BIT-TENSORFLOW-2022-36016 `CHECK`-fail in `tensorflow::full_type::SubstituteFromAttrs` in TensorFlow
TensorFlow is an open source platform for machine learning. When `tensorflow::full_type::SubstituteFromAttrs` receives a `FullTypeDef& t` that does not have exactly three args, it triggers a `CHECK`-fail instead of returning a status. We have patched the issue in GitHub commit...
BIT-TENSORFLOW-2022-41895 `MirrorPadGrad` heap out of bounds read in Tensorflow
TensorFlow is an open source platform for machine learning. If MirrorPadGrad is given outsize input paddings, TensorFlow will give a heap OOB error. We have patched the issue in GitHub commit 717ca98d8c3bba348ff62281fdf38dcb5ea1ec92. The fix will be included in TensorFlow 2.11. We will also...
BIT-DISCOURSE-2021-37693 Re-use of email tokens in Discourse
Discourse is an open-source platform for community discussion. In Discourse before versions 2.7.8 and 2.8.0.beta4, when adding additional email addresses to an existing account on a Discourse site an email token is generated as part of the email verification process. Deleting the additional email...
BIT-DISCOURSE-2021-43793 Bypass of Poll voting limits in Discourse
Discourse is an open source discussion platform. In affected versions a vulnerability in the Polls feature allowed users to vote multiple times in a single-option poll. The problem is patched in the latest tests-passed, beta and stable versions of Discourse...
BIT-GRAFANA-2021-41244 Cross organization admin control in Grafana
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a...
BIT-DISCOURSE-2023-28440 Denial of service via admin theme import route in Discourse
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untruste...
BIT-GRAFANA-2022-39324 Grafana vulnerable to spoofing originalUrl of snapshots
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be...
BIT-GRAFANA-2023-1410 Stored XSS in Graphite FunctionDescription tooltip
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized. An attacker needs to have contro...
BIT-DISCOURSE-2023-44391 Prevent unauthorized access to summary details in Discourse
Discourse is an open source platform for community discussion. User summaries are accessible to anonymous users even when `hide_user_profiles_from_public` is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 versions of Discourse. Users are advised to upgrade. There are no know...
Code injection
Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logg...
Synacor Zimbra Security Vulnerability
Synacor Zimbra is an open source email collaboration platform from Synacor, Inc. in the United States. A security vulnerability exists in Synacor Zimbra Collaboration. An attacker could exploit the vulnerability to inject DOM-based JavaScript...
Design/Logic Flaw
Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This...
Mattermost Denial of Service Vulnerability (CNVD-2023-9963037)
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a denial-of-service vulnerability that stems from an inability to handle empty request bodies in an add endpoint, which could be exploited by an attacker to send a request with ...
Silverpeas Security Vulnerabilities
Silverpeas is an open source business collaboration platform. The platform includes applications for project management, blogs, forums and document management. A security vulnerability exists in Silverpeas Core 6.3.1 and earlier versions, which stems from the vulnerability of the application to...
Mattermost Information Disclosure Vulnerability (CNVD-2023-9769937)
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a security vulnerability that originates in the public/metrics endpoint displaying channel IDs. An attacker could exploit this vulnerability to cause an information disclosure...
EverShop Security Breach
EverShop is a NodeJS e-commerce platform open-sourced by EverShop. A security vulnerability exists in EverShop versions prior to 1.0.0-rc.8, which stems from the presence of a directory traversal vulnerability that allows remote attackers to obtain sensitive information via a crafted request...
GitLab Security Breach
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (Continuous Integration and Continuous Delivery), and other features. GitLab has a security vulnerability that stems from a patch that could be...
MISP Security Vulnerabilities
MISP is an open source software solution. The product is used to collect, store, distribute, and share cybersecurity metrics and has features such as threat cybersecurity event analysis and malware analysis. A security vulnerability exists in MISP versions prior to 2.4.176 that stems from...
MISP Security Vulnerabilities
MISP is an open source software solution. The product is used to collect, store, distribute, and share cybersecurity metrics and has features such as threat cybersecurity event analysis and malware analysis. A security vulnerability exists in MISP versions prior to 2.4.176, which stems from...
GitLab Security Breach
GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (Continuous Integration and Continuous Delivery), and other features. A security vulnerability exists in GitLab that stems from allowing an attacker...