127 matches found
CVE-2024-11602 CORS Vulnerability in feast-dev/feast
A Cross-Origin Resource Sharing CORS vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security...
Apache Tomcat RCE Vulnerability (Mar 2025) - Windows
Apache Tomcat is prone to a remote code execution RCE vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
GHSA-83QJ-6FR2-VHQG Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...
CVE-2025-24813
Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...
UBUNTU-CVE-2025-24813
Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...
CVE-2025-24813 Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...
CVE-2025-27137
Summary: CVE-2025-27137 affects Dependency-Track where templates are evaluated with Pebble and can be manipulated via the include tag. Prior to version 4.12.6, users with the SYSTEM_CONFIGURATION permission could exploit include to read arbitrary local files (e.g., /etc/passwd, /proc/1/environ) b...
CVE-2024-6696
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses reads and/or writes to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad becau...
CVE-2024-6696
Hitachi Vantara Pentaho Business Analytics Server exposes an authorization check flaw in the user console trash content across versions prior to 10.2.0.0 and 9.3.0.9 (including 8.3.x). The root cause is insufficient granularity in access controls (CWE-1220), allowing an attacker to bypass protect...
MAL-2025-1355 Malicious code in uzx-dev (npm)
This package runs commands in a pre-install script that exfils sensitive data to a attacker-controlled domain. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 480bcafaaaad658c3b61f5335846df6701c8e8eda0856c45fcd0c1c55babfa1d Any computer that has this package install...
Fixed in Apache Tomcat 9.0.99
Important: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet - CVE-2025-24813 The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator...
CVE-2025-24959 Environment Variable Injection for dotenv API in zx
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for...
Mattermost has Improper Check for Unusual or Exceptional Conditions
Mattermost versions 10.x = 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting...
CVE-2024-52595
lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...
CVE-2024-52595
The CVE-2024-52595 issue affects lxml_html_clean (a cleaning module related to lxml.html.clean). Before version 0.4.0, the HTML Parser mishandles context-switching for tags such as , , and , causing CSS-comment content to be treated inconsistently and potentially enabling XSS in untrusted HTML sa...
CVE-2024-52595 HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...
CVE-2024-52595
lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...
CVE-2020-25720 Samba: check attribute access rights for ldap adds of computers
A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator...
CVE-2020-25720
A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator...