26 matches found
PT-2026-33304
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files...
EUVD-2019-0289
Malware in sbrugna...
EUVD-2018-0262
Malware in sbrugna...
EUVD-2018-0250
Malware in sbrugna...
EUVD-2019-0350
Malware in sbrugna...
EUVD-2019-0343
Malware in sbrugna...
EUVD-2022-2343
Malicious code in bioql PyPI...
CVE-2024-50342
CVE-2024-50342 concerns Symfony’s http-client NoPrivateNetworkHttpClient leaking host resolution information, enabling possible IP/port enumeration. Affected versions before the fix include 5.4.46, 6.4.14, and 7.1.7. The underlying issue was mitigated by updating NoPrivateNetworkHttpClient to fil...
CVE-2024-50342 Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client
symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port...
MAL-2023-509 Malicious code in http-resources (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware db39987d6a5793a748c90045d86f1464d80c1542227b575b2e57e78fc95a1ee1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
get-token-user10 (=0.10.1) potentially affected by unknown CVE via http-resources (=0.0.1-security)
http-resources NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on http-resources and may be impacted: - get-token-user10 =0.10.1 Source cves: unknown CVE Source advisory: OSV:MAL-2023-509...
SUSE CVE-2017-7835
Mixed content blocking of insecure HTTP sub-resources in a secure HTTPS document was not correctly applied for resources that redirect from HTTPS to HTTP, allowing content that should be blocked, such as scripts, to be loaded on a page. This vulnerability affects Firefox 57...
Exposure of Resource to Wrong Sphere in Spring Data REST
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...
Spring Data Commons < 1.13.11 / 2.x < 2.0.6 RCE
The version of Spring Data Commons installed on the remote host is affected by a remote code execution vulnerability. Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of...
Security Restriction Bypass
spring-boot-actuator is vulnerable to security restriction bypass. Lack of secure handling of HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping causes the exposure of those resources and request mapping, leading to...
Design/Logic Flaw
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...
CVE-2021-22047
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...
CVE-2021-22047
CVE-2021-22047 affects Spring Data REST: HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are exposed under URIs that may be accessible without authorization, depending on Spring Security configuration.impact is describe...
CVE-2021-29431 SSRF in Sydent due to missing validation of hostnames
Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perfor...
CVE-2018-1273
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user or attacker can supply specially crafted request parameters...