33254 matches found
Authentication bypass issue in the Operator Console
During an internal security audit, we detected an authentication bypass issue in the Operator Console when an external IDP is enabled. The security issue has been reported internally. We have not observed this exploit in the wild or reported elsewhere in the community at large. All users are...
SQL Injection in topthink/thinkphp
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods...
Cross site scripting in datatables.net
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped...
Deserialization of Untrusted Data in com.jsoniter:jsoniter
Withdrawn was withdrawn by its CNA. Further investigation showed that it was not a security issue. Original Description All versions of package com.jsoniter:jsoniter are vulnerable to Deserialization of Untrusted Data via malicious JSON strings. This may lead to a Denial of Service, and in certai...
Older releases of better_errors open to Cross-Site Request Forgery attack
Impact bettererrors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with...
Uncontrolled Resource Consumption in pillow
The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service ReDoS via the getrgb function...
Dolibarr Cross-site Scripting vulnerability
In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at /adherents/note.php?id=1 endpoint. These scripts are executed in a victim’s browser when th...
Account Takeover in Octobercms
Impact An attacker can request an account password reset and then gain access to the account using a specially crafted request. - To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form. Patches - Issue has been patched in...
TimelockController vulnerability in OpenZeppelin Contracts
Impact A vulnerability in TimelockController allowed an actor with the executor role to take immediate control of the timelock, by resetting the delay to 0 and escalating privileges, thus gaining unrestricted access to assets held in the contract. Instances with the executor role set to "open"...
Out-of-bounds write in ChakraCore
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0826, CVE-2020-0827, CVE-2020-0828, CVE-2020-0829,...
Reflected cross-site scripting in development mode handler in Vaadin
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 Vaadin 14.0.0 through 14.6.1, 3.0.0 through 6.0.9 Vaadin 15.0.0 through 19.0.8 allows local user to execute arbitrary JavaScript code by opening crafted URL in browser. -...
Reflected XSS from the callback handler's error query parameter
Overview Versions before and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the error query parameter which is then processed by the callback handler as an error message. Am I affected? You are affected by this vulnerability ...
Helm passes repository credentials to alternate domain
While working on the Helm source, a Helm core maintainer discovered a situation where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Impact The index.yaml within a Helm chart repository contains a...
Prototype Pollution
Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution...
Auto-merging Person Records Compromised
Impact New user registrations are able to access anyone's account by only knowing their basic profile information name, birthday, gender, etc. This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages such as giving and events. Patches We have...
Temporary urls leaked via logging
In OpenStack Swift prior to 2.15.2, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected...
Improper Authentication in InfluxDB
InfluxDB before 1.7.6 has an authentication bypass vulnerability in the authenticate function in services/httpd/handler.go because a JWT token may have an empty SharedSecret aka shared secret...
OS Command Injection in wifiscanner
wifiscanner.js in thingsSDK WiFi Scanner 1.0.1 allows Code Injection because it can be used with options to overwrite the default executable/binary path and its arguments. An attacker can abuse this functionality to execute arbitrary code...
Authorization service vulnerable to DDos attacks in Apache CFX
CXF supports via JwtRequestCodeFilter passing OAuth 2 parameters via a JWT token as opposed to query parameters see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request JAR. Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from...
Cross-site scripting in jspdf
It's possible to use nested script tags in order to bypass the filtering regex...
OS Command Injection in docker-compose-remote-api
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within index.js of the package, the function execserviceName, cmd, fnStdout, fnStderr, fnExit uses the variable serviceName which can be controlled by users without any sanitization...
OS Command injection in Bolt
Bolt before 3.7.2 does not restrict filter options in a Request in the Twig context, and is therefore inconsistent with the "How to Harden Your PHP for Better Security" guidance...
Prototype Pollution in deep-get-set
All versions of package deep-get-set prior to version 1.1.1 are vulnerable to Prototype Pollution via the main function...
Path Traversal in Ansible
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the winunzip module as the extracted files are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive...
Incorrect Session Validation in Apache Airflow
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have...
Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime
Impact AESCBCHMACSHA2 Algorithm A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while...
Cross-site Scripting (XSS) in moodle
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10...
Remote code execution in Kramdown
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated...
Cross-Site Scripting in Content Preview
Problem It has been discovered that database fields used as descriptionColumn are vulnerable to cross-site scripting when their content gets previewed in the page module. A valid backend user account is needed to exploit this vulnerability. Solution Update to TYPO3 versions 10.4.14, 11.1.1 that f...
XStream is vulnerable to an Arbitrary Code Execution attack
Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required...
printf vulnerable to Regular Expression Denial of Service (ReDoS)
The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service ReDoS via the regex string regex /%?:\w.+|1-9\d$?0 +-\|\d+?.?|\d+?hlL?%bscdeEfFgGioOuxX/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity...
Exposure of Sensitive Information to an Unauthorized Actor
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been...
Cross-site scripting (XSS)
Cross-site scripting XSS in modules/content/admin/content.php in ImpressCMS profile 1.4.2 allows remote attackers to inject arbitrary web script or HTML parameters through the "Display Name" field...
Elliptic Uses a Broken or Risky Cryptographic Algorithm
The npm package elliptic before version 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential...
Reflected Cross-site Scripting in ACS Commons
Impact ACS Commons version 4.9.2 and earlier suffers from a Reflected Cross-site Scripting XSS vulnerability in version-compare and page-compare due to invalid JCR characters that are not handled correctly. An attacker could potentially exploit this vulnerability to inject malicious JavaScript...
Command injection in ts-process-promises
This affects all versions of package ts-process-promises. The injection point is located in line 45 in main entry of package in lib/process-promises.js...
Path Traversal in Apache Flink
A change introduced in Apache Flink 1.11.0 and released in 1.11.1 and 1.11.2 as well allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users shou...
MPXJ path Traversal vulnerability
common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations...
ReDOS vulnerabities: multiple grammars
Impact: Potential ReDOS vulnerabilities exponential and polynomial RegEx backtracking oswasp: The Regular expression Denial of Service ReDoS is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very...
Command injection via Celery broker in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker Redis, RabbitMQ directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands...
Remote code execution via user-provided local names in ActionView
The is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call to perform a RCE...
Denial of Service in Cryptacular
CiphertextHeader.java in Cryptacular before 1.2.4, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data...
Information disclosure of source code in SimpleSAMLphp
Background The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. Description The che...
Negative charge in shopping cart in Shopizer
Impact Using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. Patches Adding a back-end verification to check that quantity parameter isn't negative. If so, it is set to 1. Patched in 2.11.0 Workarounds Without...
Python Twisted trustRoot is not respected in HTTP client
Python Twisted 14.0.0 trustRoot is not respected in HTTP client...
XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml...
Potential to access user credentials from the log files when debug logging enabled
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files...
XSS in search engine
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine...
Allocation of Resources Without Limits or Throttling in Apache Tika
A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file a quine, causes a StackOverflowError in Apache Tika's RecursiveParserWrapper in versions 1.7-1.21. Apache Tika users should upgrade to 1.22 or later...
Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core
Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."...