20 matches found

RedHat Linux · added 2026/06/08 1:52 a.m.

lodash: Arbitrary code execution via untrusted input in template imports

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option of _.template but did not apply the same validation to the key names of options.imports. Both paths flow into the same Function constructor sink. Additionally, _.template uses assignInWith to merge imports, whi...

CVSS 9.8 · AI score 6.4 · EPSS 0.01026
Exploits 0 · References 7
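The lodash entry above describes key names flowing into a Function constructor sink. The block below is an added example, not lodash's code: a minimal template compiler that models the same pattern (the variable name and every imports key become parameter names of a dynamically built function) together with the identifier check a hardened version applies to all of them before they reach the sink. The names compileTemplate and isSafeIdentifier, and the ${...} template syntax, are this example's own assumptions.

```javascript
// Added example (not lodash's code): identifiers used as Function-constructor
// parameters must be validated before the constructor ever sees them.

const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function', 'if',
  'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch', 'this', 'throw',
  'try', 'typeof', 'var', 'void', 'while', 'with', 'yield', 'let', 'static',
  'enum', 'await', 'implements', 'package', 'protected', 'interface', 'private',
  'public', 'null', 'true', 'false', 'arguments', 'eval',
]);

// Conservative check: ASCII identifier characters only, no reserved words.
// Deliberately stricter than the ECMAScript grammar; a template engine gains
// nothing from accepting exotic identifiers as parameter names.
function isSafeIdentifier(name) {
  return typeof name === 'string'
    && /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)
    && !RESERVED.has(name);
}

// Toy ${expr} template compiler (assumption: not lodash's implementation).
// The data variable and each imports key are exposed to the template body as
// named parameters of a function built with the Function constructor, which is
// the sink the advisory describes. Every name is checked first, on both paths.
function compileTemplate(source, imports = {}, variable = 'data') {
  const names = Object.keys(imports);
  for (const n of [variable, ...names]) {
    if (!isSafeIdentifier(n)) {
      throw new TypeError(`unsafe identifier reaching Function constructor: ${JSON.stringify(n)}`);
    }
  }
  // The template text becomes a JS template literal; backslashes and backticks
  // in it are escaped so only ${...} sections are interpreted.
  const body = 'return `' + source.replace(/[\\`]/g, '\\$&') + '`;';
  const fn = new Function(variable, ...names, body);
  return (data) => fn(data, ...names.map((n) => imports[n]));
}

// Usage:
//   const hello = compileTemplate('Hi ${upper(data.who)}', { upper: (s) => s.toUpperCase() });
//   hello({ who: 'bob' });   // 'Hi BOB'
//   compileTemplate('x', { 'a) { return 1 } //': 1 });   // throws TypeError
```

The point of the example is the loop, not the regex: the variable option and the imports keys are the same kind of input and reach the same sink, so they need the same check. Passing each name as its own argument to the Function constructor (rather than joining them into one comma-separated string) is a second, cheaper layer, but it does not replace validation.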
EUVD · added 2025/10/03 8:07 p.m.

EUVD-2022-4114

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.6 · EPSS 0.04036
Exploits 0 · References 6
CNNVD · added 2025/06/02 12:00 a.m.

Gokapi security vulnerability

Gokapi is a lightweight, self-hosted Firefox Send alternative by developer Marc Bulling. A security vulnerability exists in Gokapi versions prior to 2.0.0, a cross-site scripting flaw that arises from the injection of JavaScript code when renaming an API key...

CVSS 5.4 · AI score 6.2 · EPSS 0.00117
Exploits 0 · References 4
OSV · added 2024/03/06 10:51 a.m.

BIT-ETCD-2023-32082 etcd key name can be accessed via LeaseTimeToLive API

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limit...

CVSS 4.3 · AI score 6.1 · EPSS 0.00744
Exploits 0 · References 5
OSV · added 2023/07/11 5:15 p.m.

UBUNTU-CVE-2023-36824

Redis is an in-memory database that persists on disk. In Redis 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several...

CVSS 8.8 · AI score 6.5 · EPSS 0.74822
Exploits 0 · References 4
SUSE CVE · added 2023/05/23 2:54 a.m.

SUSE CVE-2023-32082

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limit...

CVSS 4.3 · AI score 8.1 · EPSS 0.00744
Exploits 0 · References 3
OSV · added 2023/05/12 8:19 p.m.

GHSA-3P4G-RCW5-8298 etcd Key name can be accessed via LeaseTimeToLive API

Impact: the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limited to clusters with auth RBAC enabled. Patches: fixed in v3.4.26 and v3.5.9. Workarounds: none. Reporter: Yo...

CVSS 3.1 · AI score 6 · EPSS 0.00744
Exploits 0 · References 6
Github Security Blog · added 2023/05/12 8:19 p.m.

etcd Key name can be accessed via LeaseTimeToLive API

Impact: the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limited to clusters with auth RBAC enabled. Patches: fixed in v3.4.26 and v3.5.9. Workarounds: none. Reporter: Yo...

CVSS 4.3 · AI score 6.1 · EPSS 0.00744
Exploits 0 · References 6 · Affected Software 1
OSV · added 2023/05/11 8:15 p.m.

DEBIAN-CVE-2023-32082

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limit...

CVSS 4.3 · AI score 6.5 · EPSS 0.00744
Exploits 0 · References 1
OSV · added 2023/05/11 8:15 p.m.

UBUNTU-CVE-2023-32082

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limit...

CVSS 4.3 · AI score 7.1 · EPSS 0.00744
Exploits 0 · References 6
Cvelist · added 2023/05/11 7:22 p.m.

CVE-2023-32082 etcd key name can be accessed via LeaseTimeToLive API

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to the key names (but not the values) associated with a lease when the Keys parameter is true, even if the user does not have read permission for those keys. The impact is limit...

CVSS 3.1 · AI score 5.7 · EPSS 0.00744
Exploits 0 · References 4
Veracode · added 2022/12/29 8:15 a.m.

Command Injection

rdiffweb is vulnerable to command injection. The vulnerability exists in notification.py due to a lack of character sanitisation in SSH key names, which allows an attacker to inject a hyperlink that redirects the victim to a malicious website...

CVSS 5.4 · AI score 5.8 · EPSS 0.00485
Exploits 1 · References 4 · Affected Software 1
Positive Technologies · added 2022/12/23 12:00 a.m.

PT-2022-28035 · Rdiffweb · Rdiffweb

Name of the Vulnerable Software and Affected Versions: rdiffweb versions prior to 2.5.5 Description: The issue is related to a failure to sanitize special elements, which can lead to special element injection. Specifically, in rdiffweb, the lack of sanitization of characters in SSH key names coul...

CVSS 6.6 · AI score 5.8 · EPSS 0.00485
Exploits 1 · References 10
Github Security Blog · added 2022/05/24 5:04 p.m.

Improper Neutralization of Input During Web Page Generation in swagger-ui

swagger-ui has XSS in key names...

CVSS 6.1 · AI score 2.6 · EPSS 0.04036
Exploits 0 · References 4 · Affected Software 1
OSV · added 2022/05/24 5:04 p.m.

GHSA-H8WP-WGCQ-QHRF Improper Neutralization of Input During Web Page Generation in swagger-ui

swagger-ui has XSS in key names...

CVSS 6.1 · AI score 6.1 · EPSS 0.04036
Exploits 0 · References 4
NVD · added 2019/12/20 2:15 p.m.

CVE-2016-1000229

swagger-ui has XSS in key names...

CVSS 6.1 · AI score 6.6 · EPSS 0.04036
Exploits 0 · References 4
OSV · added 2019/12/20 2:15 p.m.

CVE-2016-1000229

swagger-ui has XSS in key names...

CVSS 6.1 · AI score 5.9 · EPSS 0.04036
Exploits 0 · References 4
Cvelist · added 2019/12/20 1:02 p.m.

CVE-2016-1000229

swagger-ui has XSS in key names...

AI score 6.2 · EPSS 0.04036
Exploits 0 · References 4
CVE · added 2019/12/20 1:02 p.m.

CVE-2016-1000229

Swagger-UI CVE-2016-1000229: Cross-site scripting via key names in the JSON document. Root cause: improper validation of user-supplied input in Swagger UI. Impact: remote attacker could execute script in a victim’s browser within the hosting site’s security context. Remediation (per Red Hat IBM a...

CVSS 6.1 · AI score 6 · EPSS 0.04036
Exploits 0 · References 4 · Affected Software 1
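The swagger-ui entries (XSS via key names in a JSON document) and the rdiffweb entries (a hyperlink injected through an SSH key name) share one cause: a key name is written into a page as markup rather than as text. The block below is an added example, not code from swagger-ui or rdiffweb: a renderer that escapes every key and value before interpolating it into HTML, shown beside the naive version that trusts key names. The function names and the sample document are this example's own constructions.

```javascript
// Added example (not swagger-ui's or rdiffweb's code): key names are
// attacker-controlled data and must be escaped like any other value before
// they are placed in HTML.

// Constructed sample: a document whose *property names* carry the payload.
const SAMPLE_DOC = {
  'title': 'Pet store',
  '<img src=x onerror="alert(1)">': 'ignored',
  'ssh-key "my laptop" <a href="https://attacker.example/">click</a>': 'AAAAB3Nza...',
};

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Naive rendering: values are escaped, key names are trusted. This is the
// shape of the bug in both entries.
function renderKeysUnsafe(doc) {
  return Object.entries(doc)
    .map(([k, v]) => `<li><b>${k}</b>: ${escapeHtml(v)}</li>`)
    .join('');
}

// Hardened rendering: every interpolated string goes through escapeHtml,
// keys included.
function renderKeysSafe(doc) {
  return Object.entries(doc)
    .map(([k, v]) => `<li><b>${escapeHtml(k)}</b>: ${escapeHtml(v)}</li>`)
    .join('');
}

// Cheap regression check for tests: once the renderer's own <li>/<b> tags are
// removed, no other tag may survive in the output.
function containsRawTag(html) {
  return /<(script|img|a|iframe|svg)\b/i.test(html.replace(/<\/?(li|b)>/g, ''));
}
```

For a real application the same rule is better enforced by a templating engine with autoescaping on by default; the hand-written escape above just makes the difference between the two renderers visible. The rdiffweb case is an e-mail body rather than a web page, but the fix is the same: the key name is data, so it is escaped (or emitted as plain text) wherever it is shown.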
myhack58 · added 2014/11/17 12:00 a.m.

PHP WDDX Serializer Data Injection Vulnerability (vulnerability warning, myhack58)

PHP WDDX Serializer Data Injection Vulnerability. Taoguang Chen - 2014.11.2. When PHP serializes an array into a WDDX structure, the array key names are not strictly restricted, which allows the WDDX structure of an object to be forged. When serializing an object, PHP...

AI score 0.2
Exploits 0