21 matches found
CVE-2024-28181
turboboost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should...
CVE-2023-26049
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " double...
CVE-2021-21705
CVE-2021-21705 describes an SSRF bypass in PHP’s URL validation via filter_var(..., FILTER_VALIDATE_URL). Affected are PHP versions: 7.3.x below 7.3.29, 7.4.x below 7.4.21, and 8.0.x below 8.0.8. The issue allows a URL with an invalid password field to be accepted as valid, potentially causing in...
CVE-2021-21705
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and...
JavaScriptCore GetterSetter Type Confusion
JSC: GetterSetter type confusion during DFG compilation The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: let notAGetterSetter =...
JavaScriptCore - GetterSetter Type Confusion During DFG Compilation
The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: let notAGetterSetter = whatever: 42; function v2v5 const v10 = Object; if v5 const v1...
macOS iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles
macOS iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles While fuzzing JSC, I encountered the following JS program which crashes JSC from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: // Run with --useConcurrentJIT=false...
mini_httpd Buffer Overflow Vulnerability
The htpasswd implementation of mini_httpd is affected by a buffer overflow that can be exploited remotely to perform code execution. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders...
thttpd Buffer Overflow Vulnerability
The htpasswd implementation of thttpd is affected by a buffer overflow that can be exploited remotely to perform code execution.
Ox gem crashes due to a crafted input
In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication...
GHSA-PJJ4-W39G-PW54 Ox gem crashes due to a crafted input
In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication...
Design/Logic Flaw
DISPUTED pmach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related to canPack and unpack functions. NOTE: the vendor has stated "there is no security implicati...
CVE-2017-16869
pmach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related to canPack and unpack functions. NOTE: the vendor has stated "there is no security implication...
CVE-2017-16869
pmach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related to canPack and unpack functions. NOTE: the vendor has stated "there is no security implication...
CVE-2017-16869
pmach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related to canPack and unpack functions. NOTE: the vendor has stated "there is no security implication...
CVE-2017-15928
In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication...
Information disclosure
In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated "Ox should handle the error more gracefully" but has not confirmed a security implication...
Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
Doorkeeper failed to implement OAuth 2.0 Token Revocation RFC 7009 in the following ways: 1. Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked 2. Requests were not properly authenticating the client credentials but were, instead, looking at th...
Localize: infinite number of new project creation!
Hello, To be honest, I'm not sure if there are any real security implications of this bug, but it's something which should be fixed as soon as possible. With this bug, an attacker can create thousands of new projects in less than 5 minutes! http://www.localize.io/pages/createproject I Explained Total...
Fedora Core 6 : perl-Net-DNS-0.60-1.fc6 (2007-609)
This brings FC-6 up to date with the latest changes to Net::DNS. See the project page here : http://search.cpan.org/olaf/Net-DNS-0.60/ The change for this upstream issue is included : http://rt.cpan.org/Public/Bug/Display.html?id=23961 Since this fix has security implications making DNS spoofing...