Medium: glibc

Issue Overview: In the GNU C Library aka glibc or libc6 through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string,...

CVE-2020-27678

An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r151034y and SmartOS before 20201022. There is a buffer overflow in parseusername in lib/libpam/pamframework.c...

Token Validation Bypass

parse-server is vulnerable to token validation bypass. Lack of checking deleted sessions after the websocket connection was established allows clients with invalid session tokens to still receive subscription object...

CVE-2020-15270

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVE-2020-15270

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

Design/Logic Flaw

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVE-2020-15270 Improper session expiration in Parse Server

Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVE-2020-15270

Parse Server (parse-server) Vulnerability CVE-2020-15270: the Live Query mechanism allowed broadcasting subscription objects to clients with invalid/expired sessions because the session token validation was not enforced after the WebSocket connection was established. The issue is described in mul...

PT-2020-14328 · Parse · Parse Server

Name of the Vulnerable Software and Affected Versions: Parse Server versions 4.3.0 Description: The issue allows clients with expired sessions to still receive subscription objects because Parse Server broadcasts events to all clients without checking if the session token is valid. It is not...

CVE-2020-27197

TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the nonetwork setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxml library...

PYSEC-2020-59

DISPUTED TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the nonetwork setting is used for the XML parser. NOTE: the vendor points out that the parse method "wraps the lxm...

PT-2020-16660 · Eclecticiq +2 · Opentaxii +2

Name of the Vulnerable Software and Affected Versions: TAXII libtaxii versions 1.1.117 and earlier EclecticIQ OpenTAXII versions 0.2.0 and earlier Description: The issue allows SSRF via an initial http:// substring to the parse method, even when the no network setting is used for the XML parser...

Cross-Site Scripting (XSS)

dompurify is vulnerable to cross-site scripting XSS. A mutation XSS vulnerability exists as a serialize-parse roundtrip does not return the original DOM tree, causing a namespace change from HTML to MathML via FORM elements...

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

UBUNTU-CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements...

Pastego - Scrape/Parse Pastebin Using GO And Expression Grammar (PEG)

Scrape/Parse Pastebin using GO and grammar expression PEG. Installation $ go get -u github.com/notdodo/pastego Usage Search keywords are case sensitive pastego -s "password,keygen,PASSWORD" You can use boolean operators to reduce false positive pastego -s "quake && earthquake, password && php ||...

Mozilla: Out of bound read in Date.parse()

Due to confusion processing a hyphen character in Date.parse, a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox 78...

kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c

An out-of-bounds write flaw was found in the Linux kernel. An empty nodelist in mempolicy.c is mishandled durig mount option parsing leading to a stack-based out-of-bounds write. The highest threat from this vulnerability is to system availability...