33227 matches found
Heap OOB write in TFLite
Impact A specially crafted TFLite model could trigger an OOB write on heap in the TFLite implementation of ArgMin/ArgMax: cc TfLiteIntArray outputdims = TfLiteIntArrayCreateNumDimensionsinput - 1; int j = 0; for int i = 0; i dataj = SizeOfDimensioninput, i; ++j; If axisvalue is not a value betwee...
Stack overflow due to looping TFLite subgraph
Impact TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be replaced by stack overflow due to too many recursive calls. For...
Heap buffer overflow in `MaxPool3DGradGrad`
Impact The implementation of tf.rawops.MaxPool3DGradGrad is vulnerable to a heap buffer overflow: python import tensorflow as tf values = 0.01 11 originput = tf.constantvalues, shape=11, 1, 1, 1, 1, dtype=tf.float32 origoutput = tf.constant0.01, shape=1, 1, 1, 1, 1, dtype=tf.float32 grad =...
Prototype Pollution in deep-override
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution...
Improper Input Validation in Google Closure Library
A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation -- update your library to version v20200315...
Path Traversal in marscode
This affects all versionsup to and including version 1.0.1-0 of package marscode. There is no path sanitization in the path provided at fs.readFile in index.js...
Command injection in bestzip
The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param...
Code injection in mock2easy
This affects all versions up to and including version 0.0.24 of package mock2easy. a malicious user could inject commands through the data variable: Affected Area js require'../server/getJsonByCurl'mock2easy, functionerror, stdout if error return res.json500, error; res.jsonJSON.parsestdout; , ''...
Prototype Pollution in property-expr
The package property-expr before 2.0.3 are vulnerable to Prototype Pollution via the setter function...
Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2 allows attacker to update element property values via crafted synchronization message. - https://vaadin.com/security/cve-2018-25007...
Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7
Unsafe validation RegEx in EmailValidator class in com.vaadin:vaadin-server versions 7.0.0 through 7.7.21 Vaadin 7.0.0 through 7.7.21 allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses. - https://vaadin.com/security/cve-2020-36320...
Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13
Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 Vaadin 10.0.0 through 10.0.13, and 1.1.0 through 1.4.2 Vaadin 11.0.0 through 13.0.5 allows attacker to execute malicious JavaScript via crafted URL. -...
Remote code execution in mongo-express
mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769...
bottle HTTP Request smuggling
The package bottle before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with default...
Insertion of Sensitive Information into Log File, Invocation of Process Using Visible Sensitive Information, and Exposure of Sensitive Information to an Unauthorized Actor in Ansible
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl...
Arbitrary Command Injection in portprocesses
Impact An Arbitrary Command Injection vulnerability was reported in portprocesses impacting versions = 1.0.4. Example Proof of Concept The following example demonstrates the vulnerability and will run touch success therefore creating a file named success. js const portprocesses =...
Chakra Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge HTML-based. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who...
Regular Expression Denial of Service (ReDoS) in Pillow
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS ReDoS attack via a crafted PDF file because of a catastrophic backtracking regex...
Authenticated remote code execution
Impact Authenticated remote code execution using plugin manager without ACL permissions. Patches We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview...
Potential Session Hijacking
Impact Potential session hijacking of store customers. Patches We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6 Workarounds For older...
Steam Socialite Provider v1 does not correctly validate openid server
Impact The outdated version 1 of the Steam Socialite Provider doesn't check properly if the login comes from steamcommunity.com, allowing a malicious actor to substitute their own openID server. Patches This vulnerability only affects the outdated v1.x versions of the package. These are no longer...
Path Traversal in the Java Kubernetes Client
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process...
Hostname spoofing via backslashes in URL
Impact If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash \ character followed by an at @ character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may...
Information Disclosure in Apache Groovy
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the...
datasette-graphql leaks details of the schema of private database files
Impact When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents. Patches Patched in version 1.2. Workarounds This issue is only present if a Datasette instance that includes private databases...
Twig Sandbox Escape by authenticated users with access to editing CMS templates when safemode is enabled.
Impact An authenticated backend user with the cms.managepages, cms.managelayouts, or cms.managepartials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig...
Data corruption in tensorflow-lite
Impact When determining the common dimension size of two tensors, TFLite uses a DCHECK which is no-op outside of debug compilation modes: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/lite/kernels/internal/types.hL437-L442 Since the function...
XSS in Action View
There is a potential Cross-Site Scripting XSS vulnerability in Action View's translation helpers. Views that allow the user to control the default not found value of the t and translate helpers could be susceptible to XSS attacks. Impact When an HTML-unsafe string is passed as the default for a...
Server secret was included in static assets and served to clients
Impact Server JWT signing secret was included in static assets and served to clients. This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface which is unprotected and ALLOWS arbitrary code execution and usually wide-ranging privileges ...
Remote Code Execution in SyliusResourceBundle
Impact Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. The vulnerable versions...
Context isolation bypass via leaked cross-context objects in Electron
Impact Apps using contextIsolation are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Workarounds There are no app-side workarounds, you must update your...
Privilege escalation in mysql-connector-jav
Vulnerability in the MySQL Connectors component of Oracle MySQL subcomponent: Connector/J. Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise...
Arbitrary File Read in Snyk Broker
All versions of snyk-broker before 4.80.0 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal...
Arbitrary File Read in Snyk Broker
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. package.json...
Arbitrary File Read in Snyk Broker
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json...
Improper Input Validation in Symfony
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter...
Information disclosure in the Contao backend
Impact Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them. Patches Update to Contao 4.4.46 or 4.8.6. Workarounds None. References https://contao.org/en/security-advisories/information-disclosure-in-the-back-end For more information If...
Polymorphic Typing in FasterXML jackson-databind
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled either globally or for a specific property for an externally exposed JSON endpoint and the service has the commons-dbcp 1.4 jar in the classpath, and an attacker can find a...
Cross-Site Scripting via JSONP
JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors...
Incorrect Permission Assignment for Critical Resource in Apache hive
In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in HPL/SQL does not veri...
nori contains Improper Input Validation
The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption involving...
Puppet Improper Input Validation vulnerability
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call...
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
Summary The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result ...
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Summary The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Details There is a check in DocTypeReader.js that trie...
PrestaShop cross-site scripting via customer contact form in FO, through file upload
Impact Only PrestaShops with customer-thread feature flag enabled are impacted, starting from PrestaShop 8.1.0. The impact is substantial, when the customer thread feature flag is enabled, through the front-office contact form, a hacker can upload a malicious file containing an XSS that will be...
Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
Impact Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier but not the latest ATX as previous break...
1Panel arbitrary file write vulnerability
Summary There are many command injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. We can use the following mirror configuration write symbol to achieve arbitrary file writing PoC Dockerfile FROM bash:latest COPY...
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
Summary If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true which is the default value, unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches This patch forces isEvalSupported to false, removing...
ThinkPHP Cross-Site Scripting Vulnerability
ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to inadequate filtering of function argument values in thinkexception.tpl...