978 matches found
CVE-2023-37274 Python code execution sandbox escape in non-docker version in Auto-GPT
Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. When Auto-GPT is executed directly on the host system via the provided run.sh or run.bat files, custom Python code execution is sandboxed using a temporary dedicated docker container which...
CVE-2023-37273 Docker escape in Auto-GPT when running from docker-compose.yml included in git repo
Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. Running Auto-GPT version prior to 0.4.3 by cloning the git repo and executing docker compose run auto-gpt in the repo root uses a different docker-compose.yml file from the one suggested i...
CVE-2023-37273 Docker escape in Auto-GPT when running from docker-compose.yml included in git repo
Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. Running Auto-GPT version prior to 0.4.3 by cloning the git repo and executing docker compose run auto-gpt in the repo root uses a different docker-compose.yml file from the one suggested i...
Auto-GPT 代码注入漏洞
Auto-GPT is an artificial intelligence software agent program open-sourced by Significant Gravitas. A code injection vulnerability exists in Auto-GPT versions prior to 0.4.3, which stems from a docker-compose.yml file located in the repository root directory that installs itself into a docker...
CVE-2023-36456 Authentik lacks Proxy IP headers validation
authentik is an open-source Identity Provider. Prior to versions 2023.4.3 and 2023.5.5, authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. Only authentik setups that are directly accessible by users without a reverse proxy a...
CVE-2023-36830
SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the librarypath config value to allow arbitrary python code to be executed via macros. For many users wh...
CVE-2023-36830
CVE-2023-36830 affects SQLFluff prior to v2.1.2 where an attacker with access to config files could abuse the library_path setting to execute arbitrary Python code via Jinja/macros. The issue arises when untrusted users can view or modify config and leverage library_path to reach Python execution...
CVE-2023-36830 SQLFluff vulnerability for users with access to config file, using `library_path` to call arbitrary python code.
SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the librarypath config value to allow arbitrary python code to be executed via macros. For many users wh...
CVE-2023-36830
SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the librarypath config value to allow arbitrary python code to be executed via macros. For many users wh...
CVE-2023-36258
An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used...
CVE-2023-36258
An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used...
CVE-2023-36258
An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used...
HackerOne: Internal machine learning API endpoint for CWE classification is vulnerable to path traversal
Vulnerability description not provided...
XWiki Platform 注入漏洞
XWiki Platform is a suite of Wiki platforms for creating collaborative web applications from the French company XWiki. XWiki Platform suffers from an injection vulnerability, which stems from improper escaping of Invitation.InvitationCommon, that allows any user with view privileges to execute...
PT-2023-22295 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.1 XWiki Platform versions prior to 15.0-rc-1 Description: The issue allows any user with edit rights on a page to execute...
CVE-2023-29211 org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wiki...
XWiki Commons 代码注入漏洞
XWiki Commons is a technology library shared by several other top XWiki projects. A security vulnerability exists in XWiki Commons, which stems from the fact that any user with editing privileges can execute arbitrary Groovy, Python, or Velocity code in XWiki to gain full access to the XWiki...
XWiki Platform 代码注入漏洞
XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the French company XWiki. A security vulnerability exists in XWiki Platform that originates from the ability of any user to execute arbitrary Groovy, Python or Velocity code in XWiki...
Sysax Multi Server 6.95 - (Password) Denial of Service Exploit
Exploit Title: Sysax Multi Server 6.95 - 'Password' Denial of Service PoC Discovery by: Luis Martinez Vendor Homepage: https://www.sysax.com/ Software Link: https://www.sysax.com/download/sysaxservsetup.msi Tested Version: 6.95 Vulnerability Type: Denial of Service DoS Local Tested on OS: Windows...
PT-2023-21155 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.7 XWiki Platform versions prior to 14.10-rc-1 Description: The issue allows any user with view rights to execute arbitrary Groovy, Python, or Velocity code in...