33187 matches found
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Impact The sanitize-svg package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting XSS. In doing so, literal -tags and on-event handlers were detected: typescript ... const svgEl = div.firstElementChild! const attributes = Array.fromsvgEl.attributes.map name = name const...
phpMyAdmin IPv6 and proxy server IP-based authentication rule circumvention
An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the...
Directory Traversal in typo3/phar-stream-wrapper
The PharStreamWrapper aka phar-stream-wrapper package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL...
Uncontrolled Resource Consumption in urllib3
The encodeinvalidchars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service CPU consumption because of an inefficient algorithm. The percentencodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length ...
Local information disclosure via system temporary directory
Impact Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this fil...
Prototype pollution in gsap
There is a prototype pollution vulnerability in gsap which affects all versions before 3.6.0...
XStream can be used for Remote Code Execution
Impact The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Patches If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.14. Workarounds No user is affected, who...
Validation Bypass in kind-of
Versions of kind-of 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation. Recommendation Upgrade to versions 6.0.3 or later...
Insufficient Nonce Validation in Eclipse Milo Client
Impact Credential replay affecting those connected to a server when all 3 of the following conditions are met: - SecurityPolicy is None - using username/password or X509-based authentication - the server has a defect causing it to send null/empty or zeroed nonces Patches The problem has been...
HTTP Response Splitting in Styx
Vulnerability Styx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Response Splitting'. Vulnerable Component The vulnerable component is the com.hotels.styx.api.HttpHeaders.Builder due to disabling the HTTP Header validation built into Netty in these...
Private data exposure via REST API in BuddyPress
In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2...
The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack...
Integer overflow on 32-bit systems
Impact An integer overflow bug in 32-bit Redis version 4.0 or newer could be exploited to corrupt the heap and potentially result with remote code execution. Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for a...
Generation of Error Message Containing Sensitive Information in RESTEasy client
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data...
Privilege Escalation in cordova-plugin-inappbrowser
Versions of cordova-plugin-inappbrowser prior to 3.1.0 are vulnerable to Privilege Escalation. A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI. This affects Cordova Android...
Exposure of Sensitive Information to an Unauthorized Actor in Doorkeeper
Impact Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values including secrets using authorized applications controller if it's enabled GET /oauth/authorizedapplications.json. Patches These versions have the fix: 5.0.3 5.1.1 5.2.5 5.3.2...
Pannellum Cross-Site Scripting due to data not being sanitized for URIs or vbscript
Versions of pannellum prior to 2.5.6 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize URLs for data URIs, which may allow attackers to execute arbitrary code in a victim's browser. Recommendation Upgrade to version 2.5.6 or later...
In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree...
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input. Recommendation Update to version 2.0.3 or later...
@babel/core: Arbitrary File Read via sourceMappingURL Comment
Impact Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the...
React Router allows pre-render data spoofing on React-Router framework mode
Summary After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted. Details The vulnerable header i...
Authorization Bypass in Next.js Middleware
Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. Patches For Next.js 15.x, this issue is fixed in 15.2.3 For Next.js 14.x, this issue is fixed in 14.2.25 For Next.js 13.x, this issue is fixed in 13.5.9 For Next.js...
Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability
Microsoft Security Advisory CVE-2024-38095 | .NET Denial of Service Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their...
Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference 'XXE' vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that...
Withdrawn Advisory: Netty-handler does not validate host names by default
Withdrawn Advisory This advisory has been withdrawn because the underlying vulnerability only concerns Red Hat's Hot Rod client, which is not in one of the GitHub Advisory Database's supported ecosystems. This link is maintained to preserve external references. Original Description Netty-handler...
Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Patches: Released in v.0.0.308. numexpr dependency is optional for langchain...
langchain Code Injection vulnerability
An issue in Harrison Chase langchain allows an attacker to execute arbitrary code via the PALChain,frommathpromptllm.run in the python exec method...
PDFKit vulnerable to Command Injection
The package pdfkit is vulnerable to Command Injection where the URL is not properly sanitized. Note: This issue was patched in 0.8.7.2, but the patch was discovered to be ineffective. The updated patch version is 0.8.7.2...
Unrestricted Upload of File with Dangerous Type in Strapi
An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file...
Arbitrary file upload in Ghost
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file...
Reflected XSS in GraphQL Playground
Impact directly impacted: - [email protected] - all unsanitized user input for renderPlaygroundPage all of our consuming packages of graphql-playground-html are impacted: - [email protected] - unsanitized user input to expressPlayground -...
Cross site scripting vulnerability in ActionView
There is a possible cross site scripting XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escapejavascript methods may be susceptible to XSS attacks. Impact There is a possible XSS vulnerability in the j and escapejavascript methods in ActionView. These...
npm Vulnerable to Global node_modules Binary Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global nodemodules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent...
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack
Keepalive thread overload/DoS Impact A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the...
Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR ArchiveTar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details...
JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.
JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java...
jrburke requirejs vulnerable to prototype pollution
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts..configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service DoS via injecting arbitrary properties...
Partial Path Traversal in com.amazonaws:aws-java-sdk-s3
Overview A partial-path traversal issue exists within the downloadDirectory method in the AWS S3 TransferManager component of the AWS SDK for Java v1. Applications using the SDK control the destinationDirectory argument, but S3 object keys are determined by the application that uploaded the...
golang.org/x/sys/unix has Incorrect privilege reporting in syscall
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Reporting in syscall. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. Specific Go Packages Affected golang.org/x/sys/unix...
Buffer Overflow in Pillow
Pillow through 8.2.0 and PIL aka Python Imaging Library through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c...
HTTP Request Smuggling in Apache Tomcat
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer...
Improper Handling of Length Parameter Inconsistency in Compress
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package...
Uncontrolled Resource Consumption in firebase
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program...
Authentication bypass in Apache Shiro
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass...
Cross-site Scripting (XSS) in Django REST Framework
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious tags, leadin...
Bypass of fix for CVE-2020-15247, Twig sandbox escape
Impact A bypass of CVE-2020-15247 fixed in 1.0.469 and 1.1.0 was discovered that has the same impact as CVE-2020-15247: An authenticated backend user with the cms.managepages, cms.managelayouts, or cms.managepartials permissions who would normally not be permitted to provide PHP code to be execut...
jquery-ui Tooltip widget vulnerable to XSS
Cross-site scripting XSS vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo...
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP...
Mattermost Desktop App Remote Code Execution
Mattermost Desktop App versions =5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes...
Apache Spark vulnerable to Improper Privilege Management
In Apache Spark versions prior to versions 3.4.0 and 3.3.3, applications using spark-submit can specify a proxy-user to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the...