33187 matches found
Path Traversal in Django
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if and only if the default admindocs templates have been...
github.com/russellhaering/goxmldsig vulnerable to Signature Validation Bypass
Impact With a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. Patches A patch is available, all users of goxmldsig should upgrade to v1.1.0. For more information If you have any questions or comments about this...
Prototype pollution in multi-ini
This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448...
TemporaryFolder on unix-like systems does not limit access to created files
Vulnerability The JUnit4 test rule TemporaryFolder contains a local information disclosure vulnerability. Example of vulnerable code: java public static class HasTempFolder @Rule public TemporaryFolder folder = new TemporaryFolder; @Test public void testUsingTempFolder throws IOException...
XSS via Angular Expression in ag-grid
Affected versions of ag-grid are vulnerable to Cross-site Scripting XSS via Angular Expressions, if used in combination with AngularJS. Recommendation Avoid using ag-grid in combination with AngularJS until a fix is available...
Data leakage via cache key collision in Django
An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage...
Regular Expression Denial of Service in websocket-extensions (NPM package)
Impact The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ... That is, a header containing an unclosed string...
Arbitrary File Write in npm
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended nodemodules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to create files on ...
Object injection in cookie driver in phpfastcache
Impact An possible object injection has been discovered in cookie driver prior 5.0.13 versions of 5.x releases. Patches The issue has been addressed by enforcing JSON conversion when deserializing Workarounds If you can't fix it, use another driver such as "Files" Filesystem References Fixing...
Deserialization of Untrusted Data in jackson-databind
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6...
Microsoft Security Advisory CVE-2023-36049: .NET Elevation of Privilege Vulnerability
Microsoft Security Advisory CVE-2023-36049: .NET Elevation of Privilege Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 7.0 and .NET 8.0 RC2. This advisory also provides guidance on what developers can do...
sweetalert2 v8.19.1 and above contains hidden functionality
sweetalert2 versions 8.19.1 and up until 9.0.0 are vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions below 8.19.1. Workaround Users who a...
cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch
Impact If a vunerable version of cruddl is used to generate a schema that uses @flexSearchFulltext, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use @flexSearchFulltext are not affected. The attacker needs...
Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2
There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher...
Regular Expression Denial of Service in Handlebars
Handlebars before 4.4.5 allows Regular Expression Denial of Service ReDoS because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources...
Open Redirect in Next.js
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly...
Craft CMS Remote Code Injection
An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes if an attacker were somehow able to hijack an administrator's session...
Cross-site scripting in LocalStack
A Cross-site scripting XSS vulnerability exists in StackLift LocalStack...
OS Command Injection in jw.util
An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safeload is not used...
Logic error in Legion of the Bouncy Castle BC Java
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different...
Command Injection Vulnerability
Impact command injection vulnerability Patches Problem was fixed with a parameter check. Please upgrade to version = 5.3.1 Workarounds If you cannot upgrade, be sure to check or sanitize service parameters that are passed to si.inetLatency, si.inetChecksite, si.services, si.processLoad ... do onl...
vrana/adminer vulnerable to SSRF by connecting to privileged ports
Impact All users are affected. Patches Unsuccessfully patched by 0fae40fb, included in version 4.4.0. Patched by 35bfaa75, included in version 4.7.8. Workarounds Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin. References...
HTTP Smuggling via Transfer-Encoding Header in Puma
Impact This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via...
Low severity vulnerability that affects com.linecorp.armeria:armeria
Multiple timing attack vulnerabilities leading to the recovery of secrets based on the use of non-constant time compare function Impact String comparison method in multiple authentication validation in Armeria were known to be vulnerable to timing attacks. This vulnerability is caused by the...
Server-Side Request Forgery (SSRF) in jackson-databind
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery SSRF attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization...
league/commonmark's quadratic complexity bugs may lead to a denial of service
Impact Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service. Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case...
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Summary The latest version of lobe-chatby now v0.141.2 has an unauthorized ssrf vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information. Details visit https://chat-preview.lobehub.com/settings/agent you...
Stylelint has vulnerability in semver dependency
Summary Our meow dependency which we use for our CLI depended on [email protected] . A vulnerability in this version of semver was recently identified and surfaced by npm audit: Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw Details Original post by the...
Spring Security logout not clearing security context
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...
gotify/server vulnerable to Cross-site Scripting in the application image file upload
Impact The XSS vulnerability allows authenticated users to upload .html files. With that, an attacker could execute client side scripts if another user opened a link, such as: https://push.example.org/image/alphanumeric string.html An attacker could potentially take over the account of the user...
Zenario CMS is vulnerable to Remote Code Execution (RCE).
Zenario CMS 9.3.57186 is vulnerable to RCE...
kangax html-minifier REDoS vulnerability
A Regular Expression Denial of Service ReDoS flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression...
Uncontrolled Resource Consumption in Apache Tomcat
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become...
Cross-site scripting in react-bootstrap-table
All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting XSS via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output...
Inadequate Encryption Strength
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution...
CSRF Vulnerability in rails-ujs
There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails = 5.2.4.3, rails = 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag...
Denial of Service in Netty
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder...
Insufficient output escaping of attachment names in PHPMailer
Impact CWE-116: Incorrect output escaping. An attachment added like this note the double quote within the attachment name, which is entirely valid: $mail-addAttachment'/tmp/attachment.tmp', 'filename.html";.jpg'; Will result in a message containing these headers: Content-Type:...
XSS in MITREid Connect
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript...
Sort order SQL injection in Administrate
In Administrate rubygem before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord...
Argument injection in a MimeTypeGuesser in Symfony
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command...
Apache Airflow vulnerable to XSS and local file disclosure
A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process...
Cross-site scripting in Apache Tomcat
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a...
Electron protocol handler browser vulnerable to Command Injection
Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to hav...
Netplex Json-smart Uncontrolled Recursion vulnerability
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service DoS. This issue exists because of an incomplete fix for...
Eclipse Vert.x memory leak
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge,...
Arbitrary file read vulnerability through the Jenkins CLI can lead to RCE
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands. This command parser has a feature that replaces an @ character...
Go Fiber CSRF Token Validation Vulnerability
A Cross-Site Request Forgery CSRF vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and...
containerd CRI plugin: Insecure handling of image volumes
Impact A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup...
Attack on Kubernetes via Misconfigured Argo Workflows
Impact Users running using the Argo Server with --auth-mode=server which is the default v3.0.0 AND have exposed their UI to the Internet may allow remote users to execute arbitrary code on their cluster, e.g. crypto-mining. Resolution Do not expose your user interface to the Internet. Change...