4 matches found

RedhatCVE
added 2025/10/29 3:18 p.m. · 2 views

CVE-2025-34314

IPFire versions prior to 2.29 Core Update 198 contain a stored cross-site scripting (XSS) vulnerability that allows an authenticated attacker to inject arbitrary JavaScript code through the SRC, DST, and COMMENT parameters when creating a time constraint rule. When a user adds a time constraint rul...

CVSS 5.4 · AI score 6 · EPSS 0.00024
Exploits: 0 · References: 1
Cvelist
added 2024/04/16 12:0 a.m. · 18 views

CVE-2024-1483 Path Traversal Vulnerability in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '' instead of '?', an attacker can...

CVSS 7.5 · AI score 7.6 · EPSS 0.73937
Exploits: 1 · References: 1
CVE
added 2024/04/16 12:0 a.m. · 64 views

CVE-2024-3573

The CVE-2024-3573 entry concerns mlflow/mlflow with a Local File Inclusion (LFI) caused by improper parsing of URIs in the is_local_uri logic. The issue misclassifies URIs with empty or file schemes as non-local, enabling an attacker to craft malicious model versions (source parameter) that bypas...

CVSS 9.3 · AI score 9.2 · EPSS 0.00199
Exploits: 1 · References: 2 · Affected Software: 1
Positive Technologies
added 2024/04/15 12:0 a.m. · 1 views

PT-2024-26681 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow (affected versions not specified)
Description: The issue arises from the is_local_uri function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can...

CVSS 9.3 · AI score 9.1 · EPSS 0.00199
Exploits: 1 · References: 13