PT-2020-19725 · Npm · Templ8

Name of the Vulnerable Software and Affected Versions: templ8 versions prior to 0.0.45 Description: The issue concerns Prototype Pollution via the parse function. This affects all versions of the templ8 package up to and including 0.0.44. Recommendations: For versions prior to 0.0.45, update to...

Prototype Pollution

Overview locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Prototype Pollution via the php.strings.parsestr function. POC: const locutus = require'locutus';...

PT-2020-19723 · Phpjs · Phpjs

Name of the Vulnerable Software and Affected Versions: phpjs versions prior to 1.3.2 and possibly later, as all versions are mentioned as vulnerable in one source, but another source specifies up to 1.3.2. Description: The issue concerns Prototype Pollution via the parse str function. This affect...

The vulnerability of the parse_query method (class-wp-query.php) in the WordPress content management system allows a hacker to access confidential data.

The vulnerability of the parsequery method class-wp-query.php in the WordPress content management system is related to the lack of protection for sensitive data. Exploiting this vulnerability could allow a malicious actor to gain access to confidential information...

The vulnerability of the parse_report() function in the whoopsie error logging service allows a violator to trigger a service failure.

The vulnerability of the parsereport function in the whoopsie error reporting service is related to an uncontrolled resource consumption. Exploiting this vulnerability could allow a perpetrator to cause a service failure using a specially crafted file...

CVE-2020-11937

In whoopsie, parsereport from whoopsie.c allows a local attacker to cause a denial of service via a crafted file. The DoS is caused by resource exhaustion due to a memory leak. Fixed in 0.2.52.5ubuntu0.5, 0.2.62ubuntu0.5 and 0.2.69ubuntu0.1...

Command Injection

Overview json is a 'json' command tool for massaging and processing JSON on the command line. Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbritary commands using the parseLookup function. PoC const json = require'json'; res =...

Whoopsie Resource Management Error Vulnerability

Whoopsie is a bug reporting program for Ubuntu Linux. A resource management error vulnerability exists in the 'parsereport' function of the whoopsie.c file in Whoopsie. A local attacker could exploit this vulnerability to cause a denial of service memory leak...

USN-4298-2 sqlite3 vulnerabilities

USN-4298-1 fixed several vulnerabilities in SQLite. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that SQLite incorrectly handled certain shadow tables. An attacker could use this issue to cause SQLite to crash, resulting in a...

PT-2020-5864 · Php +9 · Php +9

Name of the Vulnerable Software and Affected Versions: PHP versions 7.2.x through 7.2.32 PHP versions 7.3.x through 7.3.20 PHP versions 7.4.x through 7.4.8 Description: The issue is related to the phar parse zipfile function in PHP, which can be tricked into accessing freed memory when processing...

PT-2020-19722

Name of the Vulnerable Software and Affected Versions express-fileupload versions prior to 1.1.8 Description The issue allows for denial of service or arbitrary code execution when a corrupt HTTP request is sent and the parseNested option is enabled. Recommendations For express-fileupload version...

Prototype Pollution

Overview express-fileupload is a file upload middleware for express that wraps around busboy. Affected versions of this package are vulnerable to Prototype Pollution. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution...

OSV-2020-1436 Heap-buffer-overflow in dotnet_parse_com

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8901 Crash type: Heap-buffer-overflow READ 4 Crash state: dotnetparsecom dotnetload yrmodulesload...

OSV-2020-1386 Heap-buffer-overflow in parse_relocation_info

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24400 Crash type: Heap-buffer-overflow READ 4 Crash state: parserelocationinfo getrelocs64 relocs...

OpenDMARC Resource Management Error Vulnerability

OpenDMARC is an open source implementation of the DMARC Domain-based Message Authentication, Reporting and Conformance specification from The Trusted Domain project. A resource management error vulnerability exists in the 'opendmarcxmlparse' function in OpenDMARC versions 1.3.2 and earlier and...

PT-2020-4942 · Trustwave +2 · Opendmarc +2

Name of the Vulnerable Software and Affected Versions: OpenDMARC versions 1.3.2 and 1.4.x through 1.4.0-Beta1 Description: The issue is related to improper null termination in the opendmarc xml parse function, which can result in a one-byte heap overflow in opendmarc xml when parsing a specially...

ots:ots-fuzzer: Use-of-uninitialized-value in ots::OpenTypeGVAR::Parse

Project: https://github.com/khaledhosny/ots.git Detailed Report: https://oss-fuzz.com/testcase?key=5742168799707136 Project: ots Fuzzing Engine: libFuzzer Fuzz Target: ots-fuzzer Job Type: libfuzzermsanots Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State:...

Information Disclosure

parse is vulnerable to information disclosure. The setPassword function stores the user's password in localStorage as raw text, allowing a user to access the localStorage and obtain the password...

3vot-salesforce-proxy (>=0.0.1 <=0.1.6), @adncorp/parse-server (>=2.0.0 <=2.10.4) +189 more potentially affected by unknown CVE via parse (>=1.10.1 <=2.0.1)

parse NPM version =1.10.1, =0.0.1, =2.0.0, =2.2.11, =2.8.1, =2.2.7, =0.0.2, =1.0.0, =4.0.1, =2.2.7, =1.0.0, =0.1.0, =0.2.0, =1.0.0, =3.0.0, =3.0.10 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WVH7-5P38-2QFC...

Storing Password in Local Storage

The setPassword method http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.htmlsetPassword stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the...