Code Extension Marketplace: Zip Slip Path Traversal
Zip Slip Path Traversal in coder/code-marketplace. Summary: A Zip Slip (CWE-22) vulnerability in coder/code-marketplace ≤ v2.4.1 allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Jo...
GO-2025-4039 OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao
OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...
EUVD-2023-1516
Malicious code in bioql PyPI...
Deserialization of untrusted data
Torrentpier version 2.4.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to insecure deserialization...
CVE-2023-33779
CVE-2023-33779 affects XXL-JOB v2.4.1. A lateral privilege escalation exists where a crafted POST to the "/jobinfo/" endpoint allows a user to execute arbitrary commands on another user’s account. The PT-2023-24485 document corroborates the affected version and endpoint. No exploit code is provid...
CVE-2022-23512 Metersphere is vulnerable to Path Injection.
MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value testId in new...
Argo CD's external URLs for Deployments can include JavaScript
Impact: All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions, up to and including admin. The scri...
WordPress Sell Media Cross-Site Scripting Vulnerability
The WordPress plugin Sell Media is a tailored e-commerce solution that allows you to sell photos, prints, and videos through your self-hosted WordPress website. A cross-site scripting vulnerability exists in the /inc/class-search.php file in WordPress Sell Media v2.4.1. The vulnerability stems fr...
Fedora 20 : icecast-2.4.1-1.fc20 (2014-16394)
- fix CVE-2014-9091 1168146, 1168147, 1168148, 1168149
- fix CVE-2014-9018 1165880, 1165882, 1165883, 1165885
- enabled fully hardened build 954320
- update new to release v2.4.1 1101950
- added doc-subpkg
Note that Tenable Network Security has extracted the preceding description block directly from th...
Fedora 19 : icecast-2.4.1-1.fc19 (2014-16483)
- fix CVE-2014-9091 1168146, 1168147, 1168148, 1168149
- fix CVE-2014-9018 1165880, 1165882, 1165883, 1165885
- enabled fully hardened build 954320
- update new to release v2.4.1 1101950
- added doc-subpkg
Note that Tenable Network Security has extracted the preceding description block directly from th...
[Suspected Spam] eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities
Title: eSyndiCat Pro v2.4.1 - Multiple Web Vulnerabilities
Date: 2012-05-19
References: http://www.vulnerability-lab.com/getcontent.php?id=575
VL-ID: 575
Common Vulnerability Scoring System: 7.1
Introduction: ...