Cross-site Scripting (XSS)
ajaxnetprofessional is vulnerable to cross-site scripting attacks. The vulnerability exists due to a lack of input validation in the parse function of AjaxPro/core.js when parsing JSON input, which allows a malicious attacker to inject and execute arbitrary JavaScript...
UBUNTU-CVE-2021-44921
A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash...
Command Injection in parse-community/parse-server
Description This is a Remote Code Execution vulnerability in the Parse Server. This vulnerability affects the Parse Server in the default configuration with MongoDB, probably a similar attack can affect the PostgreSQL storage as well. The main weakness that leads to RCE is the Prototype Pollution...
Regular Expression Denial of Service (ReDoS)
Overview parse-link-header is a package that parses a link header and returns paging information for each contained link. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function. PoC var parse = require('parse-link-header'); const...
nodejs-ini: Prototype pollution via malicious INI file
A flaw was found in nodejs-ini. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context...
An issue was discovered in ZZIPlib through 0.13.69. There is a memory leak triggered in the function __zzip_parse_root_directory in zip.c which will lead to a denial of service attack.
...
Denial Of Service (DoS)
radare2 is vulnerable to denial of service. The vulnerability exists due to a double free vulnerability in the pyc parse which allows an attacker to crash the application via malicious input...
Rizin Buffer Error Vulnerability
Rizin is a free open source reverse engineering framework from the Rizin organization. It is used to analyze binaries, disassemble code, debug programs, as a forensic tool, as a command-line hex editor that can open disk files that can be scripted, etc. Rizin 0.3.1 and earlier versions have a...
CVE-2021-23433
The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the...
Regular Expression Denial Of Service (ReDoS)
date is vulnerable to regular expression denial of service ReDoS attacks. An attacker is able to insert a specifically crafted input through the dateparse method via the str parameter resulting in denial of service conditions...
Regular Expression Denial of Service (ReDoS)
Overview date is a subclass of Object includes Comparable module for handling dates. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS. Date’s parsing methods including Date.parse are using regular expressions internally, some of which are vulnerable...
Buffer overflow
Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity...
GHSA-J86V-P27C-73FM Uninitialized access in `EinsumHelper::ParseEquation`
Impact During execution, EinsumHelper::ParseEquation is supposed to set the flags in input_has_ellipsis vector and output_has_ellipsis boolean to indicate whether there is ellipsis in the corresponding inputs and output. However, the code only changes these flags to true and never assigns false. cc f...
python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request...
graphviz: off-by-one in parse_reclbl() in lib/common/shapes.c
A flaw was found in graphviz. A wrong assumption in the record_init function leads to an off-by-one write in the parse_reclbl function, allowing an attacker who can provide graph input to potentially execute code when the label of a node is invalid and shorter than two characters. The highest threat from...
zlog 1.2.15 - Buffer Overflow Exploit
Exploit Title: zlog 1.2.15 - Buffer Overflow Exploit Author: LIWEI Vendor Homepage: https://github.com/HardySimpson/zlog Software Link: https://github.com/HardySimpson/zlog Version: v1.2.15 Tested on: ubuntu 18.04.2 1.- compile the zlogv1.2.15 code to a library. 2.- Use the "zlog_init" API to pars...
PYSEC-2021-809
TensorFlow is an open source platform for machine learning. In affected versions during execution, EinsumHelper::ParseEquation is supposed to set the flags in input_has_ellipsis vector and output_has_ellipsis boolean to indicate whether there is ellipsis in the corresponding inputs and output. However...
CVE-2021-41201
TensorFlow is an open source platform for machine learning. In affected versions during execution, EinsumHelper::ParseEquation is supposed to set the flags in input_has_ellipsis vector and output_has_ellipsis boolean to indicate whether there is ellipsis in the corresponding inputs and output. However...
CVE-2021-22960
The parse function in llhttp 2.1.4 and 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions...