33268 matches found
Apache XML Security For Java vulnerable to authentication bypass by HMAC truncation
The design of the W3C XML Signature Syntax and Processing XMLDsig recommendation, as implemented in multiple products. The Apache XML Security Java is affected by the vulnerability published in US-Cert VU 466161. See: http://www.kb.cert.org/vuls/id/466161 for more information. This bug can allow ...
ECP SAML binding bypasses authentication flows
Description A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's...
Nokogiri Inefficient Regular Expression Complexity
Summary Nokogiri = 1.13.4. Severity The Nokogiri maintainers have evaluated this as High Severity 7.5 CVSS3.1. References CWE-1333 Inefficient Regular Expression Complexity Credit This vulnerability was reported by HackerOne user oooooooq ななおく...
Command injection in Parse Server through prototype pollution
Impact This is a Remote Code Execution RCE vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file DatabaseController.js, so it is likely to affect...
Arbitrary Code Execution in Docker
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a 1 symlink or 2 hard link attack in an image archive in a a pull or b load operation...
OS Command Injection in strong-nginx-controller
strong-nginx-controller through 1.0.2 is vulnerable to Command Injection. It allows execution of arbitrary command as part of the 'nginxCmd' function...
OS Command Injection in diskusage-ng
diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allows execution of arbitrary commands via the path argument...
Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution...
Exposure of Sensitive Information to an Unauthorized Actor in Moodle
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, and 3.10...
Confused Deputy in Kubernetes
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the lo...
Authentication bypass in Apache Zeppelin
Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions...
HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0
HashiCorp Vault and Vault Enterprise 1.4.0 through 1.7.3 initialized an underlying database file associated with the Integrated Storage feature with excessively broad filesystem permissions. Fixed in Vault and Vault Enterprise 1.8.0...
XStream is vulnerable to an Arbitrary Code Execution attack
Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required...
Improper Handling of Exceptional Conditions in Apache Tomcat
A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once ...
XML External Entity Reference in Glances
The package glances before 3.2.1 are vulnerable to XML External Entity XXE Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks...
Code injection in topthink/think
A remote code execution RCE vulnerability in /library/think/App.php of Twothink v2.0 allows attackers to execute arbitrary PHP code...
Insufficient Session Expiration and TOCTOU Race Condition in OPC FOundation UA .Net Standard
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard 1.04.358.30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results fr...
Prototype Pollution in GraphHopper
This affects the package com.graphhopper:graphhopper-web-bundle before 3.2, from 4.0-pre1 and before 4.0. The URL parser could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload...
Out-of-bounds write in ChakraCore
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0768, CVE-2020-0823, CVE-2020-0825, CVE-2020-0826, CVE-2020-0827,...
Missing Authorization in TYPO3 extension
The directmail extension through 5.2.3 for TYPO3 allows Information Disclosure via a newsletter subscriber data Special Query...
Cross site scripting in the system log
Impact It is possible to inject code into the tllog table that will be executed in the browser when the system log is called in the back end. Patches Update to Contao 4.9.16 or 4.11.5. Workarounds Disable the system log module in the back end for all users especially admin users. References...
Improper network isolation in Hashicorp Nomad
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1...
Control character injection in console output in github.com/ipfs/go-ipfs
Impact Control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. Patches - Patched via https://github.com/ipfs/go-ipfs/pull/7831 in v0.8.0 For more information If you have any questions...
Prototype pollution in safe-obj
Prototype pollution vulnerability in 'safe-obj' versions 1.0.0 through 1.0.2 allows an attacker to cause a denial of service and may lead to remote code execution...
Improper Restriction of Recursive Entity References in Apache XMLBeans
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0...
CSRF vulnerability in Jenkins Xray - Test Management for Jira Plugin allows capturing credentials
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified...
Command injection in Apache Unomi
Apache Unomi prior to version 1.5.5 allows CRLF log injection because of the lack of escaping in the log statements...
Cross-site scripting in RESTEasy
A cross-site scripting XSS flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack...
Improper certificate validation in em-imap
em-imap 0.5 and earlier use the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified...
Redirect URL matching ignores character casing
Impact Before version v0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared using strings.ToLower while they should have been compared with a simple string match: 1. Registering a client with allowed redirect URL...
Privilege escalation in rbac
Impact Using a carefully crafted request or malicious proxy, a user with UserWrite permissions could create another user with higher privileges than their own due to insufficient checks on the allowed set of permissions. The event would be captured in the Event Log. Patches The issue has been fix...
gopkg.in/macaron.v1 Open Redirect vulnerability
macaron before 1.3.7 has an open redirect in the static handler. Due to improper request santization, a specifically crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks...
Go JOSE Signature Validation Bypass
Go JOSE before 1.1.0 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the...
SQL Injection in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform...
Lack of protection against cookie tossing attacks in fastify-csrf
Impact Users that used fastify-csrf with the "double submit" mechanism using cookies with an application deployed across multiple subdomains, e.g. "heroku"-style platform as a service. Patches Version 3.1.0 of the fastify-csrf fixes it. See https://github.com/fastify/fastify-csrf/pull/51 and...
Regular expression denial of service in npm-user-validate
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters...
Flask-Cors Directory Traversal vulnerability
An issue was discovered in Flask-CORS aka CORS Middleware for Flask before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...
Prototype Pollution in nodee-utils
All versions of package nodee-utils below version 1.2.3 are vulnerable to Prototype Pollution via the deepSet function...
Cross-site Scripting in GwtUpload
The file-upload feature in GwtUpload 1.0.3 allows XSS via a crafted filename...
Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport
An unintended require and server-side request forgery vulnerabilities in jsreport version 2.5.0 and earlier allow attackers to execute arbitrary code...
OS Command Injection in enpeem
enpeem through 2.2.0 allows execution of arbitrary commands. The "options.dir" argument is provided to the "exec" function without any sanitization...
Code injection in port-killer
This affects all versions of package port-killer. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization. Running this PoC will cause the command touch success to be...
Misuse of `Reference` and other transferable APIs may lead to access to nodejs isolate
Versions of isolated-vm before v4.0.0, and especially before v3.0.0, have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an...
Netflix/Priam: Temporary Directory Information Disclosure
Impact When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain...
Out-of-bounds write
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1307, CVE-2019-1308, CVE-2019-1366...
Out of bounds read in Pillow
An issue was discovered in Pillow before 8.1.1. There is an out-of-bounds read in SGIRleDecode.c...
Vulnerability allowing for reading internal HTTP resources
Impact The vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web-resources. The impa...
Command Injection in @graphql-tools/git-loader
This affects the package @graphql-tools/git-loader before 6.2.6. The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection...
Deserialization of untrusted data in jackson-databind
A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
Mautic users able to download any files from server using filemanager
Impact Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authorized Mautic user session must be logged into Mautic to use the Filemanager to download any file from the server that the web user has access to. Patches Update to 2.12.0 or later. Workarounds None For more information If y...