Malicious code in ac-shared-instance (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25b7af9d106463b8924808d5fee450cebfb97597573f764e76939e297a483174 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking

Impact Instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can secret access tokens across requests. This can allow users to access restricted querysets and restricted data. Patches The problem has been patched in version 8.4.1 and all following...

GHSA-WJRH-HJ83-3WH7 Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking

Impact Instances of HeavySelect2Mixin subclasses like the ModelSelect2MultipleWidget and ModelSelect2Widget can secret access tokens across requests. This can allow users to access restricted querysets and restricted data. Patches The problem has been patched in version 8.4.1 and all following...

ABB M2M Gateway TLS Handshake bypass in embedded Python (CVE-2023-40217)

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP servers that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is...

CVE-2025-3580

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator...

CVE-2025-3580

An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint. The vulnerability can be exploited when: 1. An Organization administrator...

CVE-2023-30624

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 6.0.2, 7.0.1, and 8.0.1, Wasmtime's implementation of managing per-instance state, such as tables and memories, contains LLVM-level undefined behavior. This undefined behavior was found to cause runtime-level issues when compiled...

CVE-2023-33947

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.60, and Liferay DXP 7.4 before update 61 does not segment object definition by virtual instance in search which allows remote authenticated users in one virtual instance to view object definition from a second virtual instance by searching...

CVE-2023-33946

The Object module in Liferay Portal 7.4.3.4 through 7.4.3.48, and Liferay DXP 7.4 before update 49 does properly isolate objects in difference virtual instances, which allows remote authenticated users in one virtual instance to view objects in a different virtual instance via OAuth 2 scope...

CVE-2023-21638

Memory corruption in Video while calling APIs with different instance ID than the one received in initialization...

CVE-2023-5982

The UpdraftPlus: WordPress Backup & Migration Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23.10. This is due to a lack of nonce validation and insufficient validation of the instanceid on the 'updraftmethod-googledrive-auth' acti...

CVE-2023-42781

Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs. This is a different issue than CVE-2023-42663 but leading to similar outcome. Users of Apache Airflow are...

CVE-2022-29171

Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a callsignCommand, which is used to obtain...

CVE-2022-45462

Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users. We recommend you upgrade to version 2.0.6 or higher...

📄 ABB Cylon Aspect 3.08.03 logMixDownload.php Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by the logMixDownload.php script and dependant on SELECTED=ALL case. Version...

📄 ABB Cylon Aspect 3.08.03 productRemovalUpdate.php Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by the productRemovalUpdate.php script. The token key POST param needs to be se...

CVE-2021-20077

Nessus Agent versions 7.2.0 through 8.2.2 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. This could allow a privileged attacker to obtain the token...

CVE-2020-2186

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.50.1 and earlier allows attackers to provision instances...

CVE-2019-10569

Stack buffer overflow due to instance id is misplaced inside definition of hardware accelerated effects in makefile in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Mobile in APQ8053, APQ8098, MDM9607, MDM9640, MSM8998, QCS605, SC8180X, SDM439, SDM630, SDM636, SDM660,...

CVE-2019-16767

The admin sys mode is now conditional and dedicated for the special case. By default, since [email protected] no instance container is launched with advanced capabilities not launched as root...