33122 matches found
Command Injection in marsdb
All versions of marsdb are vulnerable to Command Injection. In the DocumentMatcher class, selectors on $where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed. Recommendation No fix is currently...
Spring MVC controller vulnerable to a DoS attack
Spring MVC controller methods with an @RequestBody byte method parameter are vulnerable to a DoS attack...
Prototype pollution in grpc and @grpc/grpc-js
"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition."...
Open redirects on some federation and push requests
Impact Requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the...
logback serialization vulnerability
A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html...
Clipboard-based DOM-XSS
Impact A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown library. If the clipboard data contains the string , a div is dynamically created, and the clipboard content is copied into its innerHTML property without any sanitization, resulting in improper execution of...
JMESPath for Ruby uses unsafe JSON.load when safe JSON.parse is preferable
jmespath.rb aka JMESPath for Ruby before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable...
Improper handling of case sensitivity in Spring Framework
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the fiel...
HTTP Request Smuggling in Netty
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header...
Vite: `server.fs.deny` bypassed with queries
Summary The contents of files that are specified by server.fs.deny can be returned to the browser. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file exists in th...
Withdrawn Advisory: NULL Pointer Dereference in Protocol Buffers
Withdrawn Advisory This advisory has been withdrawn because the protobuf vulnerability comes from the compiler rather that the code. This link is maintained to preserve external references. Original Description Nullptr dereference when a null char is present in a proto symbol. The symbol is parse...
Arbitrary expression injection in Pillow
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method ImageMath.eval"execexit". While Pillow 9.0.0 restricted top-level builtins available to PIL.ImageMath.eval, it did not prevent builtins available to lambda expression...
`aiohttp` Open Redirect vulnerability (`normalize_path_middleware` middleware)
Impact Open redirect vulnerability — a maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.webmiddlewares.normalizepathmiddleware middleware. Patches This security problem has been fixed in v3.7.4. Upgrade...
Dynamic modification of RPyC service due to missing security check
Impact Version 4.1.0 of RPyC has a vulnerability that affects custom RPyC services making it susceptible to authenticated remote attacks. Patches Git commits between September 2018 and October 2019 and version 4.1.0 are vulnerable. Use a version of RPyC that is not affected. Workarounds The commi...
SQLAlchemy vulnerable to SQL Injection via order_by parameter
SQLAlchemy before 1.3.0b3 allows SQL Injection via the orderby parameter. The fix commit 30307c4 was applied only to the main branch and was never backported to the 1.2.x release line; all 1.2.x versions remain vulnerable...
body-parser vulnerable to denial of service when url encoding is enabled
Impact body-parser 1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. Patches this issue is patched in 1.20.3 References...
tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271)
Summary The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. Details The changed-files action returns a list of files changed in a commit or pull request which provides an escapejson...
Cross-site scripting (XSS) from field and configuration text displayed in the Panel
On Saturday, @hdodov reported that the Panel's ListItem component used in the pages and files section for example displayed HTML in page titles as it is. This could be used for cross-site scripting XSS attacks. We used his report as an opportunity to find and fix XSS issues related to dynamic sit...
HTTP Request Smuggling in Netty
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace such as a spaceTransfer-Encoding:chunked line and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869...
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via constructor: prototype: ... causing the addition or modification of an existing property that will exist on all objects. Recommendation...
SQL Injection in Log4j 1.2.x
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings...
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender...
iFrames Bypass Origin Checks for Tauri API Access Control
Impact Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent...
Improper Input Validation in pip
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1...
Reflected XSS when using flashMessages or languageDictionary
Overview Versions before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's - flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage. - languageDictionary feature is utilized a...
Cross-Site Scripting in Content Preview (CType menu)
Problem It has been discovered that content elements of type menu are vulnerable to cross-site scripting when their referenced items get previewed in the page module. A valid backend user account is needed to exploit this vulnerability. Solution Update to TYPO3 versions 7.6.51, 8.7.40, 9.5.25,...
avo vulnerable to stored cross-site scripting (XSS) in key_value field
Summary A stored cross-site scripting XSS vulnerability was found in the keyvalue field of Avo v3.2.3. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. Details The value of the keyvalue is inserted directly into the HTML code. In the current...
Unrestricted File Upload in Form Framework
Problem Due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default fileDenyPattern successfully blocked files like .htaccess or malicious.php. TYPO3 Extbase extensions, which implement ...
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
Summary Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8. libxml2 v2.13.8 addresses: - CVE-2025-32414 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 - CVE-2025-32415 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 Impact CVE-2025-32414: No impact ...
Gerapy may cause remote code execution
Impact projectconfigure function exist remote code execute in Gerapy 0.9.8 Patches Patched in version 0.9.8, please install with: pip3 install -U gerapy...
Uncontrolled Resource Consumption in trim-newlines
@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service ReDoS for the .end method...
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
PostCSS: XSS via Unescaped in CSS Stringify Output Summary PostCSS v8.5.5 latest does not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS values breaks out of the style context, enabling XSS. Proof of Concept...
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it...
Traefik vulnerable to HTTP/2 request causing denial of service
Impact A vulnerability CVE-2023-39325 exists in Go managing HTTP/2 requests, which impacts Traefik. This vulnerability could be exploited to cause a denial of service. References - CVE-2023-44487 - CVE-2023-39325 Patches - https://github.com/traefik/traefik/releases/tag/v2.10.5 -...
Sandbox Bypass in Apache Velocity Engine
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache...
Apache Log4j Remote Code Execution
Impact Opencast uses an Apache Log4j2 version which, combined with older JDK versions, can be used for remote code execution attacks which have been found to be actively exploited. Apache Log4j2 =2.14.1 JNDI features is not sufficiently protected. An attacker who can control log messages or log...
Remote Code Execution Vulnerability in Session Storage
Impact A malicious attacker can achieve Remote Code Execution RCE via a maliciously crafted Java deserialization gadget chain leveraged against the Ratpack session store. If your application does not use Ratpack's session mechanism, it is not vulnerable. Details Attackers with the ability to writ...
Withdrawn: Arbitrary code execution in lodash
Withdrawn GitHub has chosen to publish this CVE as a withdrawn advisory due to it not being a security issue. See this issue for more details. CVE description " DISPUTED A command injection vulnerability in Lodash 4.17.21 allows attackers to achieve arbitrary code execution via the template...
ReDoS Vulnerability in ua-parser-js version
Description: A regular expression denial of service ReDoS vulnerability has been discovered in ua-parser-js. Impact: This vulnerability bypass the library's MAXLENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to g...
.NET Information Disclosure Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET, .NET Core and .NET Framework's System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. A vulnerability exists in System.Data.SqlClient and Microsoft.Data.SqlClient libraries where a...
Passing in a non-string 'html' argument can lead to unsanitized output
A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. Impact XS...
Out-of-Memory Error in Bouncy Castle Crypto
The ASN.1 parser in Bouncy Castle Crypto aka BC Java 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64...
Duplicate Advisory: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7x4w-cj9r-h4v9. This link is maintained to preserve external references. Original Description The actions defined inside of the MediaController class do not check whether a given path is inside a certain path e....
Authentication Bypass in keycloak
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application...
SQL Injection and Cross-site Scripting in class-validator
In TypeStack class-validator, validate input validation can be bypassed because certain internal attributes can be overwritten via a conflicting name. Even though there is an optional forbidUnknownValues parameter that can be used to reduce the risk of this bypass, this option is not documented a...
Xnx3 Wangmarket Cross-Site Scripting vulnerability
A vulnerability was found in xnx3 wangmarket 6.1. It has been rated as critical. Affected by this issue is some unknown functionality of the component Role Management Page. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public...
Cross-Site Scripting in serialize-to-js
Versions of serialize-to-js prior to 3.0.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications. Recommendation Upgrade to version 3.0.1 or later...
2FA bypass in Wagtail through new device path
2FA bypass through new device path Impact If someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. Patches This problem has been patched in version 1.3.0...
Context isolation bypass in Electron
Impact Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nativeWindowOpen: true are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context an...
HTTP Request Smuggling: LF vs CRLF handling in Waitress
Impact Waitress implemented a "MAY" part of the RFC7230 https://tools.ietf.org/html/rfc7230section-3.5 which states: Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR...