1895 matches found
Concrete CMS: SSRF mitigation bypass using DNS Rebind attack
We noticed that the upload functionality contains the ability to upload files from remote server, however there are some mitigations against accessing the AWS Instance Metadata service. We've managed to bypass these mitigations using DNS rebinding and we've managed to fetch the AWS IAM keys when...
CVE-2021-41794
ogs_fqdn_parse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character is interpreted as a length value to be used ...
Buffer overflow
ogs_fqdn_parse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character is interpreted as a length value to be used ...
Design/Logic Flaw
In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call...
CVE-2021-41100
Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the Authorization header. As the short-lived token is only meant as means of...
Authentication flaw
Wire-server is the backing server for the open source wire secure messaging application. In affected versions it is possible to trigger email address change of a user with only the short-lived session token in the Authorization header. As the short-lived token is only meant as means of...
CVE-2021-25959
In OpenCRX, versions v4.0.0 through v5.1.0 are vulnerable to reflected Cross-site Scripting (XSS), due to unsanitized parameters in the password reset functionality. This allows execution of external javascript files on any user of the openCRX instance...
CVE-2021-39216
Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing externrefs from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple externrefs from the host to a...
Users Can Start Multiple Published Desktops that have Instance Limits
A user is able to start multiple instances of a published application even though the "Allow only one instance of application for each user" option is enabled in the Published Application Properties. This might cause multiple disconnected sessions of a limited published application which introduces...
Atlassian Confluence < 6.13.23 Webwork OGNL Injection
According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 6.13.23, 6.14.x prior to 7.4.11, 7.5.x prior to 7.11.6 or 7.12.x prior to 7.12.5. It is, therefore, affected by an OGNL injection vulnerability that would allow an...
com.alibaba.otter:canal.deployer (>=1.1.7 <=1.1.8), com.alibaba.otter:canal.instance.core (>=1.1.7 <=1.1.8) +90 more potentially affected by CVE-2021-37137 via org.jboss.netty:netty (>=3.1.0.BETA1 <=3.2.10.Final)
org.jboss.netty:netty MAVEN version =3.1.0.BETA1, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =5.0.2, =5.0.2, =5.0.2, =5.0.2, =5.0.2, =5.6.4 and more Source cves: CVE-2021-37137 Source advisory: OSV:GHSA-9VJP-V76F-G363...
Malicious Password Resetting
laravel/laravel is vulnerable to malicious password resetting. The vulnerability exists because an attacker who knows the target's e-mail address can send proxy password reset requests through a running Akaunting instance...
Atlassian Confluence Webwork OGNL Injection
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be access...
Remote Code Execution (RCE)
cachet is vulnerable to Remote Code Execution (RCE). The vulnerability exists due to the lack of sanitization of the instance name and also the lack of trusted IP addresses source to access the administration dashboard...
CVE-2021-39173
Cachet is an open source status page system. Prior to version 2.5.1 authenticated users, regardless of their privileges (User or Admin), can trick Cachet and install the instance again, leading to arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving the...
Input validation
Cachet is an open source status page system. Prior to version 2.5.1 authenticated users, regardless of their privileges (User or Admin), can trick Cachet and install the instance again, leading to arbitrary code execution on the server. This issue was addressed in version 2.5.1 by improving the...
PT-2021-22431 · Cachet · Cachet
Name of the Vulnerable Software and Affected Versions: Cachet versions prior to 2.5.1 Description: Cachet is an open source status page system. Authenticated users, regardless of their privileges, can trick Cachet and install the instance again, leading to arbitrary code execution on the server...
CVE-2021-38598
OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch c...
Cisco Firepower Threat Defense Software Multi-Instance Container Escape (cisco-sa-ftd-container-esc-FmYqFBQV)
According to its self-reported version, Cisco Firepower Threat Defense Software is affected by a vulnerability in the multi-instance feature that allows an authenticated, local attacker to escape the container for their Cisco FTD instance and execute commands with root privileges in the host...
jszip Vulnerable to Prototype Pollution
This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g. __proto__, toString, etc.) results in a returned object with a modified prototype instance...