33227 matches found
Remote Code Execution for 2.4.1 and earlier
Impact OpenTSDB is vulnerable to Remote Code Execution vulnerability by writing user-controlled input to Gnuplot configuration file and running Gnuplot with the generated configuration. Patches Patched in 07c4641471c6f5c2ab5aab615969e97211eb50d9 and further refined in...
smarty Cross-site Scripting vulnerability in Javascript escaping
Impact An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the...
Spring Framework vulnerable to denial of service via specially crafted SpEL expression
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service DoS condition...
phpseclib Infinite Loop vulnerability
Math/PrimeField.php in phpseclib has an infinite loop with composite primefields. This vulnerability was introduced in version 3.0.0, and has been patched in 3.0.19. The CVE for this issue originally identified the the vulnerable version as 2.x, however, the vulnerable functionality was not...
StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route
Summary When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard then an attacker can exfiltrate any class path resource. Details When computing the relative path to locate the resource, in cas...
KubePi may allow unauthorized access to system API
Summary Unauthorized access refers to the ability to bypass the system's preset permission settings to access some API interfaces. The attack exploits a flaw in how online applications handle routing permissions. Affected Version = v1.6.3 Patches The vulnerability has been fixed in v1.6.4...
PHPMailer vulnerable to email header injection
Impact Arbitrary additional email headers can be injected via crafted From or Sender headers. Patches Fixed in 2.2.1 Workarounds Filter user-supplied values prior to using them in From or Sender properties. References https://nvd.nist.gov/vuln/detail/CVE-2012-0796 For more information If you have...
matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions
Impact An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-android-sdk2 implementing a...
October CMS upload process vulnerable to RCE via Race Condition
Impact This advisory affects plugins that expose the October\Rain\Database\Attach\File::fromData as a public interface. This vulnerability does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. When the developer allow...
Code injection in Apache Commons Configuration
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "$prefix:name", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the...
Unsanitized JavaScript code injection possible in gatsby-plugin-mdx
Impact The gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present when passing input in both webpack MDX fil...
SM2 Decryption Buffer Overflow
In order to decrypt SM2 encrypted data an application is expected to call the API function EVPPKEYdecrypt. Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size...
Improper Restriction of XML External Entity Reference in Openpyxl
Openpyxl 2.4.1 resolves external entities by default, which allows remote attackers to conduct XXE attacks via a crafted .xlsx document...
Improper Input Validation in Microsoft.NETCore.App
Microsoft .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 allow an attacker to send specially crafted requests to a .NET web application, resulting in denial of service, aka .NET Denial of Service Vulnerability...
Incorrect Authorization in Apache Solr
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all...
Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm
An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution RCE. Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x...
Deleted Admin Can Sign In to Admin Interface
Impact Assuming an administrator once had previous access to the admin interface, they may still be able to sign in to the backend using October CMS v2.0. Patches The issue has been patched in v2.1.12 Workarounds - Reset the password of the deleted accounts to prevent them from signing in. - Plea...
Deserialization of Untrusted Data in org.apache.ddlutils:ddlutils
Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used...
Clipboard-based XSS
Impact XSS against the user. Details jsuites is vulnerable to DOM based XSS if the user can be tricked into copying anything from a malicious and pasting it into the html editor. This is because a part of the clipboard content is directly written to innerHTML causing XSS. References The Curious...
Remote Code Execution in Apache Dubbo
Apache Dubbo supports various rules to support configuration override or traffic routing called routing in Dubbo. These rules are loaded into the configuration center eg: Zookeeper, Nacos, ... and retrieved by the customers when making a request in order to find the right endpoint. When parsing...
Remote code execution in Eclipse Theia
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file...
Layout XML Arbitrary Code Fix
Impact Layout XML enabled admin users to execute arbitrary commands via block methods...
Cross-site scripting in Apache Jena Fuseki
A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 inclusive...
Prototype Pollution in deepmergefn
All versions of package deepmergefn are vulnerable to Prototype Pollution via deepMerge function...
Incorrect Access Control in Nacos
Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in...
Improper Input Validation in Centreon Web
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings...
Cross-Site Scripting in Query Generator & Query View
Meta CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C 4.5 Problem Failing to properly encode error messages, the components QueryGenerator and QueryView are vulnerable to both reflected and persistent cross-site scripting. A valid backend user account having administrator privileg...
Improper Verification of Cryptographic Signature
Impact The verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature of a SHA-512 hash matching the SHA-512 hash of the message even if the signature is invalid. Patches Upgrade to v7.0.3 immediately to resolve this issue. Since the vulnerability lies within the...
Incorrect Permission Assignment for Critical Resource in Hashicorp Consul
HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers. Introduced in 1.4.0, fixed in 1.6.6 and 1.7.4. Specific Go Packages Affected github.com/hashicorp/consul/agent/structs...
github.com/sassoftware/go-rpmutils Arbitrary File Write via Archive Extraction (Zip Slip)
The CPIO extraction functionality doesn't sanitize the paths of the archived files for leading and non-leading .. which leads in file extraction outside of the current directory. Note, the fixing commit was applied to all affected versions which were re-released...
Command Injection in Centreon
Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabasestatuspath via a main.get.php request and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page...
SQL Injection in t3/dce
The dce aka Dynamic Content Element extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account...
Regular expression denial of service in forms
The package forms before 1.3.2 are vulnerable to Regular Expression Denial of Service ReDoS via email validation...
Script injection
Impact A malicious internal actor is able to upload documentation content with malicious scripts. These scripts would normally be sanitized by the TechDocs frontend, but by tricking a user to visit the content via the TechDocs API, the content sanitazion will be bypassed. If the TechDocs API is...
Repository index file allows for duplicates of the same chart entry in helm
Impact During a security audit of Helm's code base, security researchers at Trail of Bits identified a bug in which the a Helm repository can contain duplicates of the same chart, with the last one always used. If a repository is compromised, this lowers the level of access that an attacker needs...
Improper Input Validation in HashiCorp Vault
HashiCorp Vault and Vault Enterprise 1.4.x before 1.4.2 in Go package github.com/hashicorp/vault-plugin-secrets-gcp/plugin has Incorrect Access Control...
Reflected Cross-site Scripting (XSS) in ACS Commons
ACS Commons version 4.9.2 and earlier suffers from a Reflected Cross-site Scripting XSS vulnerability in version-compare and page-compare due to invalid JCR characters that are not handled correctly. An attacker could potentially exploit this vulnerability to inject malicious JavaScript content...
Path Traversal in marked-tree
This affects all versions up to and including version 0.8.1 of package marked-tree. There is no path sanitization in the path provided at fs.readFile in index.js...
Cross-site Scripting in OpenCart
OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload section...
Prototype Pollution in promisehelpers
All versions of package promisehelpers up to and including version 0.0.5 are vulnerable to Prototype Pollution via the insert function...
Improper Input Validation in Spring Framework
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter...
Gon gem lack of escaping certain input when outputting as JSON
An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escapemode parameter to escape fields as an XSS protection mechanism. To mitigate, jsondumper.rb in gon now does escaping for XSS by default without relying on MultiJson...
Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:vaadin-server versions 7.0.0 through 7.7.23 Vaadin 7.0.0 through 7.7.23, and 8.0.0 through 8.12.2 Vaadin 8.0.0 through 8.12.2 allows attacker to guess a security token via timing attack -...
Denial of Service (DoS) in restify-paginate
The restify-paginate package 0.0.5 for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception...
Out of bounds read in Pillow
An issue was discovered in Pillow before 8.2.0. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries...
Prototype Pollution in y18n
Overview The npm package y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. POC js const y18n = require'y18n'; y18n.setLocale'proto'; y18n.updateLocalepolluted: true; console.logpolluted; // true Recommendation Upgrade to version 3.2.2, 4.0.1, 5.0.5 or later...
XStream is vulnerable to a Remote Command Execution attack
Impact The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required...
Django Incorrect Default Permissions
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 when Python 3.7+ is used. FILEUPLOADDIRECTORYPERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level...
Regular Expression Denial of Service (REDoS) in httplib2
Impact A malicious server which responds with long series of \xa0 characters in the www-authenticate header may cause Denial of Service CPU burn while parsing header of the httplib2 client accessing said server. Patches Version 0.19.0 contains new implementation of auth headers parsing, using...
Denial of Service in uap-core
Impact Some regexes are vulnerable to regular expression denial of service REDoS due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-core to = v0.11...