EUVD-2021-16086

Malware in sbrugna...

EUVD-2021-28286

Malicious code in bioql PyPI...

EUVD-2022-6190

Malicious code in bioql PyPI...

EUVD-2022-45049

Malicious code in bioql PyPI...

EUVD-2022-45062

Malicious code in bioql PyPI...

CVE-2024-55662

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server. This vulnerability has been fixed in...

CVE-2023-45138

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an...

GHSA-HG25-W3VG-7279 XSS in the /download Endpoint of the JPA Web API

Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...

Shescape has potential environment variable exposure on Windows with CMD

Impact This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll. An attacker may be able to get read-only access to environment variables. Example: javascript import as cp from "node:childprocess"; import...

CVE-2025-25198

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the Host HTTP header to generate a password reset link pointing to an attacker-controlled domain. This...

CVE-2025-25198 mailcow: dockerized vulnerable to password reset poisoning

mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the Host HTTP header to generate a password reset link pointing to an attacker-controlled domain. This...

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...

CVE-2023-32071 XWiki Platform vulnerable to RXSS via editor parameter - importinline template

XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. This has...

CVE-2022-39268 orchest vulnerable to cross-site request forgery that allows control of a user instance

Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user...

CVE-2022-36006 Authenticated remote code execution due to insecure deserialization (GHSL-2022-063)

Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution RCE vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This...

CVE-2022-29258 Cross-site Scripting in Filter Stream Converter Application in XWiki Platform

XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki Platform Filter UI...

CVE-2022-24823 Local Information Disclosure Vulnerability in io.netty:netty-codec-http

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local syst...

Security Bulletin: Apache Struts v2 Jakarta Multipart parser code execution affects IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation (CVE-2017-5638)

Summary An Apache Struts vulnerability of arbitrary code execution was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation. Vulnerability Details CVEID: CVE-2017-5638 DESCRIPTION: Apache Struts...

[Full-Disclosure] iDEFENSE Security Advisory 02.23.05: Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability

Sun Solaris kcmsconfigure Arbitrary File Corruption Vulnerability iDEFENSE Security Advisory 02.23.05 www.idefense.com/application/poi/display?id=206&type=vulnerabilities February 23, 2005 I. BACKGROUND The kcmsconfigure utility is part of the Kodak Color Management System KCMS package that is...