734 matches found
CVE-2020-36567
Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines...
CVE-2022-2583 Race condition in github.com/ntbosscher/gobase
A race condition can cause incorrect HTTP request routing...
CVE-2020-36563 Weak hash (SHA-1) in github.com/RobotsAndPencils/go-saml
XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input...
CVE-2016-15005 Cryptographically weak random number generation in github.com/dinever/golf
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests...
CVE-2020-36562 Uncontrolled Resource Consumption in github.com/shiyanhui/dht
Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector...
CVE-2019-25072 Uncontrolled resource consumption in github.com/tendermint/tendermint
Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector...
CVE-2019-25073 Path traversal in github.com/goadesign/goa
Improper path sanitization in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allows remote attackers to read files outside of the intended directory...
CVE-2014-125026 Out-of-bounds write in github.com/cloudflare/golz4
LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input...
CVE-2020-36568
Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation...
Cross-Site Scripting (XSS)
github.com/usememos/memos is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in server.go because when an SVG file containing malicious data is uploaded, the content of the uploaded file is not filtered, and it will be triggered when the user accesses...
Cross-site Scripting (XSS)
github.com/usememos/memos is vulnerable to cross-site scripting. The vulnerability exists in the NewServer function of server.go because of an image direct link due to improper user-input sanitization by uploading a malicious SVG file...
Authorization Bypass
github.com/openfga/openfga is vulnerable to authorization bypass. The vulnerability exists in the readUserTuple function in checkutils.go due to a lack of validation in the authorization mechanism, which allows an attacker to bypass the authorization mechanism under certain conditions...
Cross-site Scripting (XSS)
github.com/alist-org/alist is vulnerable to cross-site scripting. The vulnerability exists due to a lack of sanitization in the useradmin page, which allows a remote attacker to inject and execute malicious JavaScript on the system...
CVE-2022-23495
go-merkledag implements the 'DAGService' interface and adds two ipld node types, Protobuf and Raw for the ipfs project. A ProtoNode may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. A ProtoNode...
GO-2022-1114 ZipSlip when unzipping files in github.com/duke-git/lancet
A ZipSlip vulnerability exists when using the fileutil package to unzip files...
Information Disclosure
github.com/grafana/synthetic-monitoring-agent is vulnerable to information disclosure. The vulnerability exists in multiple functions due to the default installation of synthetic-monitoring-agent, which allows an attacker to communicate with the Synthetic Monitoring API via a debugging endpoint...
Authentication Bypass
github.com/prometheus/exporter-toolkit is vulnerable to authentication bypass. It is possible to bypass the security mechanisms by poisoning the built-in authentication cache when an attacker has access to the web.yml file and users' bcrypt-hashed passwords...
Oracle Linux 9 : buildah (ELSA-2022-8008)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-8008 advisory. - fix CVE-2022-2990. Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has not...
AlmaLinux 9 : skopeo (ALSA-2022:7955)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7955 advisory. - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is...
Information Disclosure
github.com/hashicorp/consul is vulnerable to information disclosure. The vulnerability exists in the Filter function of filter.go because the data imported from peers is not properly filtered by ACLs at the UI Nodes, which allows an attacker to gain access to the ACL tokens and view sensitive...