33100 matches found
request-baskets vulnerable to Server-Side Request Forgery
request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery SSRF via the component /api/baskets/name. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request...
WEBRick vulnerable to HTTP Request/Response Smuggling
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...
Potential XSS vulnerability in jQuery
Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. Patches This problem is patched in jQuery 3.5.0. Workarounds To workaround the issue without upgrading, adding the...
esbuild enables any website to send any requests to the development server and read the response
Summary esbuild allows any websites to send any request to the development server and read the response due to default CORS settings. Details esbuild sets Access-Control-Allow-Origin: header to all requests, including the SSE connection, which allows any websites to send any request to the...
angular Prototype Pollution vulnerability
Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation Upgrade...
Graylog user session is still usable after logout
Summary In a multi-node Graylog cluster, after a user has explicitly logged out, a user session may still be used for API requests until it has reached its original expiry time. Details Each node maintains an in-memory cache of user sessions. Upon a cache-miss, the session is loaded from the...
Vendure Cross Site Request Forgery vulnerability impacting all API requests
Impact Vendure is an e-commerce GraphQL framework with a number of APIs and different levels of authorization. By default the Cookie settings are insecure, having the SameSite setting as false which results in not having one originates from the cookie-session npm package’s default settings. Patch...
Graylog server has partial path traversal vulnerability in Support Bundle feature
A partial path traversal vulnerability exists in Graylog's Support Bundle feature. The vulnerability is caused by incorrect user input validation in an HTTP API resource. Thanks to weiweiwei9811 for reporting this vulnerability and providing detailed information. Impact Graylog's Support Bundle...
Hard-coded System User Credentials in Folio Data Export Spring module
Impact The module creates a system user that is used to perform internal module-to-module operations. Credentials for this user are hard-coded in the source code. This makes it trivial to authenticate as this user, resulting in unauthorized access to potentially dangerous APIs, allowing to view a...
Remote Code Execution in Spring Framework
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell. Impact A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE via data binding. The specific exploit requires the...
Potential XSS vulnerability in jQuery
Impact Passing HTML containing elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. Patches This problem is patched in jQuery 3.5.0. Workarounds To workaround this issue without...
ejs template injection vulnerability
The ejs aka Embedded JavaScript templates package 3.1.6 for Node.js allows server-side template injection in settingsview optionsoutputFunctionName. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command which is executed upon template...
PostCSS line return parsing error
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets CSS. There may be \r discrepancies, as demonstrated by @font-face font:\r/; in a rule. This vulnerability affects linters using PostCSS to parse external untrusted CSS. An...
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service ReDoS vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks. The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s?:+-?\s\d+? with quantified overlapping adjacency and can be...
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site...
XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extendtrue, , ... because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype...
Potential remote code execution in Apache Tomcat
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a an attacker is able to control the contents and name of a file on the server; and b the server is configured to use the PersistenceManager with a FileStore; and c the...
Cross-site Scripting in quill
A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload a crafted onloadstart attribute of an IMG element in a text field. No patch exists and no further releases are planned. This CVE is disputed. Researchers have claimed that...
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Summary The v3, v5, and v6 API methods not uuid release versions accept external output buffers but do not reject out-of-range writes small buf or large offset. By contrast, v4, v1, and v7 API methods explicitly throw RangeError on invalid bounds. This inconsistency allows silent partial writes...
Server-Side Request Forgery in Request
The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect HTTP to HTTPS, or HTTPS to HTTP. NOTE: The request package is no longer supported by the maintain...
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator...
High severity vulnerability that affects jquery-ui
Withdrawn, accidental duplicate publish. Cross-site scripting XSS vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function...
Angular vulnerable to Cross-site Scripting
angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping elements in ones changes parsing behavior, leading to possibly unsanitizing code...
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution RCE when selecting certain compiling options to compile templates coming from an untrusted source...
Prototype Pollution in sheetJS
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files for example, exporting data to spreadsheet files are unaffected. A non-vulnerable version cannot be found via npm, as the repository...
Croos-site scripting in Croogo
Croogo before 3.0.7 allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies...
xmldom allows multiple root nodes in a DOM
Impact xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led ...
json-schema is vulnerable to Prototype Pollution
json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution'...
jQuery-UI vulnerable to Cross-site Scripting in dialog closeText
Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting XSS...
Cross-Site Scripting (XSS) in jquery
Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. Recommendation Update to version 3.0.0 or later...
Code Injection in PHPUnit
Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a ?php substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external...
Improper Handling of `callbackUrl` parameter in next-auth
Impact An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led t...
Command Injection in gnuplot
All versions of gnuplot are vulnerable to Command Injection. The package fails to sanitize plot titles, which may allow attackers to execute arbitrary code in the system if the title value is supplied by a user. The following proof-of-concept creates a testing file in the current directory: var...
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1 are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282...
Moderate severity vulnerability that affects Bootstrap.Less, bootstrap, and bootstrap.sass
In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/...
.NET Core Remote Code Execution Vulnerability
.NET Core Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-24112. Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1, and .NET Core 2.1. This advisory also provides guidance on what...
AngularJS Cross-site Scripting due to failure to sanitize `xlink.href` attributes
Versions of angular prior to 1.5.0-beta.1 are vulnerable to Cross-Site Scripting. The package fails to sanitize xlink:href attributes, which may allow attackers to execute arbitrary JavaScript in a victim's browser if the value is user-controlled. Recommendation Upgrade to version 1.5.0-beta.1 or...
Arbitrary code execution in Apache Commons Text
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "$prefix:name", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation...
Cross-Site Scripting in jquery
Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove HTML tags that contain a whitespace character, i.e: , which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a...
Improper neutralization of arguments in freediskspace
This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js...
SvelteKit framework has Insufficient CSRF protection for CORS requests
Summary The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery CSRF protection to its users. The protection is...
Server Side Request Forgery in Apache Axis
A Server Side Request Forgery SSRF vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2...
dom4j allows External Entities by default which might enable XXE attacks
dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to dom4j:dom4j...
NPM IP package incorrectly identifies some private IP addresses as public
The isPublic function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery SSRF if isPublic is used to...
Spring Framework URL Parsing with Host Validation
Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is...
Prototype Pollution in handlebars
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads. Recommendation Upgrade to versi...
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true which is the default value, unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval:...
Cross-Site Scripting in swagger-ui
Versions of swagger-ui prior to 3.20.9 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 3.20.9 or later...
Moderate severity vulnerability that affects bootstrap and bootstrap-sass
In Bootstrap 4 before 4.3.1 and Bootstrap 3 before 3.4.1, XSS is possible in the tooltip or popover data-template attribute. For more information, see: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/...
Duplicate Advisory: Prototype Pollution in jquery
Duplicate Advisory This advisory is a duplicate of GHSA-6c3j-c64m-qhgq. This link is maintained to preserve external references. Original Description Versions of jquery prior to 3.4.0 are vulnerable to Prototype Pollution. The extend method allows an attacker to modify the prototype for Object...