33187 matches found
Command injection in node-dns-sync
dns-sync through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input...
Code execution vulnerability in HtmlUnit
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is...
Denial of Service in uap-core when processing crafted User-Agent strings
Impact Some regexes are vulnerable to regular expression denial of service REDoS due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-core to gt;=...
SQL injection in Django
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter. By passing a suitably crafted delimiter...
SSRF vulnerability using the Aegis DataBinding in Apache CXF
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings including the default databinding are not impacted...
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
Summary An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. Details In dsaVerify function, it checks whether the value of the signature is legal by calling...
github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset
Impact Rapidly creating and cancelling streams HEADERS frame immediately followed by RSTSTREAM without bound cause denial of service. See https://vulners.com/cve/CVE-2023-44487 for details. Patches nghttp2 v1.57.0 mitigates this vulnerability by default. Workarounds If upgrading to nghttp2 v1.57....
debug Inefficient Regular Expression Complexity vulnerability
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. T...
Path Traversal in Grunt
Grunt prior to version 1.5.2 is vulnerable to path traversal...
Denial of service in CBOR library
Impact Due to this library's use of an inefficient algorithm, it is vulnerable to a denial of service attack when a maliciously crafted input is passed to DecodeFromBytes or other CBOR decoding mechanisms in this library. Affected versions include versions 4.0.0 through 4.5.0. This vulnerability...
Improper Handling of Length Parameter Inconsistency in Compress
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package...
A user without PR can reset user authentication failures information
Impact The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights as it should have. Note that being able to reset the authentication failure record mean that an attacker with script right might...
Open Redirect in github.com/AndrewBurian/powermux
Impact Attackers may be able to craft phishing links and other open redirects by exploiting the trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link. Patches The issue is resolved in v1.1.1 Workarounds There are no...
XML Processing error in github.com/crewjam/saml
Impact There are three vulnerabilities in the go encoding/xml package that can allow an attacker to forge part of a signed XML document. For details on this vulnerability see xml-roundtrip-validator Patches In version 0.4.3, all XML input is validated prior to being parsed...
Cross-site scripting in Contentful
Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py...
Path Traversal in restify-swagger-jsdoc
Versions of restify-swagger-jsdoc prior to 3.2.1 are vulnerable to Path Traversal. The package fails to properly sanitize URLs, which may allow attackers to access server files outside the swagger-ui folder by using relative paths. Recommendation Upgrade to version 3.2.1 or later...
Moderate severity vulnerability that affects io.undertow:undertow-core
It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS...
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Summary The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service DoS in the consuming application. Details...
quill-mention Cross-site Scripting vulnerability
Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization, via the renderList function. Note: If the mentions list is sourced from unsafe user-sourced data, this might allow an injection attack when a Quill user hits @...
angular vulnerable to regular expression denial of service via the angular.copy() utility
All versions of the package angular are vulnerable to Regular Expression Denial of Service ReDoS via the angular.copy utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic...
Policies not properly enforced in OWASP Java HTML Sanitizer
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements...
Bzip2Decoder doesn't allow setting size restrictions for decompressed data
Impact The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data which affects the allocation size used during decompression. All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack Workarounds No...
Dependency Confusion in Bundler
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that...
Inappropriate implementation in V8
CVE-2020-16009: Inappropriate implementation in V8 - https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html - https://vulners.com/cve/CVE-2020-16009 Google is aware of reports that exploits for CVE-2020-16009 exist in the wild. Allowed a remote attacker to potentiall...
Directory traversal attack in Spring Cloud Config
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...
Cross-Site Scripting in Kaminari
Impact In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1. Releases The 1.2.1 gem including the patch has already been released. All past released versions are affected by this...
XSS in knockout
There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it...
Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly
Summary At the rate limit filter, if we enabled the response phase limit with applyonstreamdone in the rate limit configuration and the response phase limit request fails directly, it may crash Envoy. Details When both the request phase limit and response phase limit are enabled, the safe gRPC...
Prototype pollution in swiper
Summary A prototype pollution vulnerability exists in the the npm package swiper =6.5.1, -1; let obj = ; var maliciouspayload = '"proto":"polluted":"yes"'; console.log.polluted; swiper.default.extendDefaultsJSON.parsemaliciouspayload; console.log.polluted; // prints yes - indicating that the patc...
vm2 vulnerable to sandbox escape
vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. - vm2 version: 3.9.14 - Node version: 18.15.0, 19.8.1, 17.9.1 Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the...
Sequelize - Default support for “raw attributes” when using parentheses
Impact Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string as-is in the SQL ts User.findAll attributes: 'countid', 'count' ; Produced sql SELECT countid AS "count" FROM "users" Patches This feature was deprecated i...
Denial of service vulnerability when parsing multipart request body
Summary The request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. Details The multipart body parser processes an unlimited number of file parts. The multipart body parser processes an unlimited number of field parts. Impact...
Firebase PHP-JWT key/algorithm type confusion
In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue e.g., RS256 / HS256 exists via the kid aka Key ID header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way t...
Remote code execution in Apache Struts
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution...
The reset password form reveal users email address
Impact The reset password form reveals the email address of users just by giving their username. Patches The problem has been patched on XWiki 13.2RC1. Workarounds It's possible to manually modify the resetpasswordinline.vm to perform the changes made in...
XXE vulnerability in Jenkins Selenium HTML report Plugin
Jenkins Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for...
Podman Origin Validation Error
Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 including from remote hosts. This impacts containerized applications that trust localhost 127.0.01 connections by default and do not require authentication. This issue affects Podman versions from 1.8.0...
Remote Code Execution in Apache Synapse
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation RMI. So Apache Synapse 3.0.1 or all previous releases 3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1 allows remote code execution attacks that can be performed by injecting specially crafted serialized objects...
Directory Traversal vulnerability in GET/PUT allows attackers to Disclose Information or Write Files via a crafted GET/PUT request
Impact Information Disclosure When the GET method is attacked, attackers can read files which have a .data suffix and which are accompanied by a JSON file with the .meta suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of authentication or...
Code execution in Spring Integration
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
Exposure of Sensitive Information to an Unauthorized Actor in AEgir
Impact aegir publish and aegir build may leak secrets from environmental variables in the browser bundle published to npm. Patches The code has been patched, users should upgrade to = 21.10.1 Workarounds Run printenv to check your environment variables and revoke any secrets. For more information...
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
Impact Stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Patches Patched by validating decoded mce:protected content against configured protect...
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...
setuptools vulnerable to Command Injection via package URL
A vulnerability in the packageindex module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code...
Duplicate Advisory: Use-after-free in libxml2 via Nokogiri::XML::Reader
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xc9x-jj77-9p9j. This link is maintained to preserve external references. Original Description Summary Nokogiri upgrades its dependency libxml2 as follows: - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - v1.16...
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
A vulnerability was identified in Consul and Consul Enterprise “Consul” such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery SSRF. This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5...
SSRF vulnerability in jupyter-server-proxy
Impact What kind of vulnerability is it? Server-Side Request Forgery SSRF Who is impacted? Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled. A lack of input validation allowed authenticated clients to proxy requests to other hosts, bypassing the allowedhos...
Authentication Bypass by Alternate Name in Apache Tomcat
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65...
Remote code execution in ChakraCore
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-1057, CVE-2020-1172...
Cross-site scripting in Products.CMFCore, Products.PluggableAuthService, Plone
Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS...