33227 matches found
Privilege Escalation in HashiCorp Consul
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6...
Gila CMS SQL Injection vulnerability
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the 'userid' parameter after the login portal...
Authorization bypass in Quarkus
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...
Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/permanent-redirect annotation on an Ingress object in the networking.k8s.io or extensions API group can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx controller. In the...
Apache Tomcat Improper Input Validation vulnerability
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomc...
NI MeasurementLink Python Services Improper Access Restriction vulnerability
Impact An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python usin...
Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled
Impact A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. sandbox: false and contextIsolation: false in the webPreferences...
Apache RocketMQ may have remote code execution vulnerability when using update configuration function
For RocketMQ versions 5.1.0 and below, under certain conditions, there is a risk of remote command execution. Several components of RocketMQ, including NameServer, Broker, and Controller, are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by...
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template
Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alertdocument.domain Th...
php-imap vulnerable to RCE through a directory traversal vulnerability
Summary An unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability which results in a remote code execution vulnerability. Details An attacker can send an email with a malicious attachment to the inbox, which gets crawled with webklex/php-im...
Malware in pre-build binaries of bignum
Impact bignum releases from v0.12.2 to v0.13.0 inclusive used node-pre-gyp to optionally download pre-built binary versions of the addon. These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malwa...
Mailman Core vulnerable to timing attacks
An issue was discovered in Mailman Core before 3.3.5. An attacker with access to the REST API could use timing attacks to determine the value of the configured REST API password and then make arbitrary REST API calls. The REST API is bound to localhost by default, limiting the ability for attacke...
Interactive `run` permission prompt spoofing via improper ANSI neutralization
Summary Arbitrary program names without any ANSI filtering allows any malicious program to clear the first 2 lines of a opspawnchild or opkill prompt and replace it with any desired text. Details The main entry point comes down to the ability to override what the API control says 40process.js...
Users with any cluster secret update access may update out-of-bounds cluster secrets
Impact All Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges potentially controlling...
openssl-src vulnerable to Use-after-free following `BIO_new_NDEF`
The public API function BIOnewNDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the...
openssl-src contains Read Buffer Overflow in X.509 Name Constraint
A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate...
Deserialization of Untrusted Data in thinkphp
thinkphp 6.0.06.0.13 and 6.1.06.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload...
Exposure of Sensitive Information in EVE-SRP
A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the component User Information Handler. The manipulation leads to information disclosure. The attack may ...
Dromara hutool vulnerable to SQL Injection
SQL Inection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine...
a12nserver vulnerable to potential SQL Injections via Knex dependency
Impact Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs. If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 Access Tokens for users unrelated to those that permitted OAuth2 clients. Patches The knex...
.NET Core Elevation of Privilege Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 5.0,...
etcd has no minimum password length
Vulnerability type Access Control Workarounds The etcdctl and etcd API do not enforce a specific password length during user creation or user password update operations. It is the responsibility of the administrator to enforce these requirements. Detail etcd does not perform any password length...
TensorFlow vulnerable to `CHECK` fail in `MaxPool`
Impact When MaxPool receives a window size input array ksize with dimensions greater than its input tensor input, the GPU kernel gives a CHECK fail that can be used to trigger a denial of service attack. python import tensorflow as tf import numpy as np input = np.ones1, 1, 1, 1 ksize = 1, 1, 2, ...
NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
Impact next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.: [email protected],[email protected] to the sign-in endpoint, NextAuth.js would send emails to...
Regular expression denial of service in scss-tokenizer
All versions of the package scss-tokenizer prior to 0.4.3 are vulnerable to Regular Expression Denial of Service ReDoS via the loadAnnotation function, due to the usage of insecure regex...
Security Update for the OPC UA .NET Standard Stack
A vulnerability was discovered in OPC UA .NET Standard Stack that allows a malicious client or server to cause a peer to hang with a carefully crafted message sent during secure channel creation...
XML External Entity Reference in drools
drools =7.59.x is affected by an XML External Entity XXE vulnerability in KieModuleMarshaller.java. The Validator class is not used correctly, resulting in the XXE injection vulnerability...
Mechanize before v2.8.5 vulnerable to authorization header leak on port redirect
Summary Mechanize rubygem Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a...
Regular expression denial of service in devcert
An exponential ReDoS Regular Expression Denial of Service can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method...
Server-Side Request Forgery in charm
We've discovered a vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched in https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef721e4fc9faee7053232fd3 and is available in...
qcubed PHP object injection
A PHP object injection bug in profile.php in qcubed all versions including 3.1.1 unserializes the untrusted data of the POST-variable "strProfileData" and allows an unauthenticated attacker to execute code via a crafted POST request...
Remote code execution in Microsoft.WindowsDesktop.App.Ref
A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file.An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'...
Jenkins Dynatrace Plugin vulnerable to Insufficiently Protected Credentials
Jenkins Dynatrace Application Monitoring Plugin prior to 2.1.4 stores credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system. NOTE: This plugin is marked as DEPRECATED...
ZendXml and Zend Framework contain XXE and XEE Vulnerabilities
The ZendXmlSecurity::scan in ZendXml before 1.0.1 and Zend Framework before 1.12.14, 2.x before 2.4.6, and 2.5.x before 2.5.2, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity XXE and XML entity expansion XEE...
Apache NiFi JMS Deserialization issue
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release...
Arbitrary code execution in Apache Struts 2
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "$" and "%" sequences, which causes the OGNL code to be evaluated twice...
Injection in Jolokia agent
A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server...
Integer Overflow or Wraparound in Apache Tomcat
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service resource consumption via a malformed chunk size in chunke...
Missing Authentication for Critical Function in Apache Cassandra
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in...
RubyGems may allow a maliciously crafted gem to overwrite files
RubyGems versions 2.6.12 and earlier fail to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem...
JSON-Patch Out-of-bounds Write vulnerability
An out of bound write can occur when patching an Openshift object using the oc patch functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the Openshift master api service which provides cluster management...
Code injection in Apache Struts
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within...
Cross-Site Request Forgery in Spring Framework
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML Extern...
Disputed: OS Command injection in github.com/kardianos/service
servicewindows.go in the kardianos service package for Go omits quoting that is sometimes needed for execution of a Windows service executable from the intended directory. The validity of this vulnerability has been questioned and the reporter has requested that the CVE be disputed...
Improper Neutralization of Formula Elements in a CSV File in Gradio Flagging
Impact The gradio library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS Excel opens such a file, then it automatically runs these...
Improper Authentication in FreeTAKServer
FreeTAKServer is an open source, lightweight Server for connect TAK clients. An access control issue in the component /ManageRoute/postRoute of FreeTAKServer version 1.9.8 allows unauthenticated attackers to cause a Denial of Service DoS via an unusually large amount of created routes, or create...
Possible code injection vulnerability in Rails / Active Storage
The Active Storage module of Rails starting with version 5.2.0 is possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or...
Cross-Site Request Forgery in xwiki-platform
Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which usernames is actually tight to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those...
OS Command Injection and Command Injection in kill-port-process
The kill-port-process package prior to version 2.2.0 is vulnerable to a Command Injection...
Data Amplification in Play Framework
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON...