33227 matches found
Nokogiri subject to DoS via libxml2 vulnerability
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 as used in nokogiri before 1.6.7.1 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service CPU consumption via crafted XML data, a different vulnerability than...
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via proto causing the addition or modification of an existing property that will exist on al...
Regular Expression Denial of Service in parsejson
Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input. Recommendation The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in...
actionpack vulnerable to Cross-site Scripting
Cross-site scripting XSS vulnerability in the numbertocurrency helper in actionpack/lib/actionview/helpers/numberhelper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter...
Rails vulnerable to Cross-site Scripting
There is an XSS vulnerability in the numbertocurrency, numbertopercentage and numbertohuman helpers in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0081. Versions Affected: All. Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17. Impact ------ These helpers allows users...
BRCC Incorrect Access Control vulnerability
Incorrect access control in the /admin/ API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request...
Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
Summary field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields. Specifically, when a mutation includes a where clause with multiple...
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
Summary A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF Server-Side Request Forgery. Reference: axios/axios6463 A similar problem that occurs when passing absolute URLs rather than protocol-relative URLs to axios has been identified. Even if...
IBC-Go has Non-deterministic JSON Unmarshalling of IBC Acknowledgement
Name: ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt Component: IBC-Go Criticality: Critical Considerable Impact; Almost Certain Likelihood per ACMv1.2 Affected versions: IBC-Go = v7; Earlier IBC-Go versions may also be affected. Affected user...
Bitbucket Server Integration Plugin allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication. In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 both inclusi...
DotNetZip Directory Traversal vulnerability
Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component...
Symfony vulnerable to command execution hijack on Windows with Process class
Description On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking. Resolution The Process class now uses the absolute path to cmd.exe. The patch for this...
Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgra...
SAML authentication bypass via Incorrect XPath selector
Ruby-SAML in = 12.2 and 1.13.0 = 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrar...
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security...
TYPO3 vulnerable to Cross-Site Scripting in the ShowImageController
Problem Failing to properly encode user-controlled values in file entities, the ShowImageController eID txcmsshowpic is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user account with access to file entities. Solution Update to TYPO3 versions 9.5.48...
Genie Path Traversal vulnerability via File Uploads
Overview Path Traversal Vulnerability via File Uploads in Genie Impact Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted. Using this technique, it is possible to write a file with any...
Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete all of your recordings or perform any other action. If you have configured authentication in front of Frigate via a reverse proxy, then this vulnerabilit...
sqlparse parsing heavily nested list leads to Denial of Service
Summary Passing a heavily nested list to sqlparse.parse leads to a Denial of Service due to RecursionError. Details + PoC Running the following code will raise Maximum recursion limit exceeded exception: py import sqlparse sqlparse.parse'' 10000 + '' 10000 We expect a traceback of RecursionError:...
XWiki Platform: Remote code execution as guest via DatabaseSearch
Impact XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and...
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
Impact If an attacker can alter the integrity option passed to fetch, they can let fetch accept requests as valid even if they have been tampered. Patches Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1...
Black vulnerable to Regular Expression Denial of Service (ReDoS)
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service ReDoS via the lineswithleadingtabsexpanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting thi...
Apache Axis Improper Input Validation vulnerability
UNSUPPORTED WHEN ASSIGNED Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF. This issue affects Apache Axis through 1.3. As Axis 1 has been EOL, we recommend you migrate to a different SOAP engine, such as Apache Axis...
aiohttp's ClientSession is vulnerable to CRLF injection via method
Summary Improper validation makes it possible for an attacker to modify the HTTP request e.g. insert a new header or even create a new HTTP request if the attacker controls the HTTP method. Details The vulnerability occurs only if the attacker can control the HTTP method GET, POST etc. of the...
Remote Code Execution due to Full Controled File Write in mlflow
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vulnerability allows to write / overwrite any file on the file system, it gives a lot of ways to archive code execution like overwriting /home//.bashrc. ...
Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task
Introduction This write-up describes a vulnerability found in Label Studio, a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.9.2post0 and was tested on version 1.8.2. Overview In all current versions of Label Studio, the application allow...
Moodle Cross-site Scripting vulnerability
Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk...
Mattermost password hash disclosure vulnerability
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body...
Cosmos packet-forward-middleware vulnerable to chain-halt
The Cosmos SDK is used for Inter-Blockchain Communication Protocol IBC applications and middleware. The packet-forward-middleware module is an IBC middleware module built for Cosmos blockchains utilizing the IBC protocol allowing routing of incoming IBC packets from a source chain to a destinatio...
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF...
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions
Impact The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service DoS type vulnerability which causes the Router to panic and terminate when a multi-part respons...
Apache Tomcat Incomplete Cleanup vulnerability
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recyclin...
Microsoft Security Advisory CVE-2023-36793: .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2023-36793: .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update thei...
LangChain vulnerable to arbitrary code execution
An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool.run component...
Decidim Cross-site Scripting vulnerability in the processes filter
Impact The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of...
Decidim vulnerable to sensitive data disclosure
Note: added the actual report as a comment. Summary Decidim, a platform for digital citizen participation, uses a third-party library named Ransack for filtering certain database collections e.g., public meetings. By default, this library allows filtering on all data attributes and associations...
llhttp vulnerable to HTTP request smuggling
The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling HRS. The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...
Langchain OS Command Injection vulnerability
Langchain before v0.0.225 was discovered to contain a remote code execution RCE vulnerability in the component JiraAPIWrapper aka the JIRA API wrapper. This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference, a fix is available...
GeoServer RCE due to improper control of generation of code in jai-ext`Jiffle` map algebra language
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime.exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. RCE in Jiffle The Jiffle map algebra language, provided by jai-ext, allows efficient...
unpoly-rails Denial of Service vulnerability
There is a possible Denial of Service DoS vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications. Impact This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks. The unpoly-rails gem...
google.golang.org/protobuf vulnerable to panic leading to denial of service
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic...
Missing proper state, nonce and PKCE checks for OAuth authentication
Impact next-auth applications using OAuth provider versions before v4.20.1 are affected. A bad actor who can spy on the victim's network or able to social engineer the victim to click a manipulated login link could intercept and tamper with the authorization URL to log in as the victim, bypassing...
Path Traversal In Eclipse GlassFish
In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed...
mercurius has Uncaught Exception when using subscriptions
Impact Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to /graphql. Patches This was patched in https://github.com/mercurius-js/mercurius/pull/940. The patch was released as v11.5.0 and v8.13.2. Workarounds...
hutool-json stack overflow vulnerability
A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service DoS via crafted JSON or XML data...
XSS via uploaded gpx file
A malicious content author could upload a GPX file with a Javascript payload. The payload could then be executed by luring a legitimate user to view the file in a browser with support for GPX files. GPX is an XML-based format used to store GPS data. By default, Silverstripe CMS will no longer all...
Insufficient validation when decoding a Socket.IO packet
Due to improper type validation in the socket.io-parser library which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets, it is possible to overwrite the placeholder object which allows an attacker to place references to functions at arbitrary places in...
.NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0, and .NET CORE 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a Denial of Service...
SIF's Digital Signature Hash Algorithms Not Validated
Impact The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithms used are cryptographically secure when verifying digital signatures. Patches A patch is available in version = v2.8.1 of the module. Users are encouraged to upgrade. The patch is commit...
Hyperledger indy-node vulnerable to denial of service
Impact An attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose. The ledger content will not be impacted by the attack, and the ledger will...