806 matches found

Nextcloud
added 2021/07/12 9:19 a.m. · 28 views

Lack of ratelimit on public DAV endpoint

None...

CVSS 7.5 · AI score 7.2 · EPSS 0.00572
Exploits 0 · References 2 · Affected Software 1
Nextcloud
added 2021/07/12 9:15 a.m. · 35 views

Filenames not escaped by default in controllers using DownloadResponse

None...

CVSS 8.8 · AI score 8 · EPSS 0.00812
Exploits 0 · References 2 · Affected Software 1
OSV
added 2021/07/01 5:2 p.m. · 12 views

GHSA-PHJ8-4CQ3-794G Unencrypted storage of client side sessions

Impact The default configuration of client side sessions results in unencrypted, but signed, data being set as cookie values. This means that if something sensitive goes into the session, it could be read by something with access to the cookies. Note: the documentation does point this out and...

CVSS 6.5 · AI score 7.2 · EPSS 0.00072
Exploits 0 · References 4
Nextcloud
added 2021/06/17 10:30 a.m. · 29 views

Malicious Android application can crash the Nextcloud Android Client

None...

CVSS 5.5 · AI score 5.5 · EPSS 0.00236
Exploits 1 · References 2 · Affected Software 1
Gitee
added 2021/06/03 10:18 a.m. · 1 view

metasploit-framework

This repository is an offensive tool for Metasploit Framework. The Metasploit Framework is a powerful tool for penetration testing and vulnerability assessment. It provides a comprehensive platform for identifying and exploiting vulnerabilities in various systems and applications. The framework...

AI score 7.1
Exploits 0
Gitee
added 2021/05/23 3:10 p.m. · 3 views

monkey

This is a Python script repository for a tool called "Infection Monkey". The tool is designed to simulate a cyber attack on a network by injecting malware into the network and observing the behavior of the malware as it spreads. The script is written in Python and uses the "monkey" framework to...

AI score 7.1
Exploits 0
OSV
added 2021/05/19 11:2 p.m. · 18 views

GHSA-HF44-3MX6-VHHW Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service.

Impact The regex injection that may lead to Denial of Service. Patches Will be patched in 2.4 and 3.0 Workarounds Versions lower than 2.x are only affected if the navigation module is added References See this pull request for the fix: https://github.com/graphhopper/graphhopper/pull/2304 If you...

CVSS 6.5 · AI score 6.5 · EPSS 0.00376
Exploits 0 · References 4
Prion
added 2021/05/13 7:15 p.m. · 6 views

Code injection

GraphHopper is an open-source Java routing engine. In GraphHopper from version 2.0 and before version 2.4, there is a regular expression injection vulnerability that may lead to Denial of Service. This has been patched in 2.4 and 3.0 See this pull request for the fix:...

CVSS 4 · AI score 6.5 · EPSS 0.00376
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2021/05/13 6:15 p.m. · 11 views

CVE-2021-29506 Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service.

GraphHopper is an open-source Java routing engine. In GraphHopper from version 2.0 and before version 2.4, there is a regular expression injection vulnerability that may lead to Denial of Service. This has been patched in 2.4 and 3.0 See this pull request for the fix:...

CVSS 6.5 · AI score 6.7 · EPSS 0.00376
Exploits 0 · References 3
OSV
added 2021/05/11 12:15 p.m. · 2 views

CVE-2021-31903

In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS...

CVSS 6.1 · AI score 6.4 · EPSS 0.00005
Exploits 0 · References 2
NVD
added 2021/05/11 12:15 p.m. · 10 views

CVE-2021-31903

In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS...

CVSS 6.1 · EPSS 0.00005
Exploits 0 · References 2
Prion
added 2021/05/11 12:15 p.m. · 12 views

Cross site scripting

In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS...

CVSS 4.3 · AI score 6.2 · EPSS 0.00005
Exploits 0 · References 2 · Affected Software 1
The Hacker News
added 2021/04/24 7:18 p.m. · 229 views

Critical RCE Bug Found in Homebrew Package Manager for macOS and Linux

A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher...

AI score 0.1
Exploits 0
Positive Technologies
added 2021/04/15 12:0 a.m. · 2 views

PT-2021-14482 · Unknown +2 · Filecoin-Ffi +2

Name of the Vulnerable Software and Affected Versions: Lotus affected versions not specified Description: The issue concerns BLS signature validation in Lotus, which uses the blst library method VerifyCompressed. This method accepts signatures in two forms: serialized and compressed, allowing BLS...

CVSS 7.5 · AI score 6.7 · EPSS 0.00172
Exploits 1 · References 9
CNNVD
added 2021/04/13 12:0 a.m. · 1 view

Microsoft Visual Studio Code code injection vulnerability

Microsoft Visual Studio Code is an open source code editor from Microsoft Corporation USA. A code injection vulnerability exists in Microsoft Visual Studio Code, which stems from a GitHub pull request and a remote code execution vulnerability in the extension in question...

CVSS 7.8 · AI score 8.2 · EPSS 0.12134
Exploits 0 · References 4
Veracode
added 2021/04/07 4:20 a.m. · 14 views

Privilege Escalation

projen is vulnerable to privilege escalation. The vulnerability exists because a workflow can be triggered by an issue comment on the pull request...

CVSS 8.1 · AI score 3.5 · EPSS 0.00672
Exploits 0 · References 3 · Affected Software 1
Prion
added 2021/04/06 7:15 p.m. · 14 views

Design/Logic Flaw

projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project type...

CVSS 5.5 · AI score 8.2 · EPSS 0.00672
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2021/04/06 6:35 p.m. · 18 views

CVE-2021-21423 Exposure of Version-Control Repository to an Unauthorized Control Sphere in projen

projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project type...

CVSS 6.8 · AI score 8.4 · EPSS 0.00672
Exploits 0 · References 3
NVD
added 2021/03/03 4:15 a.m. · 14 views

CVE-2021-22863

An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker woul...

CVSS 8.1 · EPSS 0.00348
Exploits 0 · References 4
OSV
added 2021/03/03 4:15 a.m. · 3 views

CVE-2021-22863

An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker woul...

CVSS 8.1 · AI score 5.8
Exploits 0 · References 4