FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment

Summary A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side...

PT-2026-34605

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when safeMode is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit...

Silverstripe Assets Module has a DBFile::getURL() permission bypass

Impact Images rendered in templates or otherwise accessed via DBFile::getURL or DBFile::getSourceURL incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidt...

EUVD-2021-9403

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2021-22257

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions...

CVE-2021-22257

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user...

CVE-2024-6336

A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a depende...

UBUNTU-CVE-2024-2191

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only...

Anyone can open any position with no init period

Lines of code Vulnerability details Impact Anyone can immediately open a malicious position by calling openPosition... and passing 0 as initPeriodSeconds. Proof of Concept The function on line has public visibility, whereas I suspect it should be private. This effectively means anyone can mint an...

CVE-2021-22257

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user...

Design/Logic Flaw

An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user...

PT-2021-14919 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 14.0 through 14.0.8 GitLab versions 14.1 through 14.1.3 GitLab versions 14.2 through 14.2.1 Description: An issue has been discovered in GitLab where the route for "/user.keys" is not restricted on instances with public...

GitLab Information Disclosure Vulnerability (CNVD-2022-23495)

GitLab is a self-hosted, Git version control system project repository application developed in Ruby on Rails by GitLab, Inc. GitLab is vulnerable to an information disclosure vulnerability caused by an unrestricted instance of the application's "/user.keys" route that disables public visibility...

CVE-2021-33038

An issue was discovered in management/commands/hyperkittyimport.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during...

PYSEC-2021-77

An issue was discovered in management/commands/hyperkittyimport.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during...

CVE-2021-33038

An issue was discovered in management/commands/hyperkittyimport.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during...

CVE-2021-33038

An issue was discovered in management/commands/hyperkittyimport.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during...

CVE-2020-36286

The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly...

yara:rules_fuzzer: Use-of-uninitialized-value in yr_hash

Project: https://github.com/VirusTotal/yara.git Detailed Report: https://oss-fuzz.com/testcase?key=5641498071400448 Project: yara Fuzzing Engine: libFuzzer Fuzz Target: rulesfuzzer Job Type: libfuzzermsanyara Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State:...

mpg123/decode_fuzzer: Heap-buffer-overflow in INT123_parse_new_id3

Detailed report: https://oss-fuzz.com/testcase?key=5081170552815616 Project: mpg123 Fuzzer: aflmpg123decodefuzzer Fuzz target binary: decodefuzzer Job Type: aflasanmpg123 Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x6040000000c0 Crash State: INT123parsenewid3...