
734 matches found

Veracode
added 2023/01/11 6:43 a.m., 13 views

Denial Of Service (DoS)

github.com/revel/revel is vulnerable to denial of service attacks. Unsanitized input in the query parser in bindSlice function allows remote attackers to cause resource exhaustion via unbounded memory allocation resulting in denial of service...

CVSS 7.5, AI score 7, EPSS 0.01464
Exploits 1, References 5, Affected Software 1
Veracode
added 2023/01/10 7:21 a.m., 22 views

Authentication Bypass

github.com/mellium/sasl is vulnerable to authentication bypass. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated; instead, the nonce is empty, causing authentication to fail in the best case, which may lead to...

CVSS 9.8, AI score 9.1, EPSS 0.00883
Exploits 0, References 5, Affected Software 1
OSV
added 2023/01/03 11:05 p.m., 21 views

GO-2022-1213 Insecure generation of cookies in github.com/go-macaron/csrf

The Options.Secure value is ignored, and cookies created by Generate never have the secure attribute...

CVSS 7.5, AI score 7.4, EPSS 0.00515
Exploits 0, References 2
Veracode
added 2023/01/03 4:49 p.m., 18 views

Path Traversal

github.com/jfrazelle/pastebinit is vulnerable to path traversal. The vulnerability exists due to the improper path handling in the pasteHandler function of server.go, allowing an attacker to access files outside the restricted directory...

CVSS 5.3, AI score 4.6, EPSS 0.00766
Exploits 0, References 6, Affected Software 1
Veracode
added 2023/01/03 9:44 a.m., 13 views

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to stored cross-site scripting (XSS) attacks. An attacker is able to inject and execute malicious JavaScript via the create post functionality...

CVSS 5.4, AI score 5.6, EPSS 0.00652
Exploits 1, References 4, Affected Software 1
Veracode
added 2023/01/03 7:47 a.m., 12 views

Cross-Site Request Forgery (CSRF)

github.com/usememos/memos is vulnerable to cross-site request forgery. The vulnerability exists in an incorrectly specified destination in a communication channel which allows an attacker to change the language for other users, via usersetting API forcing a change of password and/or other persona...

CVSS 6.5, AI score 6.2, EPSS 0.00642
Exploits 1, References 5, Affected Software 1
Veracode
added 2023/01/02 6:59 p.m., 11 views

Denial Of Service (DoS)

github.com/usememos/memos is vulnerable to denial of service attacks. A malicious user is able to pass a huge number of characters through the Nickname parameter, causing the application to crash through the POST request...

CVSS 7.5, AI score 7, EPSS 0.00678
Exploits 1, References 4, Affected Software 1
Veracode
added 2023/01/02 4:40 p.m., 18 views

Improper Authentication

github.com/usememos/memos is vulnerable to improper authentication. The vulnerability allows a remote attacker to use the Reset API on any user without consent via IDOR...

CVSS 9.8, AI score 8.8, EPSS 0.00731
Exploits 1, References 4, Affected Software 1
Veracode
added 2023/01/02 3:15 p.m., 13 views

Improper Access Control

github.com/usememos/memos is vulnerable to improper access control. The vulnerability allows authenticated remote attackers to edit and delete all other user shortcuts via the ID parameter...

CVSS 4.3, AI score 5.1, EPSS 0.00571
Exploits 1, References 4, Affected Software 1
Veracode
added 2023/01/02 1:02 p.m., 15 views

Information Disclosure

github.com/usememos/memos is vulnerable to information disclosure. A remote authenticated attacker is able to view any content from private memos from other users via the API...

CVSS 4.3, AI score 4.6, EPSS 0.00465
Exploits 1, References 5, Affected Software 1
Veracode
added 2023/01/02 10:09 a.m., 22 views

Insecure Direct Object References (IDOR)

github.com/usememos/memos is vulnerable to insecure direct object references. The vulnerability allows an attacker to delete all the available memos (public and private) in the entire application, since memo IDs are numeric and sequentially incremented, which makes them easy to guess and perform the attack...

CVSS 5.3, AI score 5.4, EPSS 0.00756
Exploits 1, References 4, Affected Software 1
Veracode
added 2022/12/30 10:49 a.m., 22 views

Denial Of Service (DoS)

github.com/go-yaml/yaml is vulnerable to denial of service. The vulnerability exists in multiple functions of decode.go due to unbounded alias chasing, which allows an attacker to cause an application crash via malicious input...

CVSS 5.5, AI score 3.6, EPSS 0.00415
Exploits 1, References 6, Affected Software 2
Veracode
added 2022/12/30 10:02 a.m., 18 views

Directory Traversal

github.com/go-aah/aah is vulnerable to directory traversal. The vulnerability exists in the Serve function in static.go due to improper sanitization of user input through HTTPEngine.Handle, which allows an attacker to read files outside of the target directory that the server has permission to rea...

CVSS 7.5, AI score 7, EPSS 0.01143
Exploits 0, References 5, Affected Software 1
Veracode
added 2022/12/30 8:06 a.m., 18 views

Cross-site Request Forgery (CSRF)

github.com/usememos/memos is vulnerable to cross-site request forgery. The vulnerability exists in the NewServer function in server.go, which allows an attacker to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website whil...

CVSS 6.5, AI score 6.1, EPSS 0.00328
Exploits 1, References 2, Affected Software 1
Veracode
added 2022/12/29 7:39 a.m., 29 views

Log Injection

github.com/gin-gonic/gin is vulnerable to log injection. The vulnerability exists in logger.go due to the lack of validation in library logs, which allows an attacker to inject malicious code into the system...

CVSS 7.5, AI score 7.8, EPSS 0.01448
Exploits 1, References 5, Affected Software 1
Github Security Blog
added 2022/12/28 12:30 a.m., 21 views

golang-nanoauth authentication bypass vulnerability

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token...

CVSS 9.1, AI score 8.8, EPSS 0.00811
Exploits 0, References 5, Affected Software 1
OSV
added 2022/12/27 10:15 p.m., 9 views

CVE-2019-25073

Improper path sanitization in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allows remote attackers to read files outside of the intended directory...

CVSS 7.5, AI score 7.5
Exploits 0, References 3
Cvelist
added 2022/12/27 9:17 p.m., 34 views

CVE-2022-3347 Incorrect validation of root DNSSEC public keys in github.com/peterzen/goresolver

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain...

AI score 7.7, EPSS 0.00242
Exploits 0, References 2
Vulnrichment
added 2022/12/27 9:17 p.m., 7 views

CVE-2022-3346 Incorrect DNSSEC validation due to unchecked owner names in github.com/peterzen/goresolver

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for...

AI score 6.4, EPSS 0.00227
Exploits 0, References 2
Cvelist
added 2022/12/27 9:17 p.m., 32 views

CVE-2022-3346 Incorrect DNSSEC validation due to unchecked owner names in github.com/peterzen/goresolver

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for...

AI score 6.6, EPSS 0.00227
Exploits 0, References 2