33190 matches found
Denial of Service in Google Guava
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class when serialized with Java serialization...
Information disclosure in Apache Superset
An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset...
jackson-databind polymorphic typing issue
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled either globally or for a specific property for an externally exposed JSON endpoint and the service has the p6spy 3.8.6 jar in the classpath, and a...
Deserialization of Untrusted Data and Code Injection in xstream
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
Prototype Pollution in handlebars
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server. Recommendation For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or late...
@actions/download-artifact has an Arbitrary File Write via artifact extraction
Impact Versions of actions/download-artifact before 4.1.3 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames. Patches Upgrade to version 4.1.3 or higher. Alternatively use 'v4' tag which points to the lates...
Mezzanine allows attackers to bypass access control mechanisms
An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request...
dbt-core's secret env vars written to package-lock.json in plaintext
Impact When used to pull source code from a private repository using a Personal Access Token PAT, some versions of dbt-core write a URL with the PAT in plaintext to the package-lock.yml file. Patches The bug has been fixed in dbt-core v1.7.3. Mitigations Remove any git URLs with plaintext secrets...
Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`
Impact When using the Django integration of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their...
PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names
Impact What kind of vulnerability is it? Who is impacted? The PGJDBC implementation of the java.sql.ResultRow.refreshRow method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. ;, could lead to SQL injection. This could lead to...
Configuration API in EdgeXFoundry 2.1.0 and earlier exposes message bus credentials to local unauthenticated users
Impact The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message b...
CodeIgniter and Kohana vulnerable to PHP Object Injection
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes...
Authentication Bypass in Apache Tomcat
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the...
Code injection in npm git
All versions of package git are vulnerable to Remote Code Execution RCE due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. At this time, there is no known workaround. There has been no patch released...
Remote Code Execution vulnerability in PHPMailer 6.4.1 running on Windows
PHPMailer 6.4.1 contains a possible remote code execution vulnerability through the $langpath parameter of the setLanguage method. If the $langpath parameter is passed unfiltered from user input, it can be set to a UNC path, and if an attacker is also able to create a remote mount on the server...
Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
Impact When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Patches The issue has been fixed in...
Out of bounds access in tensorflow-lite
Impact In TensorFlow Lite, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices for the tensors, indexing into an array of...
Privilege Escalation in Hibernate Validator
In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x before 5.3.6.Final, and 5.4.x before 5.4.2.Final, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege...
Cross-Site Scripting in seeftl
All versions of seeftl are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available. Consider using a...
Apache NiFi process group information disclosure
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents at the top most level, not recursively. The response included details about processors and controller services which the user may not have had read access to...
Billion laughs attack in c3p0
c3p0 version 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration...
Denial of Service in Connect2id Nimbus JOSE+JWT
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service resource consumption via a large JWE p2c header value aka iteration count for the PasswordBasedDecrypter PBKDF2 component...
Imageflow affected by libwebp zero-day and should not be used with malicious source images.
Impact This vulnerability affects deployments of Imageflow that involve decoding or processing malicious source .webp files. If you only process your own trusted files, this should not affect you but you should update anyway. Imageflow relies on Google's libwebp library to decode .webp images, an...
Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials
Impact An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token used to provision clusters, were stored in plaintext directly on Kubernetes objects like Clusters, for example...
Spring Cloud Function Code Injection with a specially crafted SpEL as a routing expression
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...
Shopware guest session is shared between customers
Impact Guest sessions are shared between customers when HTTP cache is enabled. Setups with Varnish are not affected by this issue Patches We recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview...
OS Command Injection in GenieACS
In GenieACS 1.2.x before 1.2.8, the UI interface API is vulnerable to unauthenticated OS command injection via the ping host argument lib/ui/api.ts and lib/ping.ts. The vulnerability arises from insufficient input validation combined with a missing authorization check...
Server Side Request Forgery in Grafana
The avatar feature in Grafana github.com/grafana/grafana/pkg/api/avatar 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result t...
Predictable CSRF tokens in centreon/centreon
An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user...
Server-Side Request Forgery in yoast_seo
The yoastseo aka Yoast SEO extension before 7.2.1 for TYPO3 allows SSRF via a backend user account...
Plaintext password leak in Apache Superset
In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the...
SSRF in Rendertron
Rendertron versions prior to 3.0.0 are are susceptible to a Server-Side Request Forgery SSRF attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are t...
Server-Side Template Injection
Impact A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution RCE vulnerability. This has been assigned CVE-2020-26282. Patches Effective Immediately, all users should upgrade ...
CRLF injection in httplib2
Impact Attacker controlling unescaped part of uri for httplib2.Http.request could change request headers and body, send additional hidden requests to same server. Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Kafka
When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, or 2.3.0 are configured with one or more config providers, and a connector is created/updated on that Connect cluster to use an externalized secret variable in a substring of a connector configuration property value,...
Potential buffer overflow in psd-tools
Impact An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malformed PSD input data during decoding to the PIL.Image or NumPy format, leading to a Buffer Overflow. Patches Users of psd-tools version v1.8.37 to v1.9.3 should upgrade to...
Improper implementation of the session fixation protection in Infinispan
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling...
Apache NiFi information disclosure by XXE
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services via XXE and reveal information such as the versions of Java, Jersey, and Apache that the NiFI...
Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.*
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty"java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol";'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old...
Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling)
Eclipse Jetty, versions 9.2.x and older, 9.3.x all configurations, and 9.4.x non-default configuration with RFC2616 compliance enabled, contain an HTTP Request Smuggling Vulnerability that can result in cache poisoning...
Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers ca...
Grafana Plugin signature bypass
Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31123 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
Impact It was found that rootless runc makes /sys/fs/cgroup writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared e.g.., docker|podman|nerdctl run --cgroupns=host, with Rootless...
Python Charmers Future denial of service vulnerability
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. This issue has been patched in version 0.18.3...
Apache CXF vulnerable to Exposure of Sensitive Information
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes...
XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
Impact The tags document Main.Tags in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document default in a public wiki or for authenticated users on private wikis to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassi...
CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection
Impact This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct or indirect, e.g., XSS control over a subdomain site e.g., https://a.example.com/ of the target site e.g.,...
Canvs Canvas XSS Vulnerability
Canvs Canvas version 3.4.2 contains a Cross Site Scripting XSS vulnerability in User's details that can result in denial of service and execution of javascript code...
Command injection in ruby-git
The package prior to v1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetchremote = 'origin', opts = function, the remote parameter is passed to the git fetch subcommand in a way such that additional flags can be set. The additional flags can be used to...