33225 matches found
XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets
Impact When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If...
Arbitrary Code Execution in Pillow
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 which was about the expression parameter...
Bouncy Castle Denial of Service (DoS)
Bouncy Castle for Java before 1.73 contains a potential Denial of Service DoS issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafte...
pyminizip affected by zlib's integer overflow/heap based buffer overflow vulnerability due to vulnerable dependency
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip464 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. pyminizip uses version 1.2.11 of zlib's code...
sing-box vulnerable to improper authentication in the SOCKS inbound
Impact This vulnerability allows specially crafted requests to bypass authentication, affecting all SOCKS inbounds with user authentication. Patches Update to sing-box 1.4.5 or 1.5.0-rc.5 and later versions. Workarounds Don't expose the SOCKS5 inbound to insecure environments...
Argo CD authenticated but unauthorized users may enumerate Application names via the API
Impact All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For...
RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user...
GeoServer OGC Filter SQL Injection Vulnerabilities
Impact GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language CQL as part of the Web Feature Service WFS and Web Map Service WMS protocols. CQL is also supported through the Web Coverage Service WCS protocol for ImageMosaic coverages. SQL Injection...
openssl-src contains Double free after calling `PEM_read_bio_ex`
The function PEMreadbioex reads a PEM file from a BIO and parses and decodes the "name" e.g. "CERTIFICATE", any header data and the payload data. If the function succeeds then the "nameout", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data...
ExifTool vulnerable to arbitrary code execution
Impact Arbitrary code execution can occur when running exiftool against files with hostile metadata payloads Patches ExifTool has already been patched in version 12.24. exiftoolvendored.rb, which vendors ExifTool, includes this patch in v12.25.0. Workarounds No References...
XStream can cause Denial of Service via stack overflow
Impact The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream. Patches XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead...
Cross-site Scripting in wicket-jquery-ui
In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor...
Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
Impact This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. All current stable versions of Electron are affected...
Path traversal in impacket
Multiple path traversal vulnerabilities exist in smbserver.py in Impacket before 0.9.23. An attacker that connects to a running smbserver instance can list and write to arbitrary files via ../ directory traversal. This could potentially be abused to achieve arbitrary code execution by replacing...
Improper Verification of Cryptographic Signature in Apache Pulsar in TensorFlow
If Apache Pulsar is configured to authenticate clients using tokens based on JSON Web Tokens JWT, the signature of the token is not validated if the algorithm of the presented token is set to "none". This allows an attacker to connect to Pulsar instances as any user incl. admins...
Cross-site scripting vulnerability in TinyMCE
Impact A cross-site scripting XSS vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then...
Insecure permissions on build temporary rootfs in Singularity
Impact Insecure permissions on temporary directories used in explicit and implicit container build operations. When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build...
Improper Verification of Cryptographic Signature in golang.org/x/crypto
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client...
Prototype Pollution in arr-flatten-unflatten
All versions of package arr-flatten-unflatten up to and including version 1.1.4 are vulnerable to Prototype Pollution via the constructor...
OS Command Injection and Improper Input Validation in ansible
A flaw was found in the solariszone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the na...
Padding Oracle Attack due to Observable Timing Discrepancy in jose
jose is an npm library providing a number of cryptographic operations. Impact AESCBCHMACSHA2 Algorithm A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly...
Key Caching behavior in the DynamoDB Encryption Client.
Impact This advisory concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified. When key usage permissions were changed at the key provider, time-based key reauthorization logic in...
Blind SQL injection in PrestaShop productcomments module
Impact An attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. Patches The problem is fixed in 4.2.1...
ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of pla...
Improper Restriction of Excessive Authentication Attempts in Sorcery
Impact Brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired protection will not be re-enabled until a user or malicious actor logs in successfully. This doe...
Command Injection in npm-programmatic
All versions of npm-programmatic are vulnerable to Command Injection. The package fails to sanitize input rules and passes it directly to an exec call on the install, uninstall and list functions . This may allow attackers to execute arbitrary code in the system if the package name passed to the...
Improper Restriction of Rendered UI Layers or Frames in Keycloak
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other...
OS Command Injection in devcert-sanscache
devcert-sanscache before 0.4.7 allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable commonName controlled by user input is used as part of the exec function without any sanitization...
Bleach vulnerable to mutation XSS via whitelisted math or svg and raw tag
Impact A mutation XSS affects users calling bleach.clean with all of: the svg or math in the allowed/whitelisted tags an RCDATA tag see below in the allowed/whitelisted tags the keyword argument strip=False Patches Users are encouraged to upgrade to bleach v3.1.2 or greater. Workarounds modify...
Users can view database names in Apache Superset
In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab...
Improper Restriction of XML External Entity Reference in Apache Olingo
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks...
Improper input validation in Apache Shiro
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack...
HTTP Request Smuggling in Waitress: Invalid whitespace characters in headers (Follow-up)
Impact The patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTTP request with invalid data. This updates the existing CVE with ID: CVE-2019-16789 Patches Waitress...
XML External Entity (XXE) Injection in Apache Solr
In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debuggi...
Critical severity vulnerability that affects org.eclipse.jetty:jetty-server
In Eclipse Jetty, versions 9.2.x and older, 9.3.x, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined...
jackson-dataformat-xml vulnerable to XML external entity (XXE)
XML external entity XXE vulnerability in XmlMapper in the Data format extension for Jackson aka jackson-dataformat-xml allows attackers to have unspecified impact via unknown vectors...
Possible privilege escalation in org.springframework:spring-core
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application server A receives input from a remote client, and then uses that input to make a...
When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it containe...
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
Summary A type-confusion bug in seroval ≤ 1.5.2 upstream advisory allowed a crafted JSON body sent to one TanStack Start server function to trigger invocation of a different client-referenced server function as a side effect of deserializing the request payload. This is not an authentication bypa...
Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability
Microsoft Security Advisory CVE-2025-26646: .NET Spoofing Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0.xxx and .NET 8.0.xxx SDK. This advisory also provides guidance on what developers can do to update their...
Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensiti...
Requests `Session` object does not verify requests after making first request with verify=False
When using a requests.Session, if the first request to a given origin is made with verify=False, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if verify=True is explicitly specified later. This occurs because the underlying connection is reused...
JWX vulnerable to a denial of service attack using compressed JWE message
Summary This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory...
Kyverno vulnerable due to usage of insecure cipher
Summary Insecure 3DES ciphers are used which may lead to exploitation of the Sweet32 vulnerability. Specifically, the ciphers TLSECDHERSAWITH3DESEDECBCSHA secp256r1 and TLSRSAWITH3DESEDECBCSHA rsa 2048 are allowed. See CVE-2016-2183. This is fixed in Kyverno v1.9.5 and v1.10.0 and no known users...
XWiki vulnerable to Code Injection in template provider administration
Impact Any user with edit rights on any document e.g., the own user profile can execute code with programming rights, leading to remote code execution by following these steps: 1. Set the title of any document you can edit can be the user profile to async async="true" cached="false"...
angular vulnerable to regular expression denial of service via the $resource service
All versions of the package angular are vulnerable to Regular Expression Denial of Service ReDoS via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtrackin...
LiteDB may deserialize bad JSON on object type using _type
Impact LiteDB use a special field in JSON documents to cast diferent types from BsonDocument do POCO classes. When instance of an object are not the same of class, BsonMapper use a special field type string info with full class name with assembly to be loaded and fit in your model. If your end-us...
golang.org/x/net vulnerable to Uncontrolled Resource Consumption
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...
X.509 Email Address 4-byte Buffer Overflow
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...
Ghost vulnerable to remote code execution in locale setting change
Impact A vulnerability in an upstream library means an authenticated attacker can abuse locale input to execute arbitrary commands from a file that has previously been uploaded using the file upload functionality in the post editor. Patches Fixed in 5.2.3, all 5.x sites should update as soon as...