
2284 matches found

Vulnrichment
added 2023/01/14 9:33 a.m. · 16 views

CVE-2023-22602 Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to Ant sty...

7 AI score · 0.00217 EPSS
Exploits: 0 · References: 1

Debian CVE
added 2023/01/14 9:33 a.m. · 32 views

CVE-2023-22602

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to Ant sty...

7.5 CVSS · 7.7 AI score · 0.00217 EPSS
Exploits: 0

Cvelist
added 2023/01/14 9:33 a.m. · 19 views

CVE-2023-22602 Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to Ant sty...

7.9 AI score · 0.00217 EPSS
Exploits: 0 · References: 1

Veracode
added 2023/01/11 4:24 a.m. · 21 views

Regular Expression Denial Of Service (ReDoS)

terminal-kit is vulnerable to regular expression denial of service. The vulnerability exists due to the insecure regex pattern used in multiple functions of the library, allowing an attacker to crash the application by providing malicious strings such as '^'.repeatbigNumber...

7.5 CVSS · 3.9 AI score · 0.00492 EPSS
Exploits: 0 · References: 5 · Affected Software: 1

OSV
added 2023/01/09 8:07 p.m. · 10 views

GHSA-WQQV-JCFR-9F5G PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash

Impact: DyeColorIdMap->fromId() did not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened. This code is indirectly called during Banner->deserializeCompoundTag(), which is invoked when deserializing any item NBT...

7.5 CVSS · 6.9 AI score
Exploits: 0 · References: 4

Code423n4
added 2023/01/09 12:00 a.m. · 5 views

Uninitialized or front-runnable .init function in proxy implementation contract

Lines of code Vulnerability details Uninitialized or front-runnable .init function in proxy implementation contract Impact DoS for all users' smart account proxies leading to locked funds forever. Proof of Concept Nowhere in the code the SmartAccount.sol implementation contract is initialized by...

7.1 AI score
Exploits: 0

Github Security Blog
added 2023/01/05 12:18 p.m. · 70 views

@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)

Impact: The sanitize-svg package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal <script>-tags and on-event handlers were detected: typescript ... const svgEl = div.firstElementChild! const attributes = Array.fromsvgEl.attributes.map name = name const...

7.6 CVSS · 5.8 AI score · 0.00303 EPSS
Exploits: 1 · References: 4 · Affected Software: 1

OSV
added 2023/01/05 12:18 p.m. · 18 views

GHSA-H857-2G56-468G @mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)

Impact: The sanitize-svg package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal <script>-tags and on-event handlers were detected: typescript ... const svgEl = div.firstElementChild! const attributes = Array.fromsvgEl.attributes.map name = name const...

7.6 CVSS · 6.4 AI score · 0.00303 EPSS
Exploits: 1 · References: 4

OSV
added 2023/01/05 11:15 a.m. · 7 views

CVE-2021-4305

A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed ...

7.5 CVSS · 7.6 AI score
Exploits: 0 · References: 4

Positive Technologies
added 2023/01/05 12:00 a.m. · 3 views

PT-2023-12409 · Unknown · Woorank Robots-Txt-Guard

Name of the Vulnerable Software and Affected Versions: Woorank robots-txt-guard (affected versions not specified). Description: A vulnerability was found in the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression...

7.5 CVSS · 4.6 AI score · 0.00492 EPSS
Exploits: 0 · References: 9

Prion
added 2023/01/04 3:15 p.m. · 7 views

Cross site scripting

The sanitize-svg package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal <script>-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on sanitize-sv...

5.8 CVSS · 5.8 AI score · 0.00303 EPSS
Exploits: 1 · References: 2 · Affected Software: 1

Code423n4
added 2023/01/03 12:00 a.m. · 11 views

getStakers() and getMinipools() could return wrong values (Access Control)

Lines of code Vulnerability details Impact Staking.sol and MinipoolManager.sol contracts use the eternal storage pattern. The contracts are a key-value store that all protocol contracts can write to and read. more info: Functions getStakers.staking and getMinipools.MinipoolManager are implemented...

7.3 AI score
Exploits: 0

NVD
added 2022/12/23 2:15 p.m. · 7 views

CVE-2022-46171

Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards *, ?, and [...] match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As...

7.7 CVSS · 0.00509 EPSS
Exploits: 1 · References: 3

Cvelist
added 2022/12/23 1:47 p.m. · 14 views

CVE-2022-46171 Tauri vulnerable to path traversal

Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards *, ?, and [...] match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As...

6.8 CVSS · 7.8 AI score · 0.00509 EPSS
Exploits: 1 · References: 3

CVE
added 2022/12/23 1:47 p.m. · 70 views

CVE-2022-46171

The CVE-2022-46171 entry concerns the Tauri framework, where filesystem glob pattern wildcards (*, ?, [...]) by default match file path literals and leading dots, unintentionally exposing subfolder contents within allowed paths. This is a path traversal risk tied to the fs scope behavior, particu...

7.7 CVSS · 7 AI score · 0.00509 EPSS
Exploits: 1 · References: 3 · Affected Software: 1

OSV
added 2022/12/23 1:47 p.m. · 9 views

CVE-2022-46171 Tauri vulnerable to path traversal

Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards *, ?, and [...] match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As...

6.8 CVSS · 7.3 AI score · 0.00509 EPSS
Exploits: 1 · References: 5

Veracode
added 2022/12/23 8:31 a.m. · 73 views

Regular Expression Denial Of Service (ReDoS)

setuptools is vulnerable to regular expression denial of service. The vulnerability exists due to the insecure regex pattern used for the REL attribute in the find_external_links function of package_index.py, allowing an attacker to crash the application by passing a malicious HTML...

5.9 CVSS · 6 AI score · 0.00513 EPSS
Exploits: 1 · References: 13 · Affected Software: 3

Veracode
added 2022/12/23 5:51 a.m. · 67 views

Regular Expression Denial Of Service (ReDoS)

is_js is vulnerable to regular expression denial of service. The vulnerability exists due to the insecure regex pattern used for URL matching in is.js, allowing an attacker to crash the application by providing malicious URLs...

7.5 CVSS · 7.2 AI score · 0.00272 EPSS
Exploits: 1 · References: 3 · Affected Software: 2

NVD
added 2022/12/22 8:15 p.m. · 7 views

CVE-2022-1834

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown...

6.5 CVSS · 0.00133 EPSS
Exploits: 0 · References: 2

Github Security Blog
added 2022/12/22 8:03 p.m. · 48 views

Tauri Filesystem Scope Glob Pattern is too Permissive

Impact: The filesystem glob pattern wildcards *, ?, and [...] match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Example: The fs scope $HOME/*.key would also allow $HOME/.ssh/secret.key to be read even though it is in a sub director...

7.7 CVSS · 7.1 AI score · 0.00509 EPSS
Exploits: 1 · References: 6 · Affected Software: 1