33254 matches found
Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
The basic-ftp library contains a path traversal vulnerability in the downloadToDir method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ../ that cause files to be written outside the intended download directory. Source-to-Sink Flow 1. SOURC...
Information Disclosure via Flags override link
Summary An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted flags ≤3.2.0 and @vercel/flags ≤3.1.1 and in certain circumstances, allowed a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint...
Fast-JWT Improperly Validates iss Claims
Summary The fast-jwt library does not properly validate the iss claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519page-9. Details The iss issuer claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a potential...
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption. To demonstrate...
The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames
Summary The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. Details When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the allowedCredentials property i...
RailsAdmin Cross-site Scripting vulnerability in the list view
Impact RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. The issue was originally reported in https://github.com/railsadminteam/railsadmin/issues/3686. Patches Upgrade to 3.1.4. The vulnerability itself was patched in 3.1.3 but it has a functionali...
wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
There is a cross-site scripting XSS issue in wangEditor via the image upload function in version 4.7.11. This issue has been fixed in version 4.7.12...
Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
Impact There is a vulnerability in GO managing malformed DNS message, which impacts Traefik. This vulnerability could be exploited to cause a denial of service. References - CVE-2024-24788 Patches - https://github.com/traefik/traefik/releases/tag/v2.11.3 -...
Next.js Vulnerable to HTTP Request Smuggling
Impact Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to...
Deno permission escalation vulnerability via open of privileged files with missing `--deny` flag
The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading /proc/self/environ may provide access equivalent to --allow-env, and writing /proc/self/mem may provide access equivalent t...
otelgrpc DoS vulnerability due to unbound cardinality metrics
Summary The grpc Unary Server Interceptor opentelemetry-go-contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go // UnaryServerInterceptor returns a grpc.UnaryServerInterceptor suitable // for use in a grpc.NewServer call. func UnaryServerInterceptoropts ...Option...
Authorization Header forwarded on redirect
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect i.e., a redirect that differs in host, port, or scheme. This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this...
Remote Denial of Service Vulnerability in Microsoft.Native.Quic.MsQuic.Schannel
Impact The MsQuic server application or process will crash, resulting in a denial of service. Patches The following patch was made: - Don't Allow Version Negotiation Packets for Server Connections - https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343 Workarounds...
Jetty accepts "+" prefixed value in Content-Length
Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smugglin...
Microsoft Security Advisory CVE-2023-36794: .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2023-36794: .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update thei...
Electron context isolation bypass via nested unserializable return value
Impact Apps using contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Workarounds This issue is exploitable under eithe...
Golang TIFF decoder does not place a limit on the size of compressed tile data
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image both in terms of pixel width/height, and encoded size to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU...
Spring Security's authorization rules can be misconfigured when using multiple servlets
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
Apache Tomcat - Fix for CVE-2023-24998 was incomplete
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded...
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients
When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients...
Access bypass in Drupal core
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...
vm2 Sandbox Escape vulnerability
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException which can be used to escape the sandbox and run arbitrary code in host context. Impact A threat actor can bypass the sandbox...
otelhttp and otelbeego have DoS vulnerability for high cardinality metrics
Impact The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength, http.server.responsecontentlength, and http.server.duration instruments. The ServerRequest...
openssl-src subject to Timing Oracle in RSA Decryption
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages fo...
Switcher Client contains Regular Expression Denial of Service (ReDoS)
Impact Unsanitized input flows into Strategy match operation EXIST, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack reDOS. Patches Patched in 3.1.4 Workarounds Avoid using Strategy settings that use REGEX in conjunction with EXIST a...
Component takeover in Oracle Data Provider for .NET
Vulnerability in the Oracle Data Provider for .NET component of Oracle Database Server. Supported versions that are affected are 19c and 21c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TCPS to compromise Oracle Data Provider for .NET. Successful...
Code injection in ruby git
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648...
Keycloak vulnerable to path traversal via double URL encoding
Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks...
October CMS Safe Mode bypass leads to authenticated Remote Code Execution
Impact This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode cms.safemode...
d3-color vulnerable to ReDoS
The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds...
rdiffweb Cross-Site Request Forgery vulnerability can lead to user email ID being changed
rdiffwen prior to version 2.4.7 is vulnerable to Cross-Site Request Forgery CSRF. An attacker can change a user's email ID. Version 2.4.7 has a fix for this issue...
JOSE vulnerable to resource exhaustion via specifically crafted JWE
The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named p2c PBES2 Count, which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. The purpose of this parameter is to intentionally slow down the key derivation function in order...
graphql-go has infinite recursion in the type definition parser
graphql-go aka GraphQL for Go through 0.8.0 has infinite recursion in the type definition parser...
Moodle vulnerable to RCE
A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remo...
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. Thi...
Tampering vulnerability in .NET Core
A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1...
Insufficient Verification of Data Authenticity in Async Http Client
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client aka AHC or async-http-client before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate...
Authentication Bypass Using an Alternate Path or Channel in Apache Tomcat
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Tomcat
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename...
Cross-site scripting (XSS) vulnerability in CakePHP
Cross-site scripting XSS vulnerability in cake/libs/error.php in CakePHP before 1.1.7.3363 allows remote attackers to inject arbitrary web script or HTML via the URL, which is reflected back in a 404 "Not Found" error page. NOTE: some of these details are obtained from third party information...
Apache Geronimo console 1.0 vulnerable to cross-site scripting
Multiple cross-site scripting XSS vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the 1 time parameter to cal2.jsp and 2 any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer. Version 1.1 contai...
Command Injection Vulnerability with Mercurial in VCS
URLs and local file paths passed to the Mercurial hg APIs that are specially crafted can contain commands which are executed by Mercurial if it is installed on the host operating system. The vcs package uses the underly version control system, in this case hg, to implement the needed functionalit...
Leading white space bypasses protocol validation
Impact Whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly and protocol validation mechanisms may fail. Patches Patched in 1.19.9 Workarounds Remove leading whitespace from values before passing them to URI.parse e.g. via .hrefvalue or new...
Multiple security issues in Pomerium's embedded envoy
Envoy, which Pomerium is based on, has issued multiple CVEs impacting stability and security. Though Pomerium may not be vulnerable to all of the issues, it is recommended that all users upgrade to Pomerium v0.16.4 as soon as possible to minimize risk. Impact - Possible DoS or crash - Resources...
Zip slip directory exploit in github.com/deislabs/oras
Impact The directory support 55 allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting...
OS Command Injection in Laravel Framework
OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework before 5.8.17...
Vulnerable dependency in XTDB connector
Impact The impacted portion of the XTDB connector is its connectivity to S3 as a backing store: this is the only portion of the connector that uses this vulnerable httpclient dependency. Per the description, the vulnerability regards URIs that may be misinterpreted, which given the area of impact...
Unsafe Deserialization that can Result in Code Execution
JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data...
Overflow/crash in `tf.tile` when tiling tensor is large
Impact If tf.tile is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. python import tensorflow as tf import numpy as np tf.keras.backend.tilex=np.ones1,1,1, n=100000000,100000000, 100000000 The number of elements in the output...
Cross-site Scripting in bootstrap-table
This affects all versions of package bootstrap-table. A type confusion vulnerability can lead to a bypass of input sanitization when the input provided to the escapeHTML function is an array instead of a string even if the escape attribute is set...