CVE-2023-30840 On a compromised node, the fluid-csi service account can be used to modify node specs

Fluid is an open source Kubernetes-native distributed dataset orchestrator and accelerator for data-intensive applications. Starting in version 0.7.0 and prior to version 0.8.6, if a malicious user gains control of a Kubernetes node running fluid csi pod controlled by the csi-nodeplugin-fluid...

matrix-js-sdk Prototype Pollution vulnerability

Impact Events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting...

SUSE CVE-2023-28114

cilium-cli is the command line interface to install, manage, and troubleshoot Kubernetes clusters running Cilium. Prior to version 0.13.2,cilium-cli, when used to configure cluster mesh functionality, can remove the enforcement of user permissions on the etcd store used to mirror local cluster...

Medium: sysstat

Issue Overview: sysstat is a set of system performance tools for the Linux operating system. On 32 bit systems, in versions 9.1.16 and newer but prior to 12.7.1, allocatestructures contains a sizet overflow in sacommon.c. The allocatestructures function insufficiently checks bounds before...

CVE-2023-26047 teler-waf contains detection rule bypass via entities payload

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used...

SUSE CVE-2021-37678

TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses yaml.unsafeload which can perform arbitrary code execution...

SUSE CVE-2021-41186

Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parserapache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service ReDoS vulnerability. A broken apache log with a certain pattern of string ca...

SUSE CVE-2021-45261

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the anotherhunk function, which causes a Denial of Service...

SUSE CVE-2022-45442

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is...

CVE-2023-23928 reason-jose ignores signature checks

reason-jose is a JOSE implementation in ReasonML and OCaml.Jose.Jws.validate does not check HS256 signatures. This allows tampering of JWS header and payload data if the service does not perform additional checks. Such tampering could expose applications using reason-jose to authorization bypass...

CVE-2023-22500 glpi Unauthorized access to inventory files

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by...

CVE-2014-125079 agy pontifex.http Http.coffee sql injection

A vulnerability was found in agy pontifex.http. It has been declared as critical. This vulnerability affects unknown code of the file lib/Http.coffee. The manipulation leads to sql injection. Upgrading to version 0.1.0 is able to address this issue. The name of the patch is...

PT-2023-9995 · Ziftr · Ziftr Primecoin

Name of the Vulnerable Software and Affected Versions: Ziftr primecoin versions up to 0.8.4rc1 Description: A vulnerability was found in the function HTTPAuthorized of the file src/bitcoinrpc.cpp. The manipulation of the argument strUserPass/strRPCUserColonPass leads to observable timing...

GHSA-F8CC-G7J8-XXPM XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow

Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead...

CVE-2022-23555 authentik vulnerable to Improper Authentication via invitation URL token reuse

authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one...

CVE-2021-32692

Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a...

CVE-2022-23543 HTML attributes when attaching a YouTube link to the post

Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped...

CVE-2022-23507 Light client verification not taking into account chain ID

Tendermint is a high-performance blockchain consensus engine for Byzantine fault tolerant applications. Versions prior to 0.28.0 contain a potential attack via Improper Verification of Cryptographic Signature, affecting anyone using the tendermint-light-client and related packages to perform ligh...

CVE-2022-23514 Inefficient Regular Expression Complexity in Loofah

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a...

PT-2022-25999 · Nadesiko3 · Nadesiko3

Name of the Vulnerable Software and Affected Versions: Nadesiko3 PC Version versions 3.3.61 and earlier Nadesiko3 PC Version versions 3.3.68 and earlier Description: The issue allows a remote attacker to execute an arbitrary OS command when processing compression and decompression on the product...