33268 matches found
Prefix escape
Impact By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is /pub/, a user expect that accessing /priv on the target service would not be possible. Unfortunately, it is. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N...
Inline JS XSS vulnerability in Mautic
Impact Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack when using Mautic forms on a Mautic landing page using GET parameters to pre-populate the form. Patches Upgrade to 2.12.0 or later. Workarounds None References https://github.com/mautic/mautic/releases/tag/2.12.0 For mo...
XSS vulnerability in Author URL of themes in Mautic
Impact An XSS vulnerability was discovered in Mautic 2.13.1 in the Author URL of themes. Patches Update to 2.14 or later Workarounds None References https://github.com/mautic/mautic/releases/tag/2.14.0 For more information If you have any questions or comments about this advisory: Email us at...
Remote Code Execution (RCE) Exploit on Cross Site Scripting (XSS) Vulnerability
Impact A RCE exploit has been discovered in the Red Discord Bot - Dashboard Webserver: this exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive...
Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS
Meta CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C 8.2 CWE-325, CWE-20, CWE-200, CWE-502 Problem It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message...
Denial of service in Apache Xerces2
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment JRE in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service infinite loop and application hang via malformed XML input, as...
CSRF issue on preview pages in Bolt CMS
Impact Bolt CMS lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could...
path traversal in Jooby
Impact Access to sensitive information available from classpath. Patches Patched version: 1.6.7 and 2.8.2 Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009 Commit 2.x:...
XSS in python-markdown2
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...
CSRF and DNS Rebinding in Oasis
Impact What kind of vulnerability is it? Who is impacted? If you're running a vulnerable application on your computer and an attacker can trick you into visiting a malicious website, they could use DNS rebinding and CSRF attacks to read/write to vulnerable applications. There is no evidence that...
Cross-Site Scripting in http_server
All versions of httpserver are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation No fix is currently available. Consider usi...
GitHub personal access token leaking into temporary EasyBuild (debug) logs
Impact The GitHub Personal Access Token PAT used by EasyBuild for the GitHub integration features like --new-pr, --from-pr, etc. is shown in plain text in EasyBuild debug log files. Scope: the log message only appears in the top-level log file, not in the individual software installation logs see...
Holder can generate proof of ownership for credentials it does not control in vp-toolkit
Impact The verifyVerifiablePresentation method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the credentialSubject.id DID matches the signer of the VP proof. The verifier is impacted by this vulnerability. Patches Patch will be available in version...
URL Redirection to Untrusted Site (Open Redirect) in Ktor
In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location...
Unrestricted file uploads in Contao
Impact A back end user with access to the form generator can upload arbitrary files and execute them on the server. Patches Update to Contao 4.4.46 or 4.8.6. Workarounds Configure your web server so it does not execute PHP files and other scripts in the Contao file upload directory. References...
SQL Injection in usmanhalalit/pixie
Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit function due to improper sanitization...
SQLAlchemy is vulnerable to SQL Injection via group_by parameter
SQLAlchemy 1.2.17 has SQL Injection when the groupby parameter can be controlled...
Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers
gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "processheaders" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been...
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
Hook mutation of data.allowedTags / data.allowedAttributes permanently pollutes DEFAULTALLOWEDTAGS / DEFAULTALLOWEDATTR CWE: CWE-501 Trust Boundary Violation — hook-scoped mutation leaks to global default sets via CWE-693 Protection Mechanism Failure — the default allow-list is silently widened f...
Malware in @opensearch-project/opensearch
Overview The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch. Users are instructed to immediately take...
FlowiseAI Pre-Auth Arbitrary Code Execution
Summary An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync to launch reverse...
Incorrect permission check in Jenkins GitLab Plugin allows enumerating credentials IDs
The Jenkins GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token credentials and...
Blind XSS Leading to Froxlor Application Compromise
Description: A Stored Blind Cross-Site Scripting XSS vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious...
Apache ActiveMQ's default configuration doesn't secure the API web context
In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context where the Jolokia JMX REST API and the Message REST API are located. It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker using Jolokia J...
RDoc RCE vulnerability with .rdoc_options
An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdocoptions used for configuration in RDoc as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be...
Denial of service while parsing a tar file due to lack of folders count validation
Description: During some analysis today on npm's node-tar package I came across the folder creation process, Basicly if you provide node-tar with a path like this ./a/b/c/foo.txt it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt, In-thi...
GeoServer log file path traversal vulnerability
Impact This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location. This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause...
Container escape at build time
Impact What kind of vulnerability is it? Who is impacted? Users running containers with root privileges allowing a container to run with read/write access to the host system files when selinux is not enabled. With selinux enabled, some read access is allowed. Patches From @nalind cat...
Directus has MySQL accent insensitive email matching
Password reset vulnerable to accent confusion The password reset mechanism of the Directus backend is implemented in a way where combined with specific, need to double check if i can work around configuration in MySQL or MariaDB. As such, it allows attackers to receive a password reset email of a...
Spring Framework server Web DoS Vulnerability
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service DoS condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC Spring Security 6.1....
Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
Summary The OrderAndPaginate function is used to order and paginate data. It is defined as follows: go func OrderAndPaginatec gin.Context funcdb gorm.DB gorm.DB return funcdb gorm.DB gorm.DB sort := c.DefaultQuery"order", "desc" order := fmt.Sprintf"%s %s", DefaultQueryc, "sortby", "id", sort db ...
Test code in published microsoft-graph-beta package exposes phpinfo()
Impact The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php. The phpInfo function exposes system...
RaspAP Command Injection vulnerability
A Command injection vulnerability in RaspAP 2.8.0 thru 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfgid parameter in /ajax/openvpn/activateovpncfg.php and /ajax/openvpn/delovpncfg.php...
is_js vulnerable to Regular Expression Denial of Service
is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service ReDoS. is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to...
semver vulnerable to Regular Expression Denial of Service
Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service ReDoS via the function new Range, when untrusted user data is provided as a range...
Sqlite-jdbc vulnerable to remote code execution when JDBC url is attacker controlled
Summary Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. Impacted versions : 3.6.14.1-3.41.2.1 References https://github.com/xerial/sqlite-jdbc/releases/tag/3.41.2.2...
Cross-site Scripting (XSS) in DataObject Any Getter grid operator
Impact Stored cross site scripting vulnerability in operator any getter in dataobject grid configuration. Patches Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480.patch Workarounds Apply patch...
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
Summary Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Details Dompdf parses the href attribute of image tags with the following code: src/Image/Cache.php line 135-150 php function $parser, $name,...
Remote code execution in simple-git
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution RCE via the clone, pull, push and listRemote methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of CVE-2022-25912...
ThinkPHP Framework vulnerable to remote code execution
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled langswitchon=true. An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php...
TensorFlow vulnerable to `CHECK` fail in `Save` and `SaveSlices`
Impact If Save or SaveSlices is run over tensors of an unsupported dtype, it results in a CHECK fail that can be used to trigger a denial of service attack. python import tensorflow as tf filename = tf.constant"" tensornames = tf.constant"" Save data = tf.casttf.random.uniformshape=1,...
.NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET 6.0, .NET 5....
Duplicate Advisory: KubeVirt arbitrary host file read from the VM
Duplicate Advisory This advisory is a duplicate of GHSA-qv98-3369-g364. This link is maintained to preserve external references. Original Description Summary As part of a Kubevirt audit performed by NCC group, a finding dealing with systemic lack of path sanitization which leads to a path travers...
Moodle Arbitrary file read when importing lesson questions
The vulnerability was found in Moodle, occurs due to input validation error when importing lesson questions. This insufficient path checks results in arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature...
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc and Extract database functions are subject to SQL injection if untrusted data is used as a kind/lookupname value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected...
BlockWishList SQL Injection vulnerability
Impact An authenticated customer can perform SQL injection Patches Issue is fixed in 2.1.1...
URL Redirection to Untrusted Site ('Open Redirect') in next-auth
Impact We found that this vulnerability is present when the developer is implementing an OAuth 1 provider by extension, it means Twitter, which is the only built-in provider using OAuth 1, but upgrading is still recommended. next-auth v3 users before version 3.29.3 are impacted. We recommend...
Drupal Core Remote Code Execution Vulnerability
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations...
Exposure of Sensitive Information to an Unauthorized Actor in Oracle MySQL Connectors Java
Vulnerability in the MySQL Connectors component of Oracle MySQL subcomponent: Connector/J. Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise...
Improper Authentication in Jenkins Blue Ocean Plugin
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue...