
11190 matches found

Github Security Blog
added 2024/05/07 1:2 p.m., 16 views

Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests

Minder's HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests t...

CVSS 7.5 | AI score 7.4 | EPSS 0.00149
Exploits: 0 | References: 8 | Affected software: 1
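The point of this entry is ordering: the handler can fail while the request is still untrusted. The following is an added example, not Minder's code, of the shape a webhook entry point should have: the body is read under a size cap and GitHub's X-Hub-Signature-256 HMAC is verified before anything parses the payload, so an unauthenticated sender never reaches the code that could panic or allocate. The 1 MiB cap, the secret, the payload and the in-process delivery helper are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBody caps how much of an untrusted request is read before the signature
// is checked; the 1 MiB figure is an assumption for this example.
const maxBody = 1 << 20

// verifyGitHubSignature checks an X-Hub-Signature-256 value ("sha256=<hex>")
// against HMAC-SHA256(secret, body) using a constant-time comparison.
func verifyGitHubSignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	want, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), want)
}

// handleWebhook reads a size-bounded body, verifies the signature, and only
// then hands the payload to process. Requests that fail either check never
// reach the parsing stage, so a crafted body cannot crash it.
func handleWebhook(secret []byte, process func(payload []byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "payload too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		if !verifyGitHubSignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		process(body)
		w.WriteHeader(http.StatusNoContent)
	}
}

// sign produces the header value a legitimate delivery would carry.
func sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// deliver posts body to the handler in-process (no network) and reports the
// status code and whether process ran.
func deliver(secret, body []byte, sigHeader string) (int, bool) {
	processed := false
	h := handleWebhook(secret, func([]byte) { processed = true })
	req := httptest.NewRequest(http.MethodPost, "/webhook", bytes.NewReader(body))
	if sigHeader != "" {
		req.Header.Set("X-Hub-Signature-256", sigHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, processed
}

func main() {
	secret := []byte("constructed-example-secret") // constructed, not a real secret
	body := []byte(`{"action":"opened"}`)           // constructed payload
	fmt.Println(deliver(secret, body, sign(secret, body)))              // 204 true
	fmt.Println(deliver(secret, body, ""))                              // 401 false
	fmt.Println(deliver(secret, make([]byte, maxBody+1), "sha256=00")) // 413 false
}
```

Note the order inside the handler: the size cap is enforced by the reader itself, so an oversized body is refused before it is even fully buffered, and the HMAC check runs before any JSON decoding. Rejected requests cost the server one bounded read and one HMAC, nothing else.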
Veracode
added 2024/05/07 6:43 a.m., 13 views

Improper Origin Validation

github.com/jub0bs/cors is vulnerable to Improper Origin Validation. The vulnerability is due to middleware configured with multiple origin patterns that share a similar suffix, which mistakenly permits access from some untrusted origins, potentially leading to cross-origin attacks...

AI score 7
Exploits: 0
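Why an origin check must compare whole origins rather than host suffixes, as an added Go example. This is not the jub0bs/cors code and does not reproduce that library's actual pattern-matching logic; it contrasts a generic suffix match with a parsed, exact match and with a dot-anchored subdomain match. The allowlist and the origins are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedOrigins is a constructed allowlist; both entries end in
// "example.com", the kind of shared suffix that trips up loose matching.
var allowedOrigins = []string{"https://app.example.com", "https://api.example.com"}

// suffixMatchOrigin is the weak check: it accepts any Origin value that ends
// with an allowed host, so "https://evil-app.example.com" passes.
func suffixMatchOrigin(origin string) bool {
	for _, allowed := range allowedOrigins {
		if strings.HasSuffix(origin, strings.TrimPrefix(allowed, "https://")) {
			return true
		}
	}
	return false
}

// parseOrigin splits a serialized origin into scheme and host[:port] and
// rejects anything that carries a path, query, fragment or userinfo.
func parseOrigin(origin string) (scheme, host string, ok bool) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" || u.Opaque != "" ||
		u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", "", false
	}
	return strings.ToLower(u.Scheme), strings.ToLower(u.Host), true
}

// exactMatchOrigin compares the parsed origin with each allowlist entry as a
// whole value; a longer host that merely ends in an allowed host never matches.
func exactMatchOrigin(origin string) bool {
	scheme, host, ok := parseOrigin(origin)
	if !ok {
		return false
	}
	for _, allowed := range allowedOrigins {
		as, ah, _ := parseOrigin(allowed)
		if scheme == as && host == ah {
			return true
		}
	}
	return false
}

// subdomainMatchOrigin is the safe way to allow "*.base" when that is really
// wanted: the suffix is anchored on a dot boundary, so "evilexample.com"
// does not match base "example.com". Ports must be listed explicitly.
func subdomainMatchOrigin(origin, base string) bool {
	scheme, host, ok := parseOrigin(origin)
	if !ok || scheme != "https" {
		return false
	}
	base = strings.ToLower(base)
	return host == base || strings.HasSuffix(host, "."+base)
}

func main() {
	for _, o := range []string{"https://app.example.com", "https://evil-app.example.com", "https://app.example.com/"} {
		fmt.Printf("%-32s suffix=%-5v exact=%v\n", o, suffixMatchOrigin(o), exactMatchOrigin(o))
	}
}
```

The exact matcher also rejects an origin with a trailing slash or a different scheme, which is correct: a browser sends the serialized origin with neither, and anything else is not an origin.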
Oracle linux
added 2024/05/07 12:0 a.m., 31 views

buildah bug fix update

1.33.7-1.0.1 - Drop nmap-ncat requirement and skip ignore-socket test case (Orabug: 34117178)
2:1.33.7-1 - update to the latest content of https://github.com/containers/buildah/tree/release-1.33 (https://github.com/containers/buildah/commit/b95e962) - Resolves: RHEL-28230...

CVSS 7.5 | AI score 8.7 | EPSS 0.00393
Exploits: 0
Veracode
added 2024/05/06 7:15 a.m., 14 views

Unauthorized File Access

github.com/pterodactyl/wings is vulnerable to Unauthorized File Access. The vulnerability is caused by a leaked Wings token, whether through inadvertent disclosure of the node configuration or other accidental leakage, which allows an attacker arbitrary file read and write access on the associated nodes...

CVSS 8.4 | AI score 6.8 | EPSS 0.00338
Exploits: 0 | References: 3 | Affected software: 1
NVD
added 2024/05/02 2:15 p.m., 6 views

CVE-2024-4128

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed cal...

CVSS 4.3 | AI score 3.4 | EPSS 0.00067
Exploits: 0 | References: 2
Veracode
added 2024/05/02 9:1 a.m., 12 views

Denial Of Service (DoS)

github.com/onosproject/rimedo-ts is vulnerable to Denial of Service (DoS). The vulnerability is due to an out-of-range panic in reader.go when accessing elements beyond the slice bounds, which could result in a denial of service...

CVSS 7.5 | AI score 6.8 | EPSS 0.00182
Exploits: 1 | References: 4 | Affected software: 1
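The crash pattern behind this class of bug, as an added Go example that is not rimedo-ts code and does not use its actual message format: a length field read from untrusted bytes is used to slice the buffer without first checking that the buffer holds that many bytes. The record format (one type byte, a big-endian uint16 length, then the payload) and the sample inputs are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// record is the constructed wire format used here: one type byte, a
// big-endian uint16 payload length, then the payload.
type record struct {
	Kind    byte
	Payload []byte
}

var errTruncated = errors.New("record truncated: length field exceeds buffer")

// parseRecordUnsafe is the crash pattern: the length field is trusted and
// used to slice the buffer, so a short input panics with a slice bounds error.
func parseRecordUnsafe(buf []byte) record {
	n := int(binary.BigEndian.Uint16(buf[1:3]))
	return record{Kind: buf[0], Payload: buf[3 : 3+n]}
}

// parseRecord checks the header and the declared length against the bytes
// actually present before slicing, returning an error instead of panicking.
// The second result is the number of bytes consumed.
func parseRecord(buf []byte) (record, int, error) {
	if len(buf) < 3 {
		return record{}, 0, errTruncated
	}
	n := int(binary.BigEndian.Uint16(buf[1:3]))
	if len(buf)-3 < n {
		return record{}, 0, errTruncated
	}
	return record{Kind: buf[0], Payload: buf[3 : 3+n]}, 3 + n, nil
}

// parseStream walks a buffer of back-to-back records; the first malformed
// record stops the parse with an error while the caller keeps running.
func parseStream(buf []byte) ([]record, error) {
	var out []record
	for len(buf) > 0 {
		rec, used, err := parseRecord(buf)
		if err != nil {
			return out, err
		}
		out = append(out, rec)
		buf = buf[used:]
	}
	return out, nil
}

// panics reports whether f panics; used only to demonstrate the unsafe path.
func panics(f func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

// Constructed inputs: two well-formed records, then a record whose length
// field claims 16 bytes of payload but is followed by only one byte.
var (
	goodStream = []byte{0x01, 0x00, 0x02, 0xAA, 0xBB, 0x02, 0x00, 0x01, 0xCC}
	truncated  = []byte{0x01, 0x00, 0x10, 0xAA}
)

func main() {
	recs, err := parseStream(goodStream)
	fmt.Println(len(recs), err) // 2 <nil>
	_, err = parseStream(truncated)
	fmt.Println(err) // record truncated: length field exceeds buffer
	fmt.Println(panics(func() { parseRecordUnsafe(truncated) })) // true
}
```

In a network-facing service one unrecovered panic like the unsafe one above takes the whole process down, which is what turns a parsing bug into a remote denial of service; bounds checks at the parse boundary are the fix, and a recover wrapper around the handler is only a backstop.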
Hacker One
added 2024/04/30 11:55 p.m., 15 views

GitHub: GitHub Apps can access suspended installations via scoped user-to-server tokens

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This vulnerability was only exploitable in public repositories. The vulnerability affected all versions of...

CVSS 6.9 | AI score 5.1 | EPSS 0.01146
Exploits: 0
Veracode
added 2024/04/29 6:4 a.m., 17 views

Denial Of Service (DoS)

github.com/argoproj/argo-cd is vulnerable to Denial of Service (DoS). The vulnerability is due to inadequate validation of input in the ignoreDifferences configuration, allowing an attacker to craft a jqPathExpressions entry that consumes excessive memory, leading to a DoS condition...

CVSS 6.5 | AI score 6.7 | EPSS 0.00416
Exploits: 0 | References: 5 | Affected software: 1
Veracode
added 2024/04/29 4:10 a.m., 30 views

Arbitrary Systemd Property Injection

github.com/cri-o/cri-o is vulnerable to Arbitrary Systemd Property Injection. The vulnerability is due to improper filtering of systemd properties supplied through Pod annotations, allowing an attacker with the ability to create a pod with arbitrary annotations to perform unauthorized actions on the host...

CVSS 7.2 | AI score 6.9 | EPSS 0.00369
Exploits: 0 | References: 12 | Affected software: 1
GithubExploit
added 2024/04/28 4:32 p.m., 303 views

Exploit for Improper Access Control in Joomla Joomla!

Installation sh git clone h...

CVSS 5.3 | AI score 6 | EPSS 0.94522
Exploits: 42
Github Security Blog
added 2024/04/28 12:30 a.m., 21 views

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library. Paragon Initiative Enterprises hard-forked...

CVSS 4.3 | AI score 7.1 | EPSS 0.00119
Exploits: 0 | References: 6 | Affected software: 2
The Hacker News
added 2024/04/27 5:12 a.m., 41 views

Bogus npm Packages Used to Trick Software Developers into Installing Malware

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat...

AI score 7
Exploits: 0
Vulnrichment
added 2024/04/27 12:0 a.m., 13 views

CVE-2024-33851

phpecc, as used in paragonie/phpecc before 2.0.1, has a branch-based timing leak in Point addition. This is related to phpecc/phpecc on GitHub, and the Matyas Danter ECC library...

AI score 6.7 | EPSS 0.00119
Exploits: 0 | References: 1
OSV
added 2024/04/26 8:5 p.m., 11 views

GO-2024-2744 Access control change may take longer than expected in github.com/authelia/authelia/v4

If the file authentication backend is being used, the watch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to...

AI score 7.2
Exploits: 0 | References: 2
OSV
added 2024/04/26 8:5 p.m., 13 views

GO-2024-2743 XSS vulnerability via personal website in github.com/apache/incubator-answer

XSS vulnerability via personal website in github.com/apache/incubator-answer...

CVSS 4.6 | AI score 4.4 | EPSS 0.0038
Exploits: 0 | References: 2
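A "personal website" field is a URL the user controls and the application later places inside an href, so a javascript: or data: value becomes script execution for whoever views the profile. The following is an added Go example, not Apache Answer's code, showing the two layers that prevent it: validating the scheme at input time, and rendering through html/template, whose contextual escaper replaces unsafe URL schemes in an href with "#ZgotmplZ". The template markup and the sample inputs are assumptions for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// validateWebsite accepts only absolute http(s) URLs with a host; javascript:,
// data:, scheme-relative ("//host/...") and bare-text values are rejected at
// input time. It returns the normalized URL to store.
func validateWebsite(raw string) (string, bool) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", false
	}
	switch u.Scheme { // url.Parse lowercases the scheme
	case "http", "https":
	default:
		return "", false
	}
	if u.Host == "" || u.User != nil {
		return "", false
	}
	return u.String(), true
}

// profileTmpl renders the link with html/template; the escaper knows the
// value sits in an href and applies URL-context filtering, not just HTML
// entity escaping.
var profileTmpl = template.Must(template.New("profile").Parse(
	`<a href="{{.Website}}" rel="nofollow noopener">{{.Website}}</a>`))

// renderProfileLink renders the (possibly hostile) stored value.
func renderProfileLink(website string) (string, error) {
	var b bytes.Buffer
	err := profileTmpl.Execute(&b, struct{ Website string }{website})
	return b.String(), err
}

func main() {
	// constructed inputs: one legitimate, two hostile
	for _, in := range []string{"https://example.com", "javascript:alert(1)", "//attacker.test/x"} {
		clean, ok := validateWebsite(in)
		out, _ := renderProfileLink(in)
		fmt.Printf("%-22s valid=%-5v stored=%q rendered=%s\n", in, ok, clean, out)
	}
}
```

Input validation is the primary control because the stored value may be emitted by other code paths (JSON APIs, feeds, a mobile client) that do not get html/template's protection; the template-level filter is the backstop for the web view.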
Veracode
added 2024/04/26 7:34 a.m., 21 views

Privilege Escalation

github.com/glpi-project/glpi-agent is vulnerable to Privilege Escalation. The vulnerability is due to the ability of a local user to modify GLPI-Agent code or the DLLs it uses, which can alter agent logic and potentially grant higher privileges...

CVSS 7.8 | AI score 6.8 | EPSS 0.00044
Exploits: 0 | References: 2 | Affected software: 1
Veracode
added 2024/04/26 7:33 a.m., 24 views

Privilege Escalation

github.com/glpi-project/glpi-agent is vulnerable to Privilege Escalation. The vulnerability is due to improper security controls in the MSI package installer that allow a local user to manipulate the GLPI server URL or disable the agent service, and in some cases, configure a malicious server to...

CVSS 7.8 | AI score 7 | EPSS 0.00054
Exploits: 0 | References: 2 | Affected software: 1
OSV
added 2024/04/25 7:53 p.m., 13 views

GHSA-PPX5-Q359-PVWJ vyper's range(start, start + N) reverts for negative numbers

Summary: When looping over a range of the form range(start, start + N), if start is negative, the execution will always revert. Details: This issue is caused by an incorrect assertion inserted by the code generation of the range statement (stmt.parse_For_range):...

CVSS 5.3 | AI score 5.1 | EPSS 0.01528
Exploits: 1 | References: 6
Veracode
added 2024/04/25 5:36 a.m., 14 views

Incorrect Permission Assignment

github.com/rancher/rancher is vulnerable to Incorrect Permission Assignment. The vulnerability is due to a flaw where users were granted access to resources regardless of the resource's API group, leading to unauthorized access and modification capabilities across various resources...

CVSS 8.8 | AI score 8.6 | EPSS 0.0012
Exploits: 0 | References: 2 | Affected software: 1
Friends Of PHP
added 2024/04/24 12:2 p.m., 19 views

mdanter/ecc affected by timing vulnerability in cryptographic side-channels

phpecc, as used in all versions of mdanter/ecc, as well as paragonie/ecc before 2.0.1, has a branch-based timing leak in Point addition. This Composer package is also known as phpecc/phpecc on GitHub, previously known as the Matyas Danter ECC library. Paragon Initiative Enterprises hard-forked...

CVSS 4.3 | AI score 4.5 | EPSS 0.00119
Exploits: 0 | Affected software: 1
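This entry, the GitHub Security Blog entry above and CVE-2024-33851 all describe the same weakness: point addition that takes different code paths for the special cases (an operand is the point at infinity, the operands are equal, the operands are inverses), so the running time depends on secret scalar bits. The following is an added Go example, not phpecc code and not a production curve: a branchy affine addition beside a version that evaluates every case unconditionally and selects the result with masks. The toy curve y^2 = x^3 + 2x + 3 over GF(97), on which (3,6) has order 5, and the 0/1 flag representation of infinity are constructed for the example.

```go
package main

import "fmt"

// Constructed toy curve y^2 = x^3 + a*x + b over GF(p); far too small for
// real use, chosen so the arithmetic can be followed by hand.
const (
	p = 97
	a = 2
)

type point struct {
	x, y uint64
	inf  uint64 // 1 for the point at infinity, 0 otherwise
}

// Field helpers. Note: "%" is not guaranteed constant-time on every CPU; a real
// implementation uses a constant-time reduction. The branch structure is the
// subject here.
func fadd(x, y uint64) uint64 { return (x + y) % p }
func fsub(x, y uint64) uint64 { return (x + p - y) % p }
func fmul(x, y uint64) uint64 { return (x * y) % p }

// finv computes x^(p-2) (Fermat). x = 0 yields 0 instead of an error so the
// caller can mask the result away; the exponent is public, so branching on
// its bits reveals nothing about the point.
func finv(x uint64) uint64 {
	r := uint64(1)
	for e := uint64(p - 2); e > 0; e >>= 1 {
		if e&1 == 1 {
			r = fmul(r, x)
		}
		x = fmul(x, x)
	}
	return r
}

// ctEq returns 1 if x == y, else 0, with no data-dependent branch.
func ctEq(x, y uint64) uint64 { z := x ^ y; return 1 ^ ((z | -z) >> 63) }

// ctMask expands a 0/1 flag to 0x00..0 / 0xFF..F.
func ctMask(flag uint64) uint64 { return -(flag & 1) }

// ctSel returns x when mask is all ones and y when it is zero.
func ctSel(mask, x, y uint64) uint64 { return (x & mask) | (y &^ mask) }

// branchyAdd is the textbook formula with early returns. Each branch depends
// on the operands, so timing reveals which case occurred.
func branchyAdd(P, Q point) point {
	if P.inf == 1 {
		return Q
	}
	if Q.inf == 1 {
		return P
	}
	var lam uint64
	if P.x == Q.x {
		if P.y != Q.y || P.y == 0 {
			return point{inf: 1} // P + (-P), or doubling a 2-torsion point
		}
		lam = fmul(fadd(fmul(3, fmul(P.x, P.x)), a), finv(fmul(2, P.y)))
	} else {
		lam = fmul(fsub(Q.y, P.y), finv(fsub(Q.x, P.x)))
	}
	x3 := fsub(fsub(fmul(lam, lam), P.x), Q.x)
	return point{x: x3, y: fsub(fmul(lam, fsub(P.x, x3)), P.y)}
}

// ctAdd computes both slopes and all special-case flags unconditionally and
// selects the answer with masks, so the work done is the same for every input.
func ctAdd(P, Q point) point {
	sameX := ctEq(P.x, Q.x)
	sameY := ctEq(P.y, Q.y)
	dbl := sameX & sameY
	lamAdd := fmul(fsub(Q.y, P.y), finv(fsub(Q.x, P.x))) // garbage when x1 == x2; masked out
	lamDbl := fmul(fadd(fmul(3, fmul(P.x, P.x)), a), finv(fmul(2, P.y)))
	lam := ctSel(ctMask(dbl), lamDbl, lamAdd)
	x3 := fsub(fsub(fmul(lam, lam), P.x), Q.x)
	y3 := fsub(fmul(lam, fsub(P.x, x3)), P.y)
	inf3 := (sameX & (1 ^ sameY)) | (dbl & ctEq(P.y, 0))
	r := point{x3, y3, inf3}
	mq := ctMask(Q.inf) // Q = O  => result is P
	r = point{ctSel(mq, P.x, r.x), ctSel(mq, P.y, r.y), ctSel(mq, P.inf, r.inf)}
	mp := ctMask(P.inf) // P = O  => result is Q
	r = point{ctSel(mp, Q.x, r.x), ctSel(mp, Q.y, r.y), ctSel(mp, Q.inf, r.inf)}
	return r
}

// equal treats every representation of O as the same point.
func equal(P, Q point) bool {
	if P.inf == 1 || Q.inf == 1 {
		return P.inf == Q.inf
	}
	return P.x == Q.x && P.y == Q.y
}

func main() {
	G := point{x: 3, y: 6}
	ct, br := point{inf: 1}, point{inf: 1}
	for i := 1; i <= 5; i++ { // walk the order-5 subgroup; the two adders must agree
		ct, br = ctAdd(ct, G), branchyAdd(br, G)
		fmt.Printf("%d*G = %+v  agree=%v\n", i, ct, equal(ct, br))
	}
}
```

The selection trick is the whole fix: ctAdd always computes the generic slope, the doubling slope and every special-case flag, then picks with ctSel, so an observer who can time the operation learns nothing about which case a given scalar bit triggered. Production curve code goes further (complete formulas, Montgomery or Barrett reduction, no secret-dependent memory access), but it starts from this shape.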