33187 matches found
Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting)
Impact - Cross Site Scripting - Cache Poisoning - Page Hijacking Patches This was fixed in version 2.2.1. Workarounds If you are unable to update, ensure that user supplied data isn't able to flow to HTTP headers. If it does, pre-sanitize for CRLF characters. References CWE-113: Improper...
AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters
Summary This notification is related to the CloudFront signing utilities in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and...
Spring Framework URL Parsing with Host Validation Vulnerability
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF...
Uncontrolled Resource Consumption in Pillow
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux...
libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri...
Django allows unintended model editing
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests,...
Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue...
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
Impact Aiohttp has a security vulnerability regarding the inconsistent interpretation of the http protocol. As we know that HTTP/1.1 is persistent, if we have both Content-LengthCL and Transfer-EncodingTE it can lead to incorrect interpretation of two entities that parse the HTTP and we can poiso...
Traefik may display authorization header in the debug logs
Impact There is a potential vulnerability in Traefik displaying the Authorization header in its debug logs. Traefik uses oxy to provide the following features: - Round Robin: https://doc.traefik.io/traefik/routing/services/weighted-round-robin-service - Buffering:...
opensearch-ruby 2.x before 2.0.2 vulnerable to unsafe YAML deserialization
Impact A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using YAML.load if the response is of type YAML. Patches The problem has been patched in opensearch-ruby gem version 2.0.2. Workarounds No viable workaround. Please upgrade to 2.0.2 References...
Prototype Pollution in mootools
This affects all versions of package mootools. This is due to the ability to pass untrusted input to Object.merge...
Regular Expression Denial of Service in System.Text.RegularExpressions
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981...
Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin
Impact Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This...
PyCA Cryptography symmetrically encrypting large values can lead to integer overflow
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. When certain sequences of update calls with large values multiple GBs for symetric encryption or decryption occur, it's possible for an integer overflow to happen, leading to mishandling of...
Potential Command Injection in hubot-scripts
Versions 2.4.3 and earlier of hubot-scripts are vulnerable to a command injection vulnerablity in the hubot-scripts/package/src/scripts/email.coffee module. Mitigating Factors The email script is not enabled by default, it has to be manually added to hubot's list of loaded scripts. Recommendation...
OS command injection in aws-lambda
In aws-lambda versions prior to version 1.0.5, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName"...
Internal exception message exposure for login action in Sylius
Internal exception message exposure for login action Impact Exception messages from internal exceptions like database exception are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system...
Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to...
ImageMagick has Possible Heap Information Disclosure in PSD ZIP Decompression
Description A heap information disclosure vulnerability exists in ImageMagick's PSD Adobe Photoshop format handler. When processing a maliciously crafted PSD file containing ZIP-compressed layer data that decompresses to less than the expected size, uninitialized heap memory is leaked into the...
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
Impact Passing functions with very long names or complex default argument names into functioncopy orfunctiontoStringTokens may put script to stall Patches Fixed with https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 and...
xxl-job-admin vulnerable to Remote Code Execution
xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution RCE via /xxl-job-admin/jobcode/save...
NuGet Client Remote Code Execution Vulnerability
Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 7.0...
Tauri Open Redirect Vulnerability Possibly Exposes IPC to External Sites
Impact The Tauri IPC is usually strictly isolated from external websites but the isolation can be bypassed by redirecting an existing Tauri window to an external website. This is either possible by an application implementing a feature for users to visit arbitrary websites or due to a bug allowin...
Persistent Cross-site Scripting vulnerability in PrivateBin
In PrivateBin polygon id="triangle" points="0,0 0,50 50,0" fill="00990...
Remote code execution in Apache Commons Configuration
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML...
Polymorphic Typing issue in FasterXML jackson-databind
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariConfig...
Jetty vulnerable to exposure of sensitive information due to observable discrepancy
Jetty through 9.4.x contains a timing channel attack in util/security/Password.java, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords...
Gevent allows remote attacker to escalate privileges
An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component...
feathers-sequelize vulnerable to SQL injection due to improper parameter filtering
feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection...
Denial of service in HtmlUnit-Neko
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction PI input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 also...
Infinite Loop in Apache Tomcat
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of...
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archiv...
Basic-auth app bundle credential exposure in gatsby-source-wordpress
Impact The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. Example affected...
Pillow Temporary file name leakage
The 1 JpegImagePlugin.py and 2 EpsImagePlugin.py scripts in Python Image Library PIL 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes...
Remote Code Execution Through Image Uploads in BookStack
Impact A user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area o...
Cross-Site Scripting in dojo
Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting XSS. The package does not sanitize URL parameters in the testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.2 o...
pgx: SQL Injection via placeholder confusion with dollar quoted string literals
Impact SQL Injection can occur when: 1. The non-default simple protocol is used. 2. A dollar quoted string literal is used in the SQL query. 3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal. 4. The value of that placeholder is...
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
Summary server.fs check was not enforced to the fetchModule method that is exposed in Vite dev server's WebSocket. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - WebSocket is no...
Keycloak: Replay of action tokens via improper handling of single-use entries
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This...
Pytorch use-after-free vulnerability
Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp...
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Impact The sanitize-svg package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting XSS. In doing so, literal -tags and on-event handlers were detected: typescript ... const svgEl = div.firstElementChild! const attributes = Array.fromsvgEl.attributes.map name = name const...
Orckestra C1 CMS's deserialization of untrusted data allows for arbitrary code execution.
Impact This vulnerability allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated user may perform the actions unknowingly by visiting a specially crafted site. Patches Patched in ...
Race condition in Apache Tomcat
The fix for bug CVE-2020-9484 introduced a time of check time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is...
Using JMSAppender in log4j configuration may lead to deserialization of untrusted data
Impact ClickHouse JDBC Bridge uses slf4j-log4j12 1.7.32, which depends on log4j 1.2.17. It allows a remote attacker to execute code on the server, if you changed default log4j configuration by adding JMSAppender and an insecure JMS broker. Patches The patch version 2.0.7 removed log4j dependency ...
Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0-rc.9; the package aws-sdk before 2.814.0. If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles , they will pollute the prototype on the application. This can be exploited furth...
Uncontrolled Resource Consumption in trim-off-newlines
All versions of package trim-off-newlines are vulnerable to Regular Expression Denial of Service ReDoS via string processing...
Buffer Overflow in Apache Mina SSHD
A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0...
Encoded URIs can access WEB-INF directory in Eclipse Jetty
Description URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Impact The default compliance mode allows requests with UR...
SessionListener can prevent a session from being invalidated breaking logout
Impact If an exception is thrown from the SessionListenersessionDestroyed method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application us...
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...