GHSA-QMJF-WC2H-6X3Q Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects

Impact What kind of vulnerability is it? Who is impacted? A user with permissions to view Dynamic Group records extras.viewdynamicgroup permission can use the Dynamic Group detail UI view /extras/dynamic-groups// and/or the members REST API view /api/extras/dynamic-groups//members/ to list the...

GHSA-G6F5-4W43-2X63 ScnSocialAuth Cross-site Scripting vulnerability in login redirect param

ScnSocialAuth version 1.15.2 has been released and includes a security for this vulnerability. Fix has been applied in https://github.com/SocalNick/ScnSocialAuth/commit/4a00966c41bc37251586d007564c5c891eba3700 Affected versions All versions below 1.15.2 are affected. dev-master is fixed starting...

ScnSocialAuth Cross-site Scripting vulnerability in login redirect param

ScnSocialAuth version 1.15.2 has been released and includes a security for this vulnerability. Fix has been applied in https://github.com/SocalNick/ScnSocialAuth/commit/4a00966c41bc37251586d007564c5c891eba3700 Affected versions All versions below 1.15.2 are affected. dev-master is fixed starting...

Denial Of Service (DoS)

github.com/stacklok/minder is vulnerable to a Denial Of Service DoS. The vulnerability is due to the sigstore verifier reading an untrusted response entirely into memory without enforcing a limit on the response body. The vulnerability allows an attacker to crash the Minder server and deny other...

CVE-2024-35238

Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service DoS attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that...

CVE-2024-35238 Denial of service of Minder Server from maliciously crafted GitHub attestations

Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service DoS attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that...

CVE-2024-35238 Denial of service of Minder Server from maliciously crafted GitHub attestations

Minder by Stacklok is an open source software supply chain security platform. Minder prior to version 0.0.51 is vulnerable to a denial-of-service DoS attack which could allow an attacker to crash the Minder server and deny other users access to it. The root cause of the vulnerability is that...

Exploit for Code Injection in Atlassian Confluence_Data_Center

Usage python poc.py -u http://localhost:8090...

Information Disclosure

github.com/dapr/dapr is vulnerable to Information Disclosure. The vulnerability is caused due to the gRPC proxy sending the invoker app's token instead of the invoked app's token. This allows an attacker to gain access to the invoker app's token, compromising security and authentication mechanism...

GO-2024-2879 Dapr API Token Exposure in github.com/dapr/dapr

Dapr API Token Exposure in github.com/dapr/dapr...

CVE-2024-35232 github.com/huandu/facebook may expose access_token in error message

github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. accesstoken can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2...

CVE-2024-35232 github.com/huandu/facebook may expose access_token in error message

github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. accesstoken can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2...

CVE-2024-35232 github.com/huandu/facebook may expose access_token in error message

github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. accesstoken can be exposed in error message on fail in HTTP request. This issue has been patched in version 2.7.2...

Directory Traversal

github.com/stakater/forecastle is vulnerable to Directory Traversal. The vulnerability is due to insufficient input validation, allowing attackers to traverse directories by including "../" sequences in requests...

SVGMagic <= 1.1 - Stored XSS via SVG Upload

Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. 1. Create a SVG file with the malicious payload within it; Example SVG file:...

GO-2024-2874 Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability in github.com/cosmos/ibc-go

The ibc-go module is affected by the Inter-Blockchain Communication IBC protocol "Huckleberry" vulnerability. The vulnerability allowed an attacker to send arbitrary transactions onto target chains and trigger arbitrary state transitions, including but not limited to, theft of funds. It was...

Denial Of Service (DoS)

github.com/stacklok/minder is vulnerable to Denial Of Service DoS. The vulnerability is due to the engines lack of template size limits, which allows an attacker to execute a Denial of Service DoS attack by submitting maliciously crafted large templates...

GitHub Token Leakage

github.com/wolfi-dev/wolfictl is vulnerable to GitHub Token Leakage. The vulnerability is due to a local user's GitHub token being sent to remote servers other than github.com if a user ran wolfictl update with a non github domain...

CVE-2024-4985

An authentication bypass vulnerability was present in the GitHub Enterprise Server GHES when utilizing SAML single sign-on authentication with the optional encrypted assertions feature. This vulnerability allowed an attacker to forge a SAML response to provision and/or gain access to a user with...

GHSA-2J6R-9VV4-6GF5 github.com/bincyber/go-sqlcrypter vulnerable to IV collision

There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption...