnummer (=2.1.1)

personnummer NPM version =2.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on personnummer and may be impacted: - @ist-group/skolid-client-components =0.7.0, =0.10.2 Source cves: unknown CVE Source advisory: OSV:GHSA-VPGC-7H78-GX8F...

fleek-response (>=0.4.2 <=0.4.3), fleek-router (>=0.4.2 <=1.2.3) potentially affected by unknown CVE via swagger-injector (>=1.2.0 <=2.0.9)

swagger-injector NPM version =1.2.0, =0.4.2, =0.4.2, =1.2.3 Source cves: unknown CVE Source advisory: OSV:GHSA-V4X8-GW49-7HV4...

fd-dcc (>=1.0.0 <=2.1.4), test_sdk_aki (>=1.0.3 <=1.0.4) +1 more potentially affected by unknown CVE via axioss (=0.0.1-security)

axioss NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on axioss and may be impacted: - fd-dcc =1.0.0, =1.0.3, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:GHSA-8W9J-6WG6-QV4F...

CVE-2017-1000219

creationtimestamp| type| source ---|---|--- 2020-09-01 16:43:55+00:00| published-proof-of-concept| https://github.com/advisories/GHSA-63m4-fhf2-cmf7...

CVE-2016-1000249

creationtimestamp| type| source ---|---|--- 2020-09-01 16:38:33+00:00| published-proof-of-concept| https://github.com/advisories/GHSA-2r7f-4h2c-5x73...