PT-2022-8904 · Unknown · Ion-Parser
Name of the Vulnerable Software and Affected Versions: ion-parser (all versions)
Description: The issue affects the ion-parser package, where an attacker can submit a malicious INI file to an application that uses the parse function, leading to prototype pollution on the application. This can be...
UBUNTU-CVE-2022-1925
DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however t...
Fedora: Security Advisory for httpdump (FEDORA-2022-3969b64d4b)
The remote host is missing an update for the...
[SECURITY] Fedora 35 Update: httpdump-0-0.6.20200714gite6fa868.fc35
Capture and parse HTTP traffic...
[SECURITY] Fedora 35 Update: golang-github-andybalholm-cascadia-1.2.0-6.fc35
The Cascadia package implements CSS selectors for use with the parse trees produced by the html package...
Updated golang packages fix security vulnerability
net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to...
Regular Expression Denial Of Service (ReDoS)
jquery-validation is vulnerable to regular expression denial of service. The vulnerability exists in the url parse function in src/core.js, and due to insufficient regular expression complexity checks an attacker can cause a ReDoS when supplying input to the url parse function. This CVE exists du...
parse-url cross-site scripting vulnerability
parse-url is an advanced url parser with git url support. A cross-site scripting vulnerability exists in parse-url versions prior to 7.0.0, which stems from the ability to run malicious JS code using ASCII characters starting with and all special escape characters starting with Unicode, which can...
@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @peterpme/parse-server-mailgun (>=2.4.8 <=2.5.11) +19 more potentially affected by CVE-2022-31112 via parse-server (>=2.0.8 <=3.10.0)
parse-server NPM version =2.0.8, =1.0.5, =2.4.8, =1.0.0, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.0, =1.0.0, =1.0.0, =1.4.0 and more Source cves: CVE-2022-31112 Source advisory: OSV:GHSA-CRRQ-VR9J-FXXH...
Protected fields exposed via LiveQuery
Impact: Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches: The LiveQueryController now removes protected fields from the client response. Workarounds: Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References: ...
GHSA-CRRQ-VR9J-FXXH Protected fields exposed via LiveQuery
Impact: Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches: The LiveQueryController now removes protected fields from the client response. Workarounds: Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References: ...
Regular Expression Denial of Service (ReDoS)
Description: I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in parse-url. It allows causing a denial of service when calling the function parse-url. The ReDoS vulnerability is mainly due to the regex /git@|https?://\w.@+/|:,\w,-,,/+.git0,1/0,1/ and can be...
CVE-2022-0722
A flaw was found in the parse-url package. Affected versions of this package are vulnerable to information exposure due to an improper validation issue...
[SECURITY] Fedora 36 Update: golang-github-andybalholm-cascadia-1.2.0-6.fc36
The Cascadia package implements CSS selectors for use with the parse trees produced by the html package...
Cross Site Scripting via Improper Input Validation (parser differential)
Description: I find that parse-url parses the following URL incorrectly and identifies protocol as ssh: javascript://n.com:-4294967297/?ab=--2509999973799371216494http://user:passser:[email protected]:-4294967297/?a /parseurlfuzz$ node -e 'const parseUrl = require"parse-url";...
PT-2022-3915 · Linux +8 · Linux Kernel +8
Name of the Vulnerable Software and Affected Versions: Linux kernel versions through 5.18.9
Description: A type confusion bug in nft_set_elem_init leading to a buffer overflow could be used by a local attacker to escalate privileges. The attacker can obtain root access, but must start with an...
GO-2022-0197 Panic when parsing certain inputs in golang.org/x/net/html
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input ""...
GO-2022-0192 Incorrect parsing of nested templates in golang.org/x/net/html
The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input ""...
Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Information Disclosure
parse-server is vulnerable to information disclosure. A remote unauthenticated attacker is able to gain access to sensitive user information because the library does not remove protected fields in classes and passes them to the client...