PYSEC-2020-126

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the fill argument of tf.strings.asstring, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentati...

PYSEC-2020-283

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the fill argument of tf.strings.asstring, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentati...

PYSEC-2020-318

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the fill argument of tf.strings.asstring, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentati...

PYSEC-2020-126

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the fill argument of tf.strings.asstring, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentati...

CVE-2020-15203

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the fill argument of tf.strings.asstring, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed. This may result in segmentati...

CVE-2020-14027

CVE-2020-14027 affects Ozeki NG SMS Gateway up to version 4.17.6, where database connection strings accept custom unsafe arguments (e.g., ENABLE_LOCAL_INFILE). This enables MySQL LOAD DATA LOCAL INFILE attacks via rogue servers. The connected sources confirm the vulnerable component as the databa...

CVE-2020-14027

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The database connection strings accept custom unsafe arguments, such as ENABLELOCALINFILE, that can be leveraged by attackers to enable MySQL Load Data Local rogue MySQL server attacks...

USN-4520-1 sa-exim vulnerability

It was discovered that Exim SpamAssassin does not properly handle configuration strings. An attacker could possibly use this issue to execute arbitrary code. CVE-2019-19920...

Regular Expression Denial Of Service (ReDoS)

locutus is vulnerable to regular expression denial of service ReDoS. An attacker is able to cause a denial of service condition by passing long strings containing repeating a characters followed by multiple a characters...

DEBIAN-CVE-2020-14393

A buffer overflow was found in perl-DBI 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data...

PT-2020-6059 · Github · Ua-Parser-Js

Name of the Vulnerable Software and Affected Versions: ua-parser-js versions prior to 0.7.22 Description: The issue is related to an uncontrolled resource consumption vulnerability in the ua-parser-js library. It may allow a remote attacker to cause a denial of service. The vulnerability is due t...

GHSA-CFJV-5498-MPH5 XSS in Action View

There is a potential Cross-Site Scripting XSS vulnerability in Action View's translation helpers. Views that allow the user to control the default not found value of the t and translate helpers could be susceptible to XSS attacks. Impact When an HTML-unsafe string is passed as the default for a...

Hardcodes - Find Hardcoded Strings From Source Code

hardcodes is a utility for searching strings hardcoded by developers in programs. It uses a modular tokenizer that can handle comments, any number of backslashes & nearly any syntax you throw at it. Yes, it is designed to process any syntax and following languages are officially supported: ada,...

Prototype Pollution

locutus is vulnerable to prototype pollution. The vulnerability exists as the php.strings.parsestr function does not restrict proto, constructor and prototype headers to be set in objects...

RPCbind XDR Parsing Memory Exhaustion Denial of Service (CVE-2017-8779)

A resource exhaustion vulnerability exists in rpcbind, within its associated library libtirpc. The vulnerability is due to an unbounded memory leak when parsing XDR strings. A remote attacker could exploit this vulnerability by sending specially crafted RPC messages to the vulnerable server...

PT-2020-19741 · Locutus · Locutus

Name of the Vulnerable Software and Affected Versions: locutus versions prior to 2.0.12 Description: The issue concerns Prototype Pollution via the php.strings.parse str function. This affects the locutus package, allowing for potential manipulation of objects. Recommendations: For versions prior...

Design/Logic Flaw

In BIG-IP versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, and 14.1.0-14.1.2.6, a BIG-IP virtual server with a Session Initiation Protocol SIP ALG profile, parsing SIP messages that contain a multi-part MIME payload with certain boundary strings can cause TMM to free memory to the wrong cache...

Prototype Pollution

Templ8 is vulnerable to prototype pollution. A lack of validation when parsing query strings via the parse function allows an attacker to inject arbitrary objects and execute arbitrary code...

Prototype Pollution

Overview locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Prototype Pollution via the php.strings.parsestr function. POC: const locutus = require'locutus';...

macaron: open redirect in the static handler

A flaw was found in macaron. Path URLs aren't cleaned before being redirected creating an open redirect in the static handler...