Veracode
added 2022/07/13 12:25 p.m., 20 views

Cross-site Scripting (XSS)

github.com/argoproj/argo-cd is vulnerable to cross-site scripting. The vulnerability exists due to a lack of sanitization allowing an attacker to inject maliciously crafted script via input in the /auth/callback page...

CVSS 6.1, AI score 5.7, EPSS 0.005
Exploits 0, References 6, Affected software 1
Veracode
added 2022/07/07 11:58 a.m., 11 views

Denial Of Service (DoS)

github.com/ipld/go-car is vulnerable to denial of service. The vulnerability exists in the LdRead function in util.go because the decoding of CAR data is not properly handled, which leads to excessive memory usage and an application crash...

AI score 2.2
Exploits 0
Veracode
added 2022/07/06 7:23 a.m., 23 views

Directory Traversal

github.com/beego/beego is vulnerable to directory traversal. The vulnerability exists due to the insecure use of path.join to handle wildcardValues in the leafInfo.match function, allowing an attacker to reach directories outside of the intended scope...

CVSS 9.8, AI score 8.8, EPSS 0.01254
Exploits 1, References 4, Affected software 1
OSV
added 2022/07/01 8:11 p.m., 19 views

GO-2022-0386 Import token permissions checking not enforced in github.com/nats-io/jwt

Import tokens valid for one account may be used for any other account. Validation of Import token bindings incorrectly warns on mismatches rather than rejecting the token. This permits a token for one account to be used for any other account...

CVSS 7.5, AI score 7.3, EPSS 0.0146
Exploits 1, References 2
OSV
added 2022/07/01 8:10 p.m., 23 views

GO-2022-0391 Exposure of unencrypted plaintext hash in github.com/aws/aws-sdk-go

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it...

CVSS 4.3, AI score 4.6, EPSS 0.00481
Exploits 1, References 1
Veracode
added 2022/06/24 3:21 a.m., 24 views

Cross-site Scripting (XSS)

github.com/zalando/skipper is vulnerable to cross-site scripting. The vulnerability exists due to a lack of sanitization allowing an attacker to bypass a query predicate via a maliciously crafted request...

CVSS 7.5, AI score 6.9, EPSS 0.01006
Exploits 1, References 2, Affected software 1
GitLab Advisory Database
added 2022/06/21 12:00 a.m., 29 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in github.com/argoproj/argo-cd/v2...

CVSS 9, AI score 2, EPSS 0.00779
Exploits 0, References 2, Affected software 1
Veracode
added 2022/06/07 10:20 a.m., 26 views

Denial Of Service (DoS)

github.com/cri-o/cri-o is vulnerable to denial of service. The vulnerability exists when the output of the command is large, causing memory exhaustion and an application crash...

CVSS 7.5, AI score 7.3, EPSS 0.02785
Exploits 1, References 4, Affected software 3
Veracode
added 2022/06/06 8:57 a.m., 27 views

Arbitrary File Upload

github.com/mindoc-org/mindoc is vulnerable to arbitrary file upload. The vulnerability exists in the Unzip function in ziptil.go because file upload permissions and validations are not properly handled, which allows an attacker to upload malicious files...

CVSS 7.8, AI score 7.5, EPSS 0.0082
Exploits 1, References 3, Affected software 1
Veracode
added 2022/05/26 10:05 a.m., 22 views

Directory Traversal

github.com/gphper/ginadmin is vulnerable to directory traversal. The vulnerability exists in the View function in adminSystemController.go due to a lack of sanitization of the path value, which allows an attacker to gain access outside of the intended directory...

CVSS 7.5, AI score 7.4, EPSS 0.01438
Exploits 1, References 3, Affected software 1
Veracode
added 2022/05/26 6:10 a.m., 23 views

Authentication Bypass

github.com/pingcap/tidb is vulnerable to Authentication Bypass. The vulnerability exists because the library does not properly restrict the access path, allowing an attacker to bypass the authentication process by providing malicious authentication requests, resulting in privilege escalation or...

CVSS 7.8, AI score 7.7, EPSS 0.00311
Exploits 0, References 4, Affected software 1
Veracode
added 2022/05/26 4:19 a.m., 27 views

Path Traversal

github.com/hashicorp/go-getter is vulnerable to path traversal. An attacker can access files outside the expected directory and download files or directories from various sources using malicious URLs by providing malicious inputs...

CVSS 8.6, AI score 8.9, EPSS 0.01279
Exploits 0, References 10, Affected software 1
Veracode
added 2022/05/26 2:56 a.m., 27 views

Path Traversal

github.com/hashicorp/go-getter is vulnerable to path traversal. An attacker can access files outside the expected directory and download files or directories from various sources using malicious URLs by providing malicious inputs...

CVSS 8.6, AI score 8.9, EPSS 0.03054
Exploits 0, References 9, Affected software 1
Github Security Blog
added 2022/05/24 4:44 p.m., 22 views

LXD vulnerable to Race Condition

In LXD before version 0.19-0ubuntu5, doUidshiftIntoContainer has an unsafe Chmod call that races against the stat in the Filepath.Walk function. A symbolic link created in that window could cause any file on the system to have any mode of the attacker's choice. Specific Go Packages Affected...

CVSS 8.1, AI score 7.7, EPSS 0.00896
Exploits 0, References 6, Affected software 1
Veracode
added 2022/05/23 9:05 a.m., 19 views

Buffer Overflow

github.com/pion/dtls is vulnerable to buffer overflow. The vulnerability exists in fragmentbuffer.go because no upper limit on the fragmentBuffer for network traffic is defined, which allows an attacker to cause excessive memory usage that then leads to an application crash...

CVSS 5.3, AI score 5.5, EPSS 0.01845
Exploits 0, References 4, Affected software 1
Veracode
added 2022/05/23 5:13 a.m., 14 views

Denial Of Service (DoS)

github.com/pion/dtls is vulnerable to denial of service. The vulnerability exists because the pop function of fragmentbuffer.go does not properly check the length of the fragments buffer, allowing an attacker to crash the application through the infinite loop by providing zero-length fragments...

CVSS 7.5, AI score 7.1, EPSS 0.01497
Exploits 0, References 4, Affected software 1
Veracode
added 2022/05/18 10:53 a.m., 1576 views

Remote Code Execution (RCE)

github.com/go-gitea/gitea is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization of the newPullRequest function in the giteauploader.go file allowing an attacker to inject maliciously crafted script into the system...

CVSS 7.5, AI score 7.9, EPSS 0.87678
Exploits 8, References 7, Affected software 2
Veracode
added 2022/05/18 3:05 a.m., 29 views

Privilege Escalation

github.com/coreos/ignition is vulnerable to Privilege Escalation. The vulnerability exists because the main function of main.go does not properly set the ignition-apply and ignition-rmcfg parameters according to the filepath.base arguments, allowing an attacker to access unprivileged containers in...

CVSS 6.5, AI score 6.6, EPSS 0.01148
Exploits 0, References 13, Affected software 2
Veracode
added 2022/05/09 3:58 a.m., 22 views

Privilege Escalation

github.com/argoproj/argo-workflows is vulnerable to privilege escalation. An attacker can create a workflow through the newHTTPServer function of argoserver.go that produces an HTML artifact and makes XHR calls to the Argo Server API by using a script, allowing the attacker to send malicious emai...

CVSS 7.1, AI score 2, EPSS 0.00842
Exploits 0, References 5, Affected software 1
OSV
added 2022/05/03 12:00 a.m., 16 views

GHSA-5HJH-C26M-XW8W ProxyScotch is vulnerable to a server-side Request Forgery (SSRF)

ProxyScotch is a simple proxy server created for hoppscotch.io. The package github.com/hoppscotch/proxyscotch before 1.0.0 is vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL...

CVSS 7.5, AI score 7.4, EPSS 0.01285
Exploits 1, References 4