33225 matches found
Path traversal
Impact A malicious actor could read sensitive files from the environment where TechDocs documentation is built and published by setting a particular path for docsdir in mkdocs.yml. These files would then be available over the TechDocs backend API. This vulnerability is mitigated by the fact that ...
HTTP Request Smuggling in akka-http-core
A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server...
Open Redirect in Liferay Portal
The redirect module in Liferay Portal before 7.3.3 does not limit the number of URLs resulting in a 404 error that is recorded, which allows remote attackers to perform a denial of service attack by making repeated requests for pages that do not exist...
Improper Input Validation in Laravel
An issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions...
trentm/json vulnerable to command injection
This affects the package json before 10.0.0. It is possible to inject arbritary commands using the parseLookup function...
Withdrawn: Arbitrary Code Execution in static-eval
All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require'static-eval'; var parse = require'esprima'.parse; var src="function x return...
Bypass of fix for CVE-2020-26231, Twig sandbox escape
Impact A bypass of CVE-2020-26231 fixed in 1.0.470/471 and 1.1.1 was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247: An authenticated backend user with the cms.managepages, cms.managelayouts, or cms.managepartials permissions who would normally not be permitted to provide...
Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain
Impact Lack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery SSRF. Resolution Validate the provided Zendesk subdomain to be a valid subdomain in: getAuthUrl getAccessToken...
Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.13 Vaadin 10.0.0 through 10.0.16, 1.1.0 prior to 2.0.0 Vaadin 11 through 13, 2.0.0 through 2.4.6 Vaadin 14.0.0 through 14.4.6, 3.0.0 prior to 5.0.0 Vaadin 15 prior to 18, and...
Potential remote code execution in Apache Tomcat
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the...
ansi_up cross-site scripting vulnerability
The npm package ansiup converts ANSI escape codes into HTML. In ansiup v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting XSS vulnerability. This issue is fixed in v5.0.0...
Path traversal in pimcore/pimcore
This affects the package pimcore/pimcore before 6.8.8. A Local FIle Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class bundles/AdminBundle/Controller/Reports/CustomReportController.php. An authenticated user can reach this function with a GET...
CORS misconfiguration in socket.io
The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default...
Segfault in `tf.quantization.quantize_and_dequantize`
Impact An attacker can pass an invalid axis value to tf.quantization.quantizeanddequantize: python tf.quantization.quantizeanddequantize input=2.5, 2.5, inputmin=0,0, inputmax=1,1, axis=10 This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation:...
User passwords are stored in clear text in the Django session
Impact django-two-factor-auth versions 1.11 and before store the user's password in clear text in the user session base64-encoded. The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor...
Arbitrary shell command execution in logkitty
Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1...
Cross-Site Scripting in TYPO3 CMS Form Engine
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and greater than or equal to 10.0.0 and less than 10.4.2, it has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is need...
confinit vulnerable to prototype pollution
confinit through 0.3.0 is vulnerable to Prototype Pollution.The 'setDeepProperty' function could be tricked into adding or modifying properties of 'Object.prototype' using a 'proto' payload...
Inadequate Encryption Strength in DotNetNuke
DNN aka DotNetNuke 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811...
keycloak-core discloses system properties
It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML...
In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of...
FasterXML jackson-databind allows unauthenticated remote code execution
FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input...
pym.js CSRF Vulnerability
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross Site Request Forgery CSRF vulnerability in Pym.js onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.jsL573 can result in Arbitrary javascript code execution. This attack appears to be...
OpenSSL gem for Ruby using inadequate encryption strength
The OpenSSL gem for Ruby uses the same initialization vector IV in GCM Mode aes--gcm when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism...
@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization such as innerHTML, srcdoc, src, href, data, or sandbox is bound using the two-way binding syntax...
Nuxt: Reflected XSS in `navigateTo()` external redirect
Summary navigateTo with external: true generates a server-side HTML redirect body containing a tag. The destination URL is only sanitized by replacing " with %22, leaving , &, and ' unencoded. An attacker who can influence the URL passed to navigateTourl, external: true can break out of the...
ImageMagick: Heap Buffer Over-Read in IPTC encoder
When writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte...
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Summary A Cross-Site Scripting XSS vulnerability exists in Astro when using the @astrojs/cloudflare adapter with output: 'server'. The built-in image optimization endpoint /image uses isRemoteAllowed from Astro’s internal helpers, which unconditionally allows data: URLs. When the endpoint receive...
Reflex vulnerable to private state fields modification
Summary A user on the website can modify any private field on their own state. Details An event meant to modify client side storage had access to modify any field on the state for the given user. This includes non-client side ones and most importantly private fields. This still requires the actor...
Netty's HttpPostRequestDecoder can OOM
Summary The HttpPostRequestDecoder can be tricked to accumulate data. I have spotted currently two attack vectors Details 1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consistin...
snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact
Summary snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service DoS attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. Scope All...
Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths
Summary Tornado interprets -, +, and in chunk length and Content-Length values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older...
.NET Information Disclosure Vulnerability
Microsoft Security Advisory CVE-2023-35391: .NET Information Disclosure Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET core 2.1, .NET 6.0 and, .NET 7.0. This advisory also provides guidance on what developers c...
XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email
Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. For instance, the following URL execute an alter on the browser:...
Grafana has Broken Access Control in Alert manager: Viewer can send test alerts
Summary Grafana allows an attacker in the Viewer role, send alerts by API Alert - Test. The option is not available from the user panel UI for in the Viewer role. Reason for the error: The API does not check access to this function and allows it by users with the least rights, for example, the...
SQL injection in Liferay Portal
SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is...
Lightbend Alpakka Kafka logs credentials on debug level
Lightbend Alpakka Kafka before 4.0.2 logs its configuration as debug information, and thus log files may contain credentials if plain cleartext login is configured. This occurs in akka.kafka.internal.KafkaConsumerActor...
Sandbox bypass in Jenkins Script Security Plugin
A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a2fb25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the...
cookiejar Regular Expression Denial of Service via Cookie.parse function
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service ReDoS via the Cookie.parse function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if...
Apache SOAP contains unauthenticated RPCRouterServlet
UNSUPPORTED WHEN ASSIGNED In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might...
Denial of Service due to parser crash
Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks DOS. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. This...
Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. A fix for this issue was published in September 20...
Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service
Description Invalid HTTP/2 requests for example, invalid URIs are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying ...
Jupyter server Token bruteforcing
Affects: Notebook and Lab between 6.4.0?potentially earlier and 6.4.11 currently latest. Jupyter Server =1.16.0. If I am correct about the responsible code it will affect Jupyter-Server 1.17.0 and 2.0.0a0 as well. Description: If notebook server is started with a value of rootdir that contains th...
Open Redirect
Impact In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have...
HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods
Impact Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities: Ping flood: https://vulners.com/cve/CVE-2019-9512 Reset flood: https://vulners.com/cve/CVE-2019-9514 Settings flood: https://vulners.com/cve/CVE-2019-9515 A Twisted...
Cross-site scripting in json-sanitizer
OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause...
Policies not properly enforced in bluemonday
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python in pybluemonday, does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements...
Cross-site Scripting in Apache Zeppelin
Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0...
vercel/serve allows access to restricted files if filename is URL encoded.
serve node module suffers from Improper Handling of URL Encoding by permitting access to ignored files if a filename is URL encoded...