33225 matches found
OS Command Injection in Locutus
php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution...
HashiCorp Consul L7 deny intention results in an allow action
In HashiCorp Consul before 1.10.1 and Consul Enterprise, xds can generate a situation where a single L7 deny intention with a default deny policy results in an allow action...
Insertion of Sensitive Information into Log File in ansible
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by nolog feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to dat...
Improper Sanitizing of plugin names in helm
Impact Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to hel...
Puma's Keepalive Connections Causing Denial Of Service
This vulnerability is related to CVE-2019-16770. Impact The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process...
Cross-site scripting in bootstrap-select
bootstrap-select before 1.13.6 allows Cross-Site Scripting XSS. It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser...
Authentication bypass in MAGMI
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting maxconnections default 151 is lower than Apache or...
Possible Open Redirect Vulnerability in Action Pack
There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: = v6.1.0.rc2 Not affected: v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host...
Authentication bypass for specific endpoint
The ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. For...
Improper Certificate Validation in oauth ruby gem
lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information...
react-dev-utils OS Command Injection in function `getProcessForPort`
react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts in Create React App projects, where the usage is safe. Only when this function is manually invok...
Code injection in Apache Ant
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the...
Local File Inclusion by unauthenticated users
Impact An attacker can exploit this vulnerability to read local files on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. Patches Issue has been patched in Build 469 v1.0.469 and v1.1.0. Workarounds Apply...
Ciphertext Malleability Issue in Tink Java
Impact Tink's Java version before 1.5 under some circumstances allowed attackers to change the key ID part of the ciphertext, resulting in the attacker creating a second ciphertext that will decrypt to the same plaintext. This can be a problem in particular in the case of encrypting with a...
Command Injection in jison
Withdrawn: This vulnerability is not present in the released npm package. Rather the vulnerable code is part of the repo, but not part of the package. See linked hackerone report for more details. Insufficient input validation in npm package jison = 0.4.18 may lead to OS command injection attacks...
Deserialization of untrusted data in Jackson Databind
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool aka xalan2...
Django Rest Framework jwt allows obtaining new token from notionally invalidated token
An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of...
django-nopassword stores secrets in cleartext
django-nopassword before 5.0.0 stores cleartext secrets in the database...
Command Injection in hot-formula-parser
Versions of hot-formula-parser prior to 3.0.1 are vulnerable to Command Injection. The package fails to sanitize values passed to the parse function and concatenates it in an eval call. If a value of the formula is supplied by user-controlled input it may allow attackers to run arbitrary commands...
Ability to switch channels via GET parameter enabled in production environments
Impact This vulnerability gives the ability to switch channels via the channelcode GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true. However, if no syliuschannel.debug is set explicitly in the configuration, the default value which is...
Arbitrary JavaScript Execution in bassmaster
A vulnerability exists in bassmaster = 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation Update to bassmaster version 1.5.2 or greater...
Aescrypt does not sufficiently use random values
The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to defeat cryptographic protection mechanisms via a chosen plaintext attack...
Heimdall has an authorization bypass via path normalization mismatch
Summary Heimdall performs rule matching on the raw non-normalized request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path e.g., /user/../admin, or URL-encoded variants...
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Summary The contents of arbitrary files can be returned to the browser. Details @fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists. PoC sh $ npm create vite@latest $ cd vite-project/ $ npm...
CIRCL's Kyber: timing side-channel (kyberslash2)
Impact On some platforms, when an attacker can time decapsulation of Kyber on forged cipher texts, they could possibly learn parts of the secret key. Does not apply to ephemeral usage, such as when used in the regular way in TLS. Patches Patched in 1.3.7. References - kyberslash.cr.yp.to...
PrestaShop SQL manager vulnerability
Impact Remote code execution through SQL injection and arbitrary file write in back office Patches 1.7.8.10 8.0.5 8.1.1 Found by Truff via yeswehack Workarounds none References none...
Prototype pollution in webpack loader-utils
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js...
Improper Verification of Cryptographic Signature in `node-forge`
Impact RSA PKCS1 v1.5 signature verification code is not properly checking DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. Patches The issue has been addressed in node-forge 1.3.0. For more...
CSRF vulnerability and missing permission checks in Jenkins Extended Choice Parameter Plugin allow SSRF
Extended Choice Parameter Plugin 346.vd87693c5a86c and earlier does not perform a permission check on form validation methods. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these form validation methods do not require POST requests,...
Incorrect Default Permissions in log4js
Impact Default file permissions for log files created by the file, fileSync and dateFile appenders are world-readable in unix. This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode...
XML2Dict XML Entity Expansion Vulnerability
XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service. The parse function does not properly restrict recursive entity references...
Craft CMS Cross-site Scripting Vulnerability
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads...
Incorrect Authorization in ORY Oathkeeper
ORY Oathkeeper is an Identity & Access Proxy IAP and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. When you make a request to an endpoint that requires the scope foo using an access token granted with that foo scope, introspection will be valid and that...
Path Traversal in Docker
Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an 1 image or 2 build in a Dockerfile...
Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI-Generator online generator
Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This...
Prototype Pollution in swiper
Versions of the package swiper before 6.5.1 are susceptible to prototype pollution...
Command Injection in ps-visitor
This affects all versions up to and including version 0.0.2 of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Cross-Site Request Forgery in Vert.x-Web framework
Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need t...
Pillow Out-of-bounds Read
In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations...
Remote Code Execution in SCIMono
Impact It is possible for attacker to inject and execute java expression and compromising the availability and integrity of the system. Patches The issue was fixed on 0.0.19 version...
Potential DoS with NumberFilter conversion to integer values.
Impact Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Patches Version 2.4.0+ applies a MaxValueValidator with a a default limitvalue of...
DLL Injection in kerberos
Version of kerberos prior to 1.0.0 are vulnerable to DLL Injection. The package loads DLLs without specifying a full path. This may allow attackers to create a file with the same name in a folder that precedes the intended file in the DLL path search. Doing so would allow attackers to execute...
Reverse Tabnabbing in quill
Versions of quill prior to 1.3.7 are vulnerable to Reverse Tabnabbing. The package uses target='blank' in anchor tags, allowing attackers to access window.opener for the original page when opening links. This is commonly used for phishing attacks. Recommendation No fix is currently available...
Cross-Site Scripting in @novnc/novnc
Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting XSS. The package fails to validate input from the remote VNC server such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. It affects...
Improper Input Validation in jackson-databind
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup...
Insecure Deserialization in Apache XML-RPC
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC aka ws-xmlrpc library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issu...
Signature wrapping vulnerability in Spring Security
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...
Backend Same-Site Request Forgery in TYPO3 CMS
Meta CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C CWE-352 CWE-346 Problem It has been discovered that backend user interface and install tool are vulnerable to same-origin request forgery. A backend user can be tricked into interacting with a malicious resource an attacker...
Improper Certificate Validation in Apache Beam
The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 has an option to disable SSL trust verification. However this configuration is not respected and the certificate verification disables trust verification in every case. This exclusion also gets registered globally which disables trust...
jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory aka aries.transaction.jms...