33227 matches found
HTTP Host Header Injection
Meta CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C 3.5 Problem It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend...
Flask-AppBuilder Open Redirect vulnerability
Impact If using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability Patches Install Flask-AppBuilder 3.2.2 or above...
Integer overflow in pywin32
An integer overflow exists in pywin32 prior to version b301 when adding an access control entry ACE to an access control list ACL that would cause the size to be greater than 65535 bytes. An attacker who successfully exploited this vulnerability could crash the vulnerable process...
No Restriction of Excessive Authentication Attempts in Firefly III
firefly-iii is vulnerable to Improper Lack of Restriction of Excessive Authentication Attempts...
Erroneous Proof of Work calculation in geth
Impact An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch estimated early January, 2021. This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. Patches This issue is also...
Missing Authentication for Critical Function
Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versio...
Uncontrolled Resource Consumption in XNIO
A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final...
Script injection
Impact A malicious internal actor can potentially upload documentation content with malicious scripts by embedding the script within an object element. This may give access to sensitive data when other users visit that same documentation page. The ability to upload malicious content may be limite...
Private Field data leak
This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control related oracle attack in that the attack method guides an attacker during...
Cross-Site Request Forgery in OpenNMS Horizon
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at...
HTTP Request Smuggling in reel
reel through 0.6.1 allows Request Smuggling attacks due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as...
pomerium_signature is not verified in middleware in github.com/pomerium/pomerium
Impact Some API endpoints under /.pomerium/ do not verify parameters with pomeriumsignature. This could allow modifying parameters intended to be trusted to Pomerium. The issue mainly affects routes responsible for sign in/out, but does not introduce an authentication bypass. Specific Go Packages...
Improper Authorization in github.com/containers/libpod
A flaw was found in podman before 1.7.0. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the...
Denial of Service (DoS) in HashiCorp Consul
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. Specific Go Packages Affected github.com/hashicorp/consul/agent/consul...
OS Command Injection in gulp-tape
gulp-tape through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of gulp-tape options...
OS Command Injection in gulkp-styledocco
gulp-styledocco through 0.0.3 allows execution of arbitrary commands. The argument options of the exports function in index.js can be controlled by users without any sanitization...
Cross-Site Request Forgery in ForkCMS
Multiple cross-site request forgery CSRF vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to 1 approve the mass of the user's comments, 2 restoring a deleted user, 3 installing or running modules, 4 resetting the...
SQL Injection in librenms
A second-order SQL injection issue in Widgets/TopDevicesController.php aka the Top Devices dashboard widget of LibreNMS before 21.1.0 allows remote authenticated attackers to execute arbitrary SQL commands via the sortorder parameter against the /ajax/form/widget-settings endpoint...
Exposure of Sensitive Information to an Unauthorized Actor in ansible
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldapattr and ldapentry community modules are used. The issue...
Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansiblefacts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansiblefacts after the clean. An attacker could take...
XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)
Impact The vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. Patches If you rely on...
Command Injection in ps-kill
This affects all versions of package ps-kill. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization in the index.js file. PoC provided by...
Cross-site scripting in Bleach
Impact A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument stripcomments=False Note: none of the above tags are in the default...
XSS in Vega
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega in an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execut...
XML External Entity in Dashboard Widget
Problem It has been discovered that RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At leas...
Cross-site Scripting in dijit editor's LinkDialog plugin
Impact XSS possible for users of the Dijit Editor's LinkDialog plugin Patches Yes, 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3 Workarounds Users may apply the patch made in these releases. For more information If you have any questions or comments about this advisory, open an issue in dojo/di...
Upload whitelisted files to any directory in OctoberCMS
Impact An attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the...
Persistent Cross-Site scripting in Nexus Repository Manager
Sonatype Nexus Repository before 3.21.2 allows XSS...
Prevent cache poisoning via a Response Content-Type header in Symfony
Description ----------- When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a...
Incorrect Account Used for Signing
Impact Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account i.e. the account at index 0, or with the legacy MEW/MyCrypto HD path, they are not affected. The vulnerability impacts cases where the user sign...
Incorrect Default Permissions in keyring
Python keyring lib before 0.10 created keyring files with world-readable permissions...
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
Impact If user-supplied input was passed into append/overridecontentsecuritypolicydirectives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the...
Stored XSS in Apache Atlas
Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored Cross-Site Scripting in the search functionality...
Downloads Resources over HTTP in httpsync
Affected versions of httpsync insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the syste...
Unrestricted Upload of File with Dangerous Type in blueimp-file-upload
Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload = v9.22.0...
Moderate severity vulnerability that affects activerecord
Withdrawn, accidental duplicate publish. Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions a...
Improper Input Validation in multi_xml
multixml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption involvin...
basic-ftp has FTP Command Injection via CRLF
Summary basic-ftp version 5.2.0 allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handles leading spaces and returns other...
OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
Summary Critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attac...
Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication...
Microsoft Security Advisory CVE-2024-38081 | .NET Elevation of Privilege Vulnerability
Microsoft Security Advisory CVE-2024-38081 | .NET Elevation of Privilege Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 . This advisory also provides guidance on what developers can do to update their...
Open redirect in gradio
An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting XSS, Server-Side Request Forgery SSRF, amongst others. This...
SQL Injection in Harbor scan log API
Impact A user with an administrator, projectadmin, or projectmaintainer role could utilize and exploit SQL Injection to allow the execution of any Postgres function or the extraction of sensitive information from the database through this API: GET...
eZ Platform Bundled jQuery affected by CVE-2019-11358
In eZ Platform 2.x, ezsystems/ezplatform-admin-ui-assets before v4.2.0 includes jQuery version 3.3.1. This version of jQuery is affected by the security vulnerability https://www.cvedetails.com/cve/CVE-2019-11358/ This is fixed in jQuery version 3.4. We recommend that you upgrade your...
Bouncy Castle Java Cryptography API vulnerable to DNS poisoning
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 ships with BC Java 1.78, BC Java LTS 2.73.6 and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname as happens...
Apache HugeGraph-Server: Command execution in gremlin
RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue...
Keycloak path traversal vulnerability in the redirect validation
An issue was found in the redirecturi validation logic that allows for a bypass of otherwise explicitly allowed hosts...
Pillow buffer overflow vulnerability
In imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy...
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
If pkcs12.serializekeyandcertificates is called with both: 1. A certificate whose public key did not match the provided private key 2. An encryptionalgorithm with hmachash set via PrivateFormat.PKCS12.encryptionbuilder.hmachash... Then a NULL pointer dereference would occur, crashing the Python...
Directus crashes on invalid WebSocket message
Summary It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix if only I had some extra time..., but I decided...