33190 matches found
Code injection in fsevents
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project that depends on fsevents distributes code that was obtained from that URL at a time when it was controlled by an...
vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code. Impact Remote Code Execution, assuming the attacker has arbitrary code execution primitive inside the context of vm2 sandbox. Patches None. Workarounds...
Moodle vulnerable to SQL Injection
A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions...
angular vulnerable to regular expression denial of service via the <input type="url"> element
All versions of the package angular are vulnerable to Regular Expression Denial of Service ReDoS via the element due to the usage of an insecure regular expression in the inputurl functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in...
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following
Impact This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to create new files and on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode...
Tauri Filesystem Scope Glob Pattern is too Permissive
Impact The filesystem glob pattern wildcards , ?, and ... match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Example: The fs scope $HOME/.key would also allow $HOME/.ssh/secret.key to be read even though it is in a sub director...
Akeneo PIM Community Edition vulnerable to remote php code execution
Impact Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allows remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Patches Akeneo PIM Community Edition after the versions aforementioned provides patched Apache HTTP server...
Uncontrolled Resource Consumption in markdown-it
Impact Special patterns with length 50K chars can slow down parser significantly. js const md = require'markdown-it'; md.renderx $' '.repeat150000 x \nx; Patches Upgrade to v12.3.2+ Workarounds No. References Fix + test sample:...
Default CORS config allows any origin with credentials
Impact Origin reflection attack The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app app, using the default CORS config, running at https://vulnerable.example.com: scala val routes: HttpRoutesF = HttpRoutes.of case req if req.pathInfo ===...
Denial of Service in SheetJS Pro
SheetJS Pro through 0.16.9 allows attackers to cause a denial of service CPU consumption via a crafted .xlsx document that is mishandled when read by xlsx.js...
Injection and Cross-site Scripting in osm-static-maps
This affects all versions of package osm-static-maps under 3.9.0. User input given to the package is passed directly to a template without escaping ... . As such, it is possible for an attacker to inject arbitrary HTML/JS code and depending on the context. It will be outputted as an HTML on the...
TypeORM vulnerable to MAID and Prototype Pollution
Prototype pollution vulnerability in the TypeORM package 0.2.25 may allow attackers to add or modify Object properties leading to further denial of service or SQL injection attacks...
Authentication Bypass
When configured to use authentication -Dnacos.core.auth.enabled=true Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HT...
Duplicate Advisory: XML Injection in petl
Duplicate Advisory This advisoerey has been withdrawn because it is a duplicate of GHSA-f5gc-p5m3-v347. This link is maintained to preserve external references. Original Description petl before 1.68, in some configurations, allows resolution of entities in an XML document...
Directory exposure in jetty
Impact If the $jetty.base directory or the $jetty.base/webapps directory is a symlink soft link in Linux, the contents of the $jetty.base/webapps directory may be deployed as a static web application, exposing the content of the directory for download. For example, the problem manifests in the...
Weak JSON Web Token in yapi-vendor
Weak JSON Web Token JWT signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used as a source of randomness in jwt signing. Math.random does not provide cryptographically secure random numbers. This has be...
Denial of Service in Page Error Handling
Meta CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C 5.5 CWE-405, CWE-674 Status: DRAFT Problem Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a...
Misinterpretation of malicious XML input
Impact xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. Patches Update to 0.5...
Directory Traversal in tencent-server
Affected versions of tencent-server resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system...
Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib
Summary Vulnerability scan of fiona shows CVE-2023-45853. The vulnerability is in GDAL, a dependency of fiona. Details Fiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip464 via a...
Rancher cattle-token is predictable
Impact An issue was discovered in Rancher versions up to and including 2.6.9 and 2.7.0, where the cattle-token secret, used by the cattle-cluster-agent, is predictable. Even after the token is regenerated, it will have the same value. This issue is not present in Rancher 2.5 releases. The...
Remote code execution via MongoDB BSON parser through prototype pollution
Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. Patches Prevent prototype pollution in MongoDB database adapter. Workarounds Disable remote code execution through the MongoDB BSON parser. Collaborators Mikhail Shcherbako...
isolated-vm has vulnerable CachedDataOptions in API
Impact If the untrusted v8 cached data is passed to the API through CachedDataOptions, the attackers can bypass the sandbox and run arbitrary code in the nodejs process. Version 4.3.7 changes the documentation to warn users that they should not accept cachedData payloads from a user...
`undici.request` vulnerable to SSRF using absolute URL on `pathname`
Impact undici is vulnerable to SSRF Server-side Request Forgery when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = require"undici" undici.requestorigin: "http://example.com",...
undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
Impact Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.jsL189, based on https://github.com/nodejs/undici/issues/872. However, cookie headers which are sensitive headers and are official headers found in the spec...
Deserialization of Untrusted Data in Groovy
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized...
OS Command Injection in Plexus-utils
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings...
SQL Injection in Hibernate ORM
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access...
lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through
Impact The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5. Patches The issue has been resolved in lxml 4.6.5...
Regular Expression Denial of Service in path-parse
Affected versions of npm package path-parse are vulnerable to Regular Expression Denial of Service ReDoS via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity...
Improper Handling of Length Parameter Inconsistency in Compress
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package...
Code injection in Narou
Narou aka Narou.rb before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel...
Deserialization of Untrusted Data in NukeViet
includes/core/isuser.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk...
Open Redirect in Flask-Security-Too
Impact Flask-Security allows redirects after many successful views e.g. /login by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc network location as the requesting URL. This check utilizes...
OS Command Injection in ng-packagr
The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option...
Regular Expression Denial of Service (ReDoS)
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service ReDoS. If an attacker provides a malicious string, is-svg will get stuck processing the input...
Activerecord-session_store Vulnerable to Timing Attack
The activerecord-sessionstore aka Active Record Session Store component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a...
Rosetta-Flash JSONP Vulnerability in hapi
This description taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a rosetta-flash attack, which can be used by attackers to send data across domains and break the browser same-origin-policy. Recommendation - Update hapi to version 6.1.1...
Reset Password / Login vulnerability in Sulu
Impact What kind of vulnerability is it? Who is impacted? This vulnerability consists of a few related issues: Forget password leaks information if the user exists When the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given stri...
Class destructors causing side-effects when being unserialized in TYPO3 CMS
Calling unserialize on malicious user-submitted content can result in the following scenarios: - trigger deletion of arbitrary directory in file system if writable for web server - trigger message submission via email using identity of web site mail relay Another insecure deserialization...
Cross-Site Scripting in fileview
All versions of fileview are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available. Consider using...
Micronaut's HTTP client is vulnerable to HTTP Request Header Injection
Vulnerability Micronaut's HTTP client is vulnerable to "HTTP Request Header Injection" due to not validating request headers passed to the client. Example of vulnerable code: java @Controller"/hello" public class HelloController @Inject @Client"/" RxHttpClient client; @Get"/external-exploit"...
Remote Code Execution (RCE) vulnerability in dropwizard-validation
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. Summary A server-side template injection...
auth0-lock vulnerable to XSS via unsanitized placeholder property
Overview Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog that are passing a placeholder property obtained from an untrusted source e.g. a query paramet...
Malicious takeover of previously owned ENS names
Impact A user who owns an ENS domain can set a "trapdoor", allowing them to transfer ownership to another user, and later regain ownership without the new owner's consent or awareness. Patches A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry. The registry...
Remote Code Execution in Angular Expressions
Impact The vulnerability, reported by GoSecure Inc, allows Remote Code Execution, if you call expressions.compileuserControlledInput where userControlledInput is text that comes from user input. If running angular-expressions in the browser, an attacker could run any browser script when the...
Pallets Werkzeug Insufficient Entropy
Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id...
Security feature bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated
A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2...
Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 bet...
golang.org/x/net vulnerable to Cross-site Scripting
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...