
559 matches found

PyPA
added 2021/11/05 10:15 p.m. · 5 views

PYSEC-2021-400

TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service via dereferencing nullptrs or via CHECK-failures as well as abuse undefined behavior binding...

CVSS 8.8 · AI score 7.1 · EPSS 0.00168
Exploits 0 · References 2 · Affected Software 1
PyPA
added 2021/11/05 9:15 p.m. · 6 views

PYSEC-2021-635

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseBinCount is vulnerable to a heap OOB access. This is because of missing validation between the elements of the values argument and the shape of the sparse output. The fix will be included ...

CVSS 7.1 · AI score 6.9 · EPSS 0.00201
Exploits 1 · References 2 · Affected Software 1
Debian CVE
added 2021/11/05 8:20 p.m. · 1 views

CVE-2021-41226

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseBinCount is vulnerable to a heap OOB access. This is because of missing validation between the elements of the values argument and the shape of the sparse output. The fix will be included ...

CVSS 7.1 · AI score 6.9 · EPSS 0.00201
Exploits 1
Positive Technologies
added 2021/10/12 12:00 a.m. · 3 views

PT-2021-5314 · Foxit · Foxit Pdf Reader +1

Name of the Vulnerable Software and Affected Versions: Foxit PDF Editor (affected versions not specified); Foxit PDF Reader (affected versions not specified). Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the...

CVSS 10 · AI score 8 · EPSS 0.00349
Exploits 0 · References 8
Huntr
added 2021/10/11 4:34 p.m. · 9 views

Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms

Description: 1. Missing CSRF token in delete posts and delete folder in the frontend. 2. Missing backend CSRF validation in 1) removing and enabling fix status and 2) deleting posts, and 3) delete folder and 4) delexclude in the indexing page (see Permalinks). 3. Delete cache. Proof of Concept: Open in...

AI score 2.4
Exploits 0
CNNVD
added 2021/09/07 12:00 a.m. · 2 views

Rob The Bank Data Forgery Vulnerability

Rob The Bank is a music website. Rob The Bank suffers from a data forgery issue vulnerability that stems from the lack of destination address validation in the BurnMe function in Rob The Bank version 1.0, which allows an attacker to steal tokens from victimized users via a carefully crafted scrip...

CVSS 7.5 · AI score 7.3 · EPSS 0.00524
Exploits 1 · References 2
OSV
added 2021/08/25 2:41 p.m. · 2 views

GHSA-7GHQ-FVR3-PJ2X Incomplete validation in `MaxPoolGrad`

Impact: An attacker can trigger a denial of service via a segmentation fault in tf.raw_ops.MaxPoolGrad caused by missing validation: python import tensorflow as tf tf.raw_ops.MaxPoolGrad orig_input = tf.constant, shape=3, 0, 0, 2, dtype=tf.float32, orig_output = tf.constant, shape=3, 0, 0, 2,...

CVSS 6.8 · AI score 6.3 · EPSS 0.00179
Exploits 0 · References 8
Prion
added 2021/08/12 11:15 p.m. · 25 views

Buffer overflow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can trigger a denial of service via a segmentation fault in tf.raw_ops.MaxPoolGrad caused by missing validation. The implementation misses some validation for the orig_input and orig_output tensor...

CVSS 2.1 · AI score 6.2 · EPSS 0.00214
Exploits 1 · References 3 · Affected Software 1
Cvelist
added 2021/06/04 8:05 p.m. · 10 views

CVE-2021-29500 Missing validation of JWT signature

bubble fireworks is an open source Java package relating to Spring Framework. In bubble fireworks before version 2021.BUILD-SNAPSHOT there is a vulnerability in which the package did not properly verify the signature of JSON Web Tokens. This allows forgery of valid JWTs...

CVSS 7.5 · AI score 7.7 · EPSS 0.00595
Exploits 0 · References 1
PyPA
added 2021/05/14 8:15 p.m. · 4 views

PYSEC-2021-169

TensorFlow is an end-to-end open source platform for machine learning. An attacker can force accesses outside the bounds of heap allocated arrays by passing in invalid tensor values to tf.raw_ops.RaggedCross. This is because the...

CVSS 7.1 · AI score 6.8 · EPSS 0.00198
Exploits 1 · References 2 · Affected Software 1
PyPA
added 2021/05/14 8:15 p.m. · 5 views

PYSEC-2021-692

TensorFlow is an end-to-end open source platform for machine learning. An attacker can write outside the bounds of heap allocated arrays by passing invalid arguments to tf.raw_ops.Dilation2DBackpropInput. This is because the...

CVSS 7.8 · AI score 7 · EPSS 0.00201
Exploits 1 · References 2 · Affected Software 1
Debian CVE
added 2021/05/14 7:10 p.m. · 5 views

CVE-2021-29548

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a runtime division by zero error and denial of service in tf.raw_ops.QuantizedBatchNormWithGlobalNormalization. This is because the...

CVSS 5.5 · AI score 6.9 · EPSS 0.00189
Exploits 1
Positive Technologies
added 2021/05/14 12:00 a.m. · 3 views

PT-2021-18316 · Google · Tensorflow

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.5.0; TensorFlow versions 2.4.2 and earlier; TensorFlow versions 2.3.3 and earlier; TensorFlow versions 2.2.3 and earlier; TensorFlow versions 2.1.4 and earlier. Description: An attacker can trigger a null pointer...

CVSS 5.5 · AI score 5.2 · EPSS 0.00197
Exploits 1 · References 13
Veracode
added 2021/05/09 4:43 p.m. · 29 views

Injection Vulnerability

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation...

CVSS 8.8 · AI score 3.6 · EPSS 0.04698
Exploits 1 · References 7 · Affected Software 1
Cvelist
added 2021/04/15 9:00 p.m. · 18 views

CVE-2021-29431 SSRF in Sydent due to missing validation of hostnames

Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use the attack to perfor...

CVSS 7.7 · AI score 7.7 · EPSS 0.01194
Exploits 0 · References 7
CNNVD
added 2021/04/15 12:00 a.m. · 3 views

Matrix Sydent Code Issue Vulnerability

Matrix Sydent is an implementation of the Matrix Authentication Server API from the Matrix.org Foundation in the UK. Sydent suffers from a security vulnerability that stems from a lack of parameter validation or IP address blacklisting, which could cause Sydent to send HTTP GET requests to intern...

CVSS 7.7 · AI score 6.8 · EPSS 0.01194
Exploits 0 · References 8
Debian CVE
added 2021/04/14 12:41 p.m. · 29 views

CVE-2021-22879

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation...

CVSS 8.8 · AI score 8.9 · EPSS 0.04698
Exploits 1
RedHat Linux
added 2021/03/18 1:08 p.m. · 75 views

Important: Red Hat Security Advisory: openvswitch2.11 and ovn2.11 security update

An update for openvswitch2.11 and ovn2.11 is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available...

CVSS 9.8 · AI score 6.9 · EPSS 0.05448
Exploits 0 · References 6
CNNVD
added 2021/02/18 12:00 a.m. · 11 views

Askey RTF8115VW Cross-Site Scripting Vulnerability

Askey RTF8115VW is an application from Askey China. Provides the most stable broadband connection source to bring super-fast speeds to all types of users. A cross-site scripting vulnerability exists in Askey RTF8115VW. The vulnerability stems from cgi-bin/teaccesorouter.cgi curWebPage missing...

CVSS 6.1 · AI score 6.2 · EPSS 0.01229
Exploits 1 · References 2
Hacker One
added 2021/02/03 5:20 p.m. · 18 views

Nextcloud: Take over a mail account due missing validation of account id

A validation is missing to make sure the account id belongs to the logged in user. To reproduce: 1. Login as user 2. Add a mail account to mail 3. Go to account settings 4. Update the account again See a request like below: curl 'http://localhost:50001/index.php/apps/mail/api/accounts/%7Bid%7D' ...

CVSS 4 · AI score 0.3 · EPSS 0.01107
Exploits 1