33190 matches found
HTTP Proxy header vulnerability
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP...
Allocation of resources without limits or throttling in keycloak-model-infinispan
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack...
Improper Authentication in Apache Airflow
The lineage endpoint of the deprecated Experimental API was not protected by authentication in Airflow 2.0.0. This allowed unauthenticated users to hit that endpoint. This is low-severity issue as the attacker needs to be aware of certain parameters to pass to that endpoint and even after can jus...
Apache Airflow Cross-site Scripting
In Apache Airflow 1.10.12, the origin parameter passed to some of the endpoints like /trigger and was vulnerable to a XSS exploit...
django-celery-results Stores Sensitive Information In Cleartext
django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. In version 2.4.0 this is no longer the default...
Improper Input Validation in Apache Camel
Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel users should upgrade to 3.2.0...
Server-side request forgery in Ghost CMS
Server-side request forgery SSRF vulnerability in Ghost CMS 3.10.0 allows an attacker to scan local or external network or otherwise interact with internal systems...
Generated Code Contains Local Information Disclosure Vulnerability
Impact This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually! On Unix-Like systems, the system temporary directory is shared between all local users. When...
DOS vulnerability for Quoted Quality CSV headers
Impact When Jetty handles a request containing request headers with a large number of “quality” i.e. q parameters such as what are seen on the Accept, Accept-Encoding, and Accept-Language request headers, the server may enter a denial of service DoS state due to high CPU usage while sorting the...
Unsafe object creation in json RubyGem
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specificall...
Link Following in rply
python-rply before 0.7.4 insecurely creates temporary files...
HTTP Response Splitting in Puma
In Puma RubyGem before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters i.e. CR, LF or/r, /n to end the header and inject malicious content, such as additional headers or an entirely new response body. This...
Heap buffer overflow in `UnsortedSegmentSum` in TensorFlow
Impact A heap buffer overflow in UnsortedSegmentSum can be produced when the Index template argument is int32. In this case datasize and numsegments fields are truncated from int64 to int32 and can produce negative numbers, resulting in accessing out of bounds heap memory. This is unlikely to be...
Apache NiFi user log out issue
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out t...
Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is:...
Jinja2 sandbox escape via string formatting
In Pallets Jinja before 2.10.1, str.formatmap allows a sandbox escape. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the str.formatmap method could be used to escape the sandbox. This...
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Summary Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause...
Flowise OverrideConfig security vulnerability
Impact Flowise allows developers to inject configuration into the Chainflow during execution through the overrideConfig option. This is supported in both the frontend web integration and the backend Prediction API. This has a range of fundamental issues that are a major security vulnerability...
Keycloak Open Redirect vulnerability
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referreruri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it...
scikit-learn sensitive data leakage vulnerability
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the stopwords...
Express.js Open Redirect in malformed URLs
Impact Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the...
node-qpdf vulnerable to command injection
All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt fails to sanitize its parameter input, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they can specify the...
mindsdb arbitrary file write when extracting a remotely retrieved Tarball
Summary An unsafe extraction is being performed using tarfile.extractall from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. Sometimes, the vulnerability is called a TarSlip or a ZipSlip variant. Details I commented the following...
redis-py Race Condition vulnerability
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time in the case of a pipeline operation, and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions fo...
GeoTools OGC Filter SQL Injection Vulnerabilities
Impact GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations: 1. PropertyIsLike filter Requires PostGIS DataStore with...
Jettison Out-of-bounds Write vulnerability
A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service DoS via crafted JSON data...
mockery is vulnerable to prototype pollution
Prototype pollution vulnerability in function enable in mockery.js in mfncooper mockery commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf via the key variable in mockery.js...
Pallets Werkzeug vulnerable to Path Traversal
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names such as C: in Windows pathnames...
Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer
Impact Users unpacking a tarball through dbdeployer may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defences. Mitigating factors For the...
Prototype Pollution in Ajv
An issue was discovered in ajv.validate in Ajv aka Another JSON Schema Validator 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. While untrusted schemas are recommended against, the worst case of an untrusted schema should be a...
Apache Hive Information Exposure and Observable Timing Discrepancy
Apache Hive cookie signature verification used a non constant time comparison which is known to be vulnerable to timing attacks. This could allow recovery of another users cookie signature. The issue was addressed in Apache Hive 2.3.8...
pgjdbc Does Not Check Class Instantiation when providing Plugin Classes
Impact pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before...
Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
Affected packages The vulnerability has been discovered in the Advanced Content Filter ACF module and may affect all plugins used by CKEditor 4. Impact A potential vulnerability has been discovered in CKEditor 4 Advanced Content Filter ACF core module. The vulnerability allowed to inject malforme...
Expression injection in AviatorScript
AviatorScript through 5.2.7 allows code execution via an expression that is encoded with Byte Code Engineering Library BCEL...
ExternalName Services can be used to gain access to Envoy's admin interface
Impact Josh Ferrell @josh-ferrell from VMware has reported that a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy remotely a denial of service, o...
parse-server new anonymous user session acts as if it's created with password
Impact Developers that use the REST API to signup users and also allow users to login anonymously. When an anonymous user is first signed up using REST, the server creates session incorrectly, particularly the authProvider field in Session class under createdWith shows the user logged in creating...
Command Injection in picotts
This affects all versions up to and including version 0.1.1 of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
HTTP Request Smuggling in Undertow
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS...
October CMS Session ID not invalidated after logout
Impact When logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in...
Inappropriate implementation in V8 in CefSharp
High CVE-2020-16013: Inappropriate implementation in V8. - https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop11.html - https://vulners.com/cve/CVE-2020-16013 Google is aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild. There is...
jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig aka shaded hikari-config...
class.upload.php in verot.net omits .pht from the set of dangerous file extensions
class.upload.php in verot.net class.upload through 1.0.3 and 2.x through 2.0.4, as used in the K2 extension for Joomla! and other products, omits .pht from the set of dangerous file extensions, a similar issue to CVE-2019-19576...
Feedgen Vulnerable to XML Denial of Service Attacks
Impact The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks e.g. XML Bomb. This becomes a concern in particular if feedge...
Prototype Pollution in set-value
Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects...
activesupport in Rails vulnerable to incorrect data conversion
lib/activesupport/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication v...
HTTParty does not restrict casts of string values
The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption by leveraging Action Pack support for YAML type...
Withdrawn Advisory: Netty vulnerability included in redis lettuce
Withdrawn Advisory This advisory has been withdrawn because users of Lettuce may independently exclude vulnerable versions of Netty from their dependencies, and those users should not receive alerts for CVE-2024-47535. This link is maintained to preserve external references. Original Description...
Prototype pollution in ag-grid-community via the _.mergeDeep function
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the .mergeDeep function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service DoS via injecting arbitrary properties. Prior versions were also found ...
MyBatis-Plus vulnerable to SQL injection via TenantPlugin
MyBatis-Plus below 3.5.3.1 is vulnerable to SQL injection via the tenant ID value. This may allow remote attackers to execute arbitrary SQL commands...
Keycloak Cross-site Scripting on OpenID connect login service
A reflected cross-site scripting XSS vulnerability was found in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page...