PT-2020-19723 · Phpjs · Phpjs

Name of the Vulnerable Software and Affected Versions: phpjs versions prior to 1.3.2 and possibly later, as all versions are mentioned as vulnerable in one source, but another source specifies up to 1.3.2. Description: The issue concerns Prototype Pollution via the parse str function. This affect...

CVE-2020-11937

In whoopsie, parsereport from whoopsie.c allows a local attacker to cause a denial of service via a crafted file. The DoS is caused by resource exhaustion due to a memory leak. Fixed in 0.2.52.5ubuntu0.5, 0.2.62ubuntu0.5 and 0.2.69ubuntu0.1...

Command Injection

Overview json is a 'json' command tool for massaging and processing JSON on the command line. Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbritary commands using the parseLookup function. PoC const json = require'json'; res =...

Whoopsie Resource Management Error Vulnerability

Whoopsie is a bug reporting program for Ubuntu Linux. A resource management error vulnerability exists in the 'parsereport' function of the whoopsie.c file in Whoopsie. A local attacker could exploit this vulnerability to cause a denial of service memory leak...

USN-4298-2 sqlite3 vulnerabilities

USN-4298-1 fixed several vulnerabilities in SQLite. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a...

PT-2020-5864 · Php +9 · Php +9

Name of the Vulnerable Software and Affected Versions: PHP versions 7.2.x through 7.2.32 PHP versions 7.3.x through 7.3.20 PHP versions 7.4.x through 7.4.8 Description: The issue is related to the phar parse zipfile function in PHP, which can be tricked into accessing freed memory when processing...

PT-2020-19722

Name of the Vulnerable Software and Affected Versions express-fileupload versions prior to 1.1.8 Description The issue allows for denial of service or arbitrary code execution when a corrupt HTTP request is sent and the parseNested option is enabled. Recommendations For express-fileupload version...

Prototype Pollution

Overview express-fileupload is a file upload middleware for express that wraps around busboy. Affected versions of this package are vulnerable to Prototype Pollution. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution...

OSV-2020-1436 Heap-buffer-overflow in dotnet_parse_com

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8901 Crash type: Heap-buffer-overflow READ 4 Crash state: dotnetparsecom dotnetload yrmodulesload...

OSV-2020-1386 Heap-buffer-overflow in parse_relocation_info

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24400 Crash type: Heap-buffer-overflow READ 4 Crash state: parserelocationinfo getrelocs64 relocs...

OpenDMARC Resource Management Error Vulnerability

OpenDMARC is an open source implementation of the DMARC Domain-based Message Authentication, Reporting and Conformance specification from The Trusted Domain project. A resource management error vulnerability exists in the 'opendmarcxmlparse' function in OpenDMARC versions 1.3.2 and earlier and...

PT-2020-4942 · Trustwave +2 · Opendmarc +2

Name of the Vulnerable Software and Affected Versions: OpenDMARC versions 1.3.2 and 1.4.x through 1.4.0-Beta1 Description: The issue is related to improper null termination in the opendmarc xml parse function, which can result in a one-byte heap overflow in opendmarc xml when parsing a specially...

ots:ots-fuzzer: Use-of-uninitialized-value in ots::OpenTypeGVAR::Parse

Project: https://github.com/khaledhosny/ots.git Detailed Report: https://oss-fuzz.com/testcase?key=5742168799707136 Project: ots Fuzzing Engine: libFuzzer Fuzz Target: ots-fuzzer Job Type: libfuzzermsanots Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State:...

Information Disclosure

parse is vulnerable to information disclosure. The setPassword function stores the user's password in localStorage as raw text, allowing a user to access the localStorage and obtain the password...

GHSA-WVH7-5P38-2QFC Storing Password in Local Storage

The setPassword method http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.htmlsetPassword stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the...

3vot-salesforce-proxy (>=0.0.1 <=0.1.6), @adncorp/parse-server (>=2.0.0 <=2.10.4) +189 more potentially affected by unknown CVE via parse (>=1.10.1 <=2.0.1)

parse NPM version =1.10.1, =0.0.1, =2.0.0, =2.2.11, =2.8.1, =2.2.7, =0.0.2, =1.0.0, =4.0.1, =2.2.7, =1.0.0, =0.1.0, =0.2.0, =1.0.0, =3.0.0, =3.0.10 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WVH7-5P38-2QFC...

Storing Password in Local Storage

The setPassword method http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.htmlsetPassword stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the...

Authorization Bypass

parse-server is vulnerable to authorization bypass. The vulnerability exists in the GraphQL viewer where an authenticated user can bypass the read security restrictions, and all objects linked through relation, placed on his User object...

GHSA-236H-RQV8-8Q73 GraphQL: Security breach on Viewer query

Impact An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object. Patches This vulnerability has been patched in Parse Server 4.3.0. Workarounds No References See commit...

GraphQL: Security breach on Viewer query

Impact An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object. Patches This vulnerability has been patched in Parse Server 4.3.0. Workarounds No References See commit...