384 matches found
CVE-2024-55890 D-Tale allows Remote Code Execution through the Custom Filter Input
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability...
GHSA-C2PC-G5QF-RFRF league/commonmark's quadratic complexity bugs may lead to a denial of service
Impact Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service. Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case...
league/commonmark's quadratic complexity bugs may lead to a denial of service
Impact Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service. Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case...
CVE-2024-11079
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within...
CVE-2024-41744
IBM CICS TX Standard 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts...
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Impact This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Patches Will be patched in 14.3.1 and 15.0.0. Workarounds...
CVE-2024-47819
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the...
CVE-2024-47819 Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the...
CVE-2024-47819 Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the...
IBM Watson Studio Local 跨站请求伪造漏洞
IBM Watson Studio Local is a suite of collaborative data processing solutions from International Business Machines IBM. The product includes features such as data analysis, data visualization, data cleansing and streaming data extraction. A cross-site request forgery vulnerability exists in IBM...
CVE-2024-45537
Apache Druid CVE-2024-45537 describes a vulnerability where an authenticated user can bypass authorization by sending a specially crafted MySQL JDBC connection string that includes properties not on the allow list, enabling access to read data from other databases via JDBC. The issue stems from i...
PT-2024-31697
Name of the Vulnerable Software and Affected Versions: D-Tale versions prior to 3.14.1 Description: D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. The issue is...
CVE-2024-22281
UNSUPPORTED WHEN ASSIGNED The Apache Helix Front UI component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front UI: all versions. As this project is retired, we do not plan to release a version that...
CVE-2024-22281 Apache Helix Front (UI): Helix front hard-coded secret in the express-session
UNSUPPORTED WHEN ASSIGNED The Apache Helix Front UI component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front UI: all versions. As this project is retired, we do not plan to release a version that...
CVE-2024-36448
UNSUPPORTED WHEN ASSIGNED Server-Side Request Forgery SSRF vulnerability in Apache IoTDB Workbench. This issue affects Apache IoTDB Workbench: from 0.13.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restri...
tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users
Impact What kind of vulnerability is it? Who is impacted? Low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via tgstation-server requiring a separate,...
PT-2024-36330 · WordPress · Bible Text Wordpress Plugin
Name of the Vulnerable Software and Affected Versions: The Bible Text WordPress plugin versions 0.2 and earlier Description: The issue is related to the lack of validation and escaping of some shortcode attributes in the plugin, which could allow users with the contributor role and above to perfo...
CVE-2024-36263
UNSUPPORTED WHEN ASSIGNED Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: all versions. As this project is retired, we do not plan to release a version that fixes thi...
CVE-2024-36265 Apache Submarine Server Core: authorization bypass
UNSUPPORTED WHEN ASSIGNED Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or...
CVE-2024-32969
vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know the passwords, and...