USN-7351-1: RESTEasy vulnerabilities
Nikos Papadopoulos discovered that RESTEasy improperly handled URL encoding when certain errors occur. An attacker could possibly use this issue to modify the app's behavior for other users through the network. CVE-2020-10688 Mirko Selber discovered that RESTEasy improperly validated user input...
Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : RESTEasy vulnerabilities (USN-7351-1)
The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-7351-1 advisory. Nikos Papadopoulos discovered that RESTEasy improperly handled URL encoding when certain errors occur. An attacker could...
Important: git-lfs
Issue Overview: Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it...
Astra Linux – Vulnerability in Apache2
An encoding problem in the mod_proxy component of the Apache HTTP Server 2.4.59 and earlier versions allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication through crafted requests. Users are recommended to upgrade to version 2.4.60, which...
CVE-2021-4452
The Google Language Translator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in versions up to, and including, 6.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary we...
CVE-2020-26226
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a U...
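The failure mode described in that entry, as an added illustration (this is not semantic-release's own code): a masker that knows only the literal secret leaves the secret readable once a URL serializer has percent-encoded it, for example in the userinfo part of a git remote printed in an error message. Masking every form the secret can take closes the gap. The function names, the `[secure]` placeholder, the sample secret and the sample log line are all constructed for the example.

```typescript
// Added illustration, not semantic-release code. Sample values are constructed.

const MASK = "[secure]";

// Replace every occurrence of `needle` without building a regex, so secrets
// containing regex metacharacters need no escaping.
function replaceAll(text: string, needle: string, replacement: string): string {
  return needle === "" ? text : text.split(needle).join(replacement);
}

// Vulnerable variant: only the literal secret is masked.
export function maskRaw(text: string, secrets: string[]): string {
  let out = text;
  for (const s of secrets) out = replaceAll(out, s, MASK);
  return out;
}

// Every textual form a secret may take once it is placed in a URL. Component
// encoding covers userinfo, path and query placement; the Set drops the
// duplicate for secrets that encode to themselves.
export function secretForms(secret: string): string[] {
  const forms = new Set<string>([secret, encodeURIComponent(secret)]);
  // Longest first: a raw secret such as "a%" is a prefix of its encoded form
  // "a%25", and masking the short form first would leave "[secure]25" behind.
  return Array.from(forms).sort((a, b) => b.length - a.length);
}

// Hardened variant: mask the raw secret and each of its URL-encoded forms.
export function maskAllForms(text: string, secrets: string[]): string {
  let out = text;
  for (const s of secrets) {
    for (const form of secretForms(s)) out = replaceAll(out, form, MASK);
  }
  return out;
}

// Constructed sample: a token containing characters a URL serializer encodes
// ("@" becomes %40, " " becomes %20, "!" is left alone), and a git error line
// that echoes the remote URL with the encoded token in its userinfo.
export const SAMPLE_SECRET = "p@ss word!";
export const SAMPLE_LOG =
  "fatal: unable to access 'https://bot:p%40ss%20word!@git.example/org/repo.git/'";
```

With `maskRaw`, `SAMPLE_LOG` is returned unchanged and the token leaks; with `maskAllForms` the userinfo reads `bot:[secure]`. Other encodings (for instance form encoding, which turns a space into `+`) would need their own entry in `secretForms`.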
AZL-55670 CVE-2024-53263 affecting package git-lfs for versions less than 3.6.1-1
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back fr...
AZL-55644 CVE-2024-53263 affecting package git-lfs for versions less than 3.5.1-4
Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back fr...
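The three git-lfs entries above describe the same defect: a value taken from the remote URL reaches the line-oriented git-credential(1) protocol ("key=value" lines, terminated by a blank line) without a check for embedded line endings. The following is an added illustration, not Git LFS code, of why that matters and of the check that refuses such input. It assumes the caller has already split the remote URL into protocol, host and path; the builder and parser functions, the `CredentialQuery` type and the sample host value are constructed for the example, and no helper process is spawned.

```typescript
// Added illustration, not Git LFS code. Sample values are constructed.

export interface CredentialQuery {
  protocol: string;
  host: string;
  path?: string;
}

// Unchecked builder: values are interpolated exactly as received, so a "\n"
// inside `host` ends the host line and starts a new line the consumer will
// read as a further key=value pair.
export function buildCredentialInputUnchecked(q: CredentialQuery): string {
  let out = `protocol=${q.protocol}\nhost=${q.host}\n`;
  if (q.path !== undefined) out += `path=${q.path}\n`;
  return out + "\n";
}

// Read a request back the way a line-oriented consumer would: one key per
// line, a later key replacing an earlier one, a blank line ending the request.
export function parseCredentialInput(input: string): Map<string, string> {
  const fields = new Map<string, string>();
  for (const line of input.split("\n")) {
    if (line === "") break;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    fields.set(line.slice(0, eq), line.slice(eq + 1));
  }
  return fields;
}

// Hardened builder: any value carrying CR, LF or NUL is refused rather than
// forwarded, because none of them can appear in a legitimate host or path.
const CONTROL = /[\r\n\x00]/;

export function buildCredentialInput(q: CredentialQuery): string {
  const values: Array<[string, string | undefined]> = [
    ["protocol", q.protocol],
    ["host", q.host],
    ["path", q.path],
  ];
  for (const [key, value] of values) {
    if (value !== undefined && CONTROL.test(value)) {
      throw new Error(`credential query refused: ${key} contains a line ending or NUL`);
    }
  }
  return buildCredentialInputUnchecked(q);
}

// Constructed sample: a host portion that smuggles a second "host=" line.
export const INJECTED_HOST = "example.com\nhost=target.example";

// Which host would the credential helper be asked about? With the unchecked
// builder it is the injected one, so the credentials returned belong to a host
// the user never named, and the caller would then send them onward.
export function hostSeenByHelper(): string {
  const request = buildCredentialInputUnchecked({ protocol: "https", host: INJECTED_HOST });
  return parseCredentialInput(request).get("host") ?? "";
}
```

The real helper's handling of a repeated key is not asserted here; the point is that the injected line is accepted as protocol input at all, which the hardened builder prevents.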
CVE-2024-36498 Stored cross site scripting
Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function...
CVE-2024-48866
An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to put the system into an unexpected state. We have already fixed the vulnerability in the following...
CVE-2024-48866 QTS, QuTS hero
An improper handling of URL encoding (Hex Encoding) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to put the system into an unexpected state. We have already fixed the vulnerability in the following...
CVE-2024-48866
CVE-2024-48866 concerns an improper handling of URL encoding (Hex Encoding) affecting QNAP QTS and QuTS hero. Affected products include QTS 5.1.9.2954 build 20241120 and later, QTS 5.2.2.2950 build 20241114 and later, QuTS hero h5.1.9.2954 build 20241120 and later, and QuTS hero h5.2.2.2952 build...
QNAP Systems QTS and QNAP Systems QuTS hero security vulnerability
QNAP Systems QTS and QNAP Systems QuTS hero are both products of QNAP Systems, Inc. QTS is an entry-level NAS operating system; QuTS hero is a NAS operating system. A security vulnerability exists in QNAP Systems QTS and QNAP Systems QuTS hero that stems from t...
CVE-2024-23983
Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules...
CVE-2024-23983
CVE-2024-23983 concerns Ping Identity PingAccess where improper handling of canonical URL-encoding may bypass request rules. Affected component is PingAccess (central policy engine) with vulnerability enabling bypass due to URL-encoded characters not properly constrained by access rules. Public s...
GHSA-QM92-93FV-VH7M Path traversal in oak allows transfer of hidden files within the served root directory
Summary: By default oak does not allow the transfer of hidden files with the Context.send API. However, this can be bypassed by encoding / as its URL-encoded form %2F. Details: 1. Oak uses decodeComponent, which seems to be unexpected. This is also the reason why it is not possible to access a file that...
PT-2024-33679 · Oak · Oak
Name of the Vulnerable Software and Affected Versions: oak versions prior to 17.1.3. Description: The issue allows an attacker to bypass the default restriction on transferring hidden files using the Context.send API by encoding / as its URL-encoded form %2F. This can potentially lead to reading...
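The two oak entries and the two PingAccess entries (CVE-2024-23983) share one root cause: a path check evaluated on the request path as received, before percent-decoding and dot-segment resolution. `%2F` is then not a separator for a hidden-file check, and `%61dmin` does not match a rule written for `/admin`. The following is an added example, not oak's or PingAccess's code: a raw check of each kind beside a canonicalize-then-check version. The function names, the deny-prefix rule and the sample paths are constructed for the example; `decodeURIComponent` is the standard JavaScript function.

```typescript
// Added example, not oak's or PingAccess's code. Sample paths are constructed.

// Vulnerable hidden-file check: splits the raw path on "/". In
// "/public%2F.env" the only non-empty segment is "public%2F.env", which does
// not start with ".", so the file is served and decoded later as public/.env.
export function isHiddenRaw(requestPath: string): boolean {
  return requestPath.split("/").some((seg) => seg.startsWith("."));
}

// Vulnerable prefix rule: "/%61dmin/users" does not start with "/admin".
export function deniedRaw(requestPath: string, denyPrefix: string): boolean {
  return requestPath === denyPrefix || requestPath.startsWith(denyPrefix + "/");
}

// Canonical form: percent-decode exactly once, reject undecodable input and
// control characters, resolve "." and "..", refuse to climb above the root.
// A trailing "/" is dropped. Decoding only once means "%252F" becomes the
// literal three characters "%2F", which are not a separator; decoding again
// would reintroduce the bug.
export function canonicalize(requestPath: string): string | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(requestPath);
  } catch {
    return null; // malformed escape such as "%zz"
  }
  if (/[\x00-\x1f\x7f]/.test(decoded)) return null;
  const out: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // traversal above the served root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Hardened hidden-file check on the canonical path. null means the request
// could not be canonicalized and must be refused.
export function isHiddenCanonical(requestPath: string): boolean | null {
  const c = canonicalize(requestPath);
  return c === null ? null : c.split("/").some((seg) => seg.startsWith("."));
}

// Hardened prefix rule: fail closed when canonicalization fails.
export function deniedCanonical(requestPath: string, denyPrefix: string): boolean {
  const c = canonicalize(requestPath);
  return c === null || c === denyPrefix || c.startsWith(denyPrefix + "/");
}
```

Run the raw and canonical variants side by side on `/public%2F.env` and `/%61dmin/users` to see the bypass and its fix; `/static/..%2Fadmin/users` shows that encoded dot segments need the same treatment, and `/%2e%2e/etc/passwd` is refused outright.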