33227 matches found
Cross Site Scripting (XSS) in XWiki
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section...
SAML XML Signature wrapping in PySAML2
Impact All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. pysaml2 = 6.4.1 does not validate the SAML document against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elemen...
Multiple cryptographic issues in Python oic
Impact Client implementations using this library Issues 1 The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2 JWA none algorithm was allowed in all flows. 3 oic.consumer.Consumer.parseauthz returns an unverified IdToken. Th...
Out of bounds access in tensorflow-lite
Impact In TensorFlow Lite models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor:...
Cross-Site Scripting in dojo
Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.2.0 or later...
Downloads Resources over HTTP in npm-test-sqlite3-trunk
Affected versions of npm-test-sqlite3-trunk insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code executio...
Open Redirect in serve-static
Versions of serve-static prior to 1.6.5 or 1.7.x prior to 1.7.2 are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory. Proof of Concept A link to http://example.com//www.google.com/%2e%2e will redirect to //www.google.com/%2e%2e Some browse...
Unintended read access in kramdown gem
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access such as template="/etc/passwd" or unintended embedded Ruby code execution such as a string that begins with template="string://%= . NOTE: kramdown is used...
Cross-Site Scripting in Wagtail
Impact When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.asp as directed in the documentation, any HTML tags used within a form field's help text will be...
Potential unauthorized access to stored request & session data when plugin is misconfigured in October CMS Debugbar
Impact The debugbar contains a perhaps little known feature where it will log all requests and all information pertaining to each request including session data whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as the potenti...
Cross-Site Scripting in SVG Sanitizer
Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Albeit the markup is not valid it still is evaluated in browsers and leads to cross-site scripting. An updated version 1.0.3 is available from the TYPo3 extension manager and at...
Local file inclusion vulnerability in http4s
Impact This vulnerability applies to all users of: org.http4s.server.staticcontent.FileService org.http4s.server.staticcontent.ResourceService org.http4s.server.staticcontent.WebjarService Path escaping URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expos...
Incorrect Default Permissions in keyring
Python keyring has insecure permissions on new databases, allowing world-readable files to be created...
Prototype Pollution in Dojox
The Dojox jQuery wrapper jqMix mixin method is vulnerable to Prototype Pollution. Affected Area: //https://github.com/dojo/dojox/blob/master/jq.jsL442 var tobj = ; forvar x in props // the "tobj" condition avoid copying properties in "props" // inherited from Object.prototype. For example, if obj...
Cross-site scripting in SimpleSAMLphp
Background SimpleSAMLphp allows users to report errors and failures to the system administrators via a web form. This web form gathers some contextual information automatically, but it also allows the user to provide their email address for follow-ups and a free-text explanation of what happened...
Path Traversal in Action View
File Content Disclosure in Action View Impact ------ There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents. Th...
Denial of service in ASP.NET Core
A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData...
Growl before 1.10.0 vulnerable to Command Injection
Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution. Recommendation Update to version 1.10.0 or later...
Keycloak: Session fixation in OIDC login flow that can lead to account takeover
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which...
Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
If a non-contiguous buffer was passed to APIs which accepted Python buffers e.g. Hash.update, this could lead to buffer overflows. For example: python h = HashSHA256 b.updatebuf::-1 would read past the end of the buffer on Python 3.11...
Better Call routing bug can lead to Cache Deception
Summary Using a CDN that caches //.png, //.json, //.css, etc... requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users. Details The vulnerability occurs in the request processing logic where...
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rvqx-wpfh-mfx7. This link is maintained to preserve external references. Original Description Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote an...
Directus's webhook trigger flows can leak sensitive data
Describe the Bug In Directus, when a Flow with the "Webhook" trigger and the "Data of Last Operation" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user...
path-to-regexp contains a ReDoS
Impact The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296 Patches Upgrade to 0.1.12. Workarounds Avoid using two parameters within a single path segment, when the separator is not . e.g. no...
Withdrawn Advisory: Symfony's VarDumper vulnerable to unsafe deserialization
Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5048. Original Description A deserialization vulnerability exists in the Stub clas...
HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims
Vault and Vault Enterprise did not properly validate the JSON Web Token JWT role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have be...
Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
Summary Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6. libxml2 v2.12.7 addresses CVE-2024-34459: - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53 Impact There is no impact to Nokogiri...
python-multipart vulnerable to Content-Type Header ReDoS
Summary When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely minutes or...
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm...
aiohttp is vulnerable to directory traversal
Summary Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system. Details When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static...
nvdApiKey is logged in debug mode
Summary The value of nvdApiKey configuration parameter is logged in clear text in debug mode. Details The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print Note that...
TinyMCE XSS vulnerability in notificationManager.open API
Impact A cross-site scripting XSS vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully crafted malicious content to have been...
Code injection in wix-embedded-mysql
wix-embedded-mysql v4.6.2 and below was discovered to contain a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. This vulnerability is exploited via passing an unchecked argument...
langchain SQL Injection vulnerability
SQL injection vulnerability in langchain allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component...
Spring Boot Welcome Page Denial of Service
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the condition...
Session fixation in fastify-passport
Applications using @fastify/passport for user authentication, in combination with @fastify/session as the underlying session management mechanism, are vulnerable to session fixation attacks from network and same-site attackers. Details fastify applications rely on the @fastify/passport library fo...
Apache Airflow Spark Provider vulnerable to improper input validation
Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain / and ? which is used to denote the end of the field...
DDOS attack on graphql endpoints
An attacker could use a specially crafted graphql query to execute a Distributed Denial of Service attack DDOS attack against a website. This mostly affects websites with publicly exposed and particularly large/complex graphql schemas. If your Silverstripe CMS project does not expose a public...
sqlite vulnerable to code execution due to Object coercion
Impact Due to the underlying implementation of .ToString, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object. Users of sqlite3 v5.0.0 - v5.1.4 are affected by this. Patches Fixed in v5.1.5. All users are recommended to...
Cross-site Scripting in Quarkus
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature...
Protobuf Java vulnerable to Uncontrolled Resource Consumption
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes...
Solana Pay Vulnerable to Weakness in Transfer Validation Logic
Description When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied validateTransfer function. An edge case regarding this mechanism could cause the validation logic to validate multiple...
Undertow vulnerable to Dos via Large AJP request
When a POST request comes through AJP and the request exceeds the max-post-size limit maxEntitySize, Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker...
Change in port should be considered a change in origin
Impact Authorization and Cookie headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request, before containing. Previously, we...
Code injection in `saved_model_cli` in TensorFlow
Impact TensorFlow's savedmodelcli tool is vulnerable to a code injection: savedmodelcli run --inputexprs 'x=print"malicious code to run"' --dir ./ --tagset serve --signaturedef servingdefault This can be used to open a reverse shell savedmodelcli run --inputexprs 'hello=exec"""\nimport...
Deserialization of Untrusted Data in Apache Tapestry
By manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this...
Withdrawn Advisory: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
Withdrawn Advisory This advisory has been withdrawn because it does not describe a vulnerability. The maintainer states the following: The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected a...
Code execution in Apache Struts 1 plugin
The Struts 1 plugin used with Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage...
`OCSP_basic_verify` may incorrectly verify the response signing certificate
The function OCSPbasicverify verifies the signer certificate on an OCSP response. In the case where the non-default flag OCSPNOCHECKS is used then the response will be positive meaning a successful verification even in the case where the response signing certificate fails to verify. It is...
Exposure of repository credentials to external third-party sources in Rancher
Impact This issue only happens when the user configures access credentials to a private repository in Rancher inside Apps & Marketplace Repositories. It affects Rancher versions 2.5.0 up to and including 2.5.11 and from 2.6.0 up to and including 2.6.2. An insufficient check of the same-origin...