33227 matches found
Keycloak vulnerable to privilege escalation on Token Exchange feature
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the clientid of the target. This could allow a client to gain unauthorized access to...
Elasticsearch privilege escalation
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “” index permissions access to this index. Users running a cluster on an affected version...
October/System authenticated file write leads to remote code execution
Impact Assuming an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. Patches Issue has been patched in Build 473 and v1.1.6 Workarounds Apply...
SQL Injection in Subrion CMS
SQL Injection vulnerability in Subrion CMS v4.2.1 in the search page if a website uses a PDO connection...
Directory Traversal in isomorphic-git
isomorphic-git before 1.8.2 allows Directory Traversal via a crafted repository...
Incorrect Authorization in serverless-offline
Serverless Offline 8.0.0 returns a 403 HTTP status code for a route that has a trailing / character, which might cause a developer to implement incorrect access control, because the actual behavior within the Amazon AWS environment is a 200 HTTP status code i.e., possibly greater than expected...
Injection in MockServer
MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. An attacker that can trick a victim into visiting a malicious site while running MockServer locally, will be able to run arbitrary code on the MockServer machine. With an overly broad...
Open redirect in url-parse
Overview Affected versions of npm url-parse are vulnerable to URL Redirection to Untrusted Site. Impact Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior...
Open Redirect in Flask-User
This affects all versions of package Flask-User. When using the makesafeurl function, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as /////evil.com/path or \\evil.com/path. This vulnerability is only exploitable if an...
Workflow re-write vulnerability using input parameter
Impact Allow end-users to set input parameters, but otherwise expect workflows to be secure. Patches Not yet. Workarounds Set EXPRESSIONTEMPLATES=false for the workflow controller References https://github.com/argoproj/argo-workflows/issues/6441 For more information If you have any questions or...
Improper Resource Shutdown or Release in HashiCorp Vault
HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2...
Hashicorp Consul Missing SSL Certificate Validation
HashiCorp Consul before 1.10.1 and Consul Enterprise has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated...
Cross-site Scripting in Gogs
Cross-site scripting XSS vulnerability in models/issue.go in Gogs aka Go Git Service 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown...
XXE vulnerability in Launch import
| Release Date | Affected Projects | Affected Versions | Access Vector| Security Risk | |--------------|-------------------|-------------------|---------------|---------------| | Monday, May 4, 2020| service-api | Every version, starting from 3.1.0 | Remote | Medium | Impact Starting from version...
Improper input validation in CNCF Cortex
The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth passwordfile can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack...
Form validation can be skipped
Impact By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators. We consider the severity low because it is not possible to change any form values since the form state is secured with an HMAC that is still verified. That means that...
Cross-site scripting in Plone
Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item...
Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint
Impact Due to incorrect use of a default URL, singularity action commands run/shell/exec specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint cloud.sylabs.io rather than the configured remote endpoint. An attacker may be able...
Denial-of-Service within Docker container
Impact If you run teler inside a Docker container and encounter errors.Exit function, it will cause denial-of-service SIGSEGV because it doesn't get process ID and process group ID of teler properly to kills. Specific Go Packages Affected ktbs.dev/teler/pkg/errors Patches Upgrade to the = 0.0.1...
Go Ethereum Improper Input Validation
In Go Ethereum aka geth before 1.8.14, TraceChain in eth/apitracer.go does not verify that the end block is after the start block. Specific Go Packages Affected github.com/ethereum/go-ethereum/eth...
golang.org/x/text Infinite loop
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to...
Improperly Controlled Modification of Dynamically-Determined Object Attributes in vega-util
vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype...
Command Injection in onion-oled-js
This affects all versions up to and including version 0.0.2 of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...
Cross-Site Request Forgery in MAGMI
All versions of MAGMI up to and including version 0.7.24 are vulnerable to CSRF due to the lack of CSRF tokens. RCE via phpcli command is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI...
Command injection in Gerapy
This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the projectconfigure endpoint, isn’t being sanitized...
SVGlib Vulnerable to XXE Attacks
The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call...
Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial
URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow commands to be executed in the HgDriver if hg/Mercurial is installed on the system. Impact - The impact to Composer users directly is limit...
Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17
Unsafe validation RegEx in EmailField component in com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 Vaadin 14.0.6 through 14.4.3, and 3.0.0 through 4.0.2 Vaadin 15.0.0 through 17.0.10 allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses...
RSA signature validation vulnerability on maleable encoded message in jsrsasign
Impact Vulnerable jsrsasign will accept RSA signature with improper PKCS1.5 padding. Decoded RSA signature value consists following form: 01ff...8 or more ffs...ff00ASN.1 OF DigestInfo Its byte length must be the same as RSA key length, however such checking was not sufficient. To make crafted...
Command Injection in macfromip
All versions of npm package macfromip are affected by a command injection vulnerability. The injection point is located in line 66 in macfromip.js...
Exposure of class information in RESTEasy
A flaw was found in RESTEasy in all current versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value...
OMERO.web exposes some unnecessary session information in the page
Background OMERO.web loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. Some additional information being loaded is not used by the webclient and is being removed in this release. Impact OMERO.we...
Out-of-bounds write in libpng
An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function gettoken in pnm2png.c in pnm2png...
Command injection in kill-process-on-port
All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId...
Django Incorrect Default Permissions
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 when Python 3.7+ is used. The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077...
Pillow Denial of Service by Uncontrolled Resource Consumption
Pillow before 8.1.2 allows attackers to cause a denial of service memory consumption because the reported size of a contained image is not properly checked for an ICO container, and thus an attempted memory allocation can be very large...
Privilege Escalation Flaw in Elasticsearch
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication...
Disabled users able to log in with third party SSO plugin
Impact Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow a disabled user to still login using email address Patches Upgrade to 2.12.0 or later. Workarounds None. For more information If you have any questions or comments about this advisory: Email us at [email protected]...
Cross-site scripting vulnerability in TinyMCE
Impact A cross-site scripting XSS vulnerability was discovered in the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are...
Sensitive Data Exposure in Apache Ant
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build...
Bitcoin Inventory Out-of-Memory Denial-of-Service Attack (CVE-2018-17145)
There was an easily exploitable uncontrolled memory resource consumption denial-of-service vulnerability that existed in the peer-to-peer network code of three implementations of Bitcoin and several alternative chains. For more details please see: https://invdos.net/ For the paper:...
Moped Rubygem Data Injection Vulnerability
The Moped::BSON::ObjecId.legal? method in rubygem-moped before commit dd5a7c14b5d2e466f7875d079af71ad19774609b allows remote attackers to cause a denial of service worker resource consumption or perform a cross-site scripting XSS attack via a crafted string...
Cross-Site Scripting in Prism
Impact The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This impacts all Safari and Internet Explorer users of Prism =v1.1.0 that use the Previewers plugin =v1.10.0 or the Previewer: Easing plugin...
Insecure defaults in UmbracoForms
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that...
Command Injection in Kylin
Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation...
Reflected XSS when importing CSV in OctoberCMS
Impact A user with the ability to use the import functionality of the ImportExportController behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Patches Issue has been patched in Build 4...
XSS/Script injection vulnerability in matestack
matestack-ui-core RubyGem before 0.7.4 is vulnerable to XSS/Script injection. This vulnerability is patched in version 0.7.4...
Arbitrary File Write in iobroker.js-controller
Versions of iobroker.controller prior to 2.0.25 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended /adapter/ folder, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the...
Deserialization of untrusted data in FasterXML jackson-databind
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup, leading to remote code execution...
Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows...