Server side request forgery (ssrf)

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

CVE-2024-23633 Label Studio XSS Vulnerability on Data Import

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

CVE-2024-23633

CVE-2024-23633 affects Label Studio (open‑source data labeling tool) prior to version 1.10.1. The issue arises in the remote import feature: when a URL is fetched, the server uses the URL’s filename and returns a file via an API, with the response content type determined by the file’s extension (...

CVE-2024-23633 Label Studio XSS Vulnerability on Data Import

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

CVE-2024-23633 Label Studio XSS Vulnerability on Data Import

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

SUSE CVE-2024-0564

A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging KSM, added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is "max page...

CentOS 7 : firefox (RHSA-2023:4461)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:4461 advisory. - Offscreen Canvas did not properly track cross-origin tainting, which could have been used to access image data from another site in violation of...

CentOS 7 : thunderbird (RHSA-2023:4495)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:4495 advisory. - Thunderbird allowed the Text Direction Override Unicode Character in filenames. An email attachment could be incorrectly shown as being a document...

PT-2024-13785 · Bosch · Bcc102 +3

Name of the Vulnerable Software and Affected Versions: Bosch BCC100 smart thermostat affected versions not specified BCC101/BCC102/BCC50 products affected versions not specified Description: A vulnerability allows an unauthenticated attacker to replace the device’s firmware with a malicious one b...

GitLab 10.6 < 14.1.7 / 14.2 < 14.2.5 / 14.3 < 14.3.1 (CVE-2021-39886)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references...

PT-2023-8494 · Curl +2 · Curl +2

Name of the Vulnerable Software and Affected Versions: curl affected versions not specified Description: The issue is related to a flaw in curl where it inadvertently keeps the SSL session ID for connections in its cache even when the verify status OCSP stapling test failed. This allows a...

CVE-2023-40058

Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager ARM if the threat actor is in the same environment...

Same-Origin Policy Bypass

@koa/cors is vulnerable to Same-Origin Policy Bypass. The vulnerability exists in the index.js because the middleware operates in a way that if an allowed origin is not provided by default, it will return an Access-Control-Allow-Origin header with the value set to the origin from the request. Thi...

CVE-2023-49803

@koa/cors npm provides Cross-Origin Resource Sharing CORS for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request...

CVE-2023-49803 @koa/cors has overly permissive origin policy

@koa/cors npm provides Cross-Origin Resource Sharing CORS for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request...

CVE-2023-49803 @koa/cors has overly permissive origin policy

@koa/cors npm provides Cross-Origin Resource Sharing CORS for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request...

Overly permissive origin policy

Currently, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy SOP,...

GHSA-QXRJ-HX23-XP82 Overly permissive origin policy

Currently, the middleware operates in a way that if an allowed origin is not provided, it will return an Access-Control-Allow-Origin header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy SOP,...

PT-2023-31361 · Npm · @Koa/Cors

Name of the Vulnerable Software and Affected Versions: @koa/cors versions prior to 5.0.0 Description: The @koa/cors middleware for the koa web framework in Node.js has a security issue where it returns an Access-Control-Allow-Origin header with the value of the origin from the request if an allow...

PT-2023-31423 · Dalmann · Ocpp.Core

Name of the Vulnerable Software and Affected Versions: Dalmann OCPP.Core versions prior to 1.3.0 Description: An issue was discovered in Dalmann OCPP.Core for OCPP Open Charge Point Protocol for electric vehicles. It permits multiple transactions with the same connectorId and idTag, contrary to t...