33227 matches found
RuoYi vulnerable to arbitrary file download
An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server...
Cross-site Scripting in DaSchTour matomo-mediawiki-extension
A vulnerability classified as problematic has been found in DaSchTour matomo-mediawiki-extension up to 2.4.2. This affects an unknown part of the file Piwik.hooks.php of the component Username Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely...
AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it...
Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed
Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in...
ff4j is vulnerable to Remote Code Execution (RCE)
ff4j 1.8.1 is vulnerable to Remote Code Execution RCE. This issue has been patched in version 1.9...
Invalid char to bool conversion when printing a tensor
Impact When printing a tensor, we get it's data as a const char array since that's the underlying storage and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so sanitizers/fuzzers will crash. Patches We have patched the issu...
Unsafe deserialization in Apache MINA SSHD
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD = 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys ...
Container build can leak any path on the host into the container
Description Moby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime formerly Docker EE, and Docker Desktop. Moby allows for building container images using a set of build...
Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL
Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to remote code execution RCE attack when a configuration uses a JMS Source with an unsafe...
parse-server crashes when receiving file download request with invalid byte range
Impact Parse Server crashes when a file download request is received with an invalid byte range. Patches Improved parsing of the range parameter to properly handle invalid range requests. Workarounds None References - GHSA-h423-w6qv-2wj3...
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
A regular expression denial of service ReDoS flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or ta...
Apache Airflow may allow authenticated users who have been deactivated to continue using the UI or API
In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API...
XNIO `notifyReadClosed` method logging message to unexpected end
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk...
Apache Tapestry 5.8.1 vulnerable to ReDoS via Content Types causing catastrophic backtracking
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service ReDoS in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on...
Cross-domain cookie leakage in Guzzle
Impact Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains...
Server-Side Request Forgery in charm
We've discovered a vulnerability in which attackers could forge HTTP requests to manipulate the charm data directory to access or delete anything on the server. This has been patched in https://github.com/charmbracelet/charm/commit/3c90668f955c7ce5ef721e4fc9faee7053232fd3 and is available in...
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Kubernetes Plugin
Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 includes a feature to replace placeholders in pod template and container template fields with environment variable values. This feature allows low-privilege users to access possibly sensitive Jenkins controller environment...
Authorization bypass in Spring Security
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass...
Concurrent Execution using Shared Resource with Improper Synchronization in pyftpdlib
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.2 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected value of None for the address, or ...
CodeIgniter Session Fixation Vulnerability
A Session Fixation issue exists in CodeIgniter before 3.1.10 because session.usestrictmode in the Session Library was mishandled...
JBoss RESTEasy vulnerable to Improper Input Validation
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions...
Improper Authentication in Apache Axis2
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418...
Exposure of Sensitive Information in Apache Tomcat
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle 1 double quote " characters or 2 %5C encoded backslash sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable...
Old sessions not blocked by login enable function in Snipe-IT
Snipe-IT is a FOSS project for asset management in IT Operations. In Snipe-IT versions 5.4.1 and 6.0.0-RC-5 and prior, active sessions are not revoked when a user account is disabled, allowing that user to still access information that they should no longer be able to. Workarounds include using t...
Unrestricted Upload of File with Dangerous Type in Gogs
Impact The malicious user is able to upload a crafted config file into repository's .git directory with to gain SSH access to the server. All installations with repository upload enabled default are affected. Patches Repository file uploads are prohibited to its .git directory. Users should upgra...
Embedded Malicious Code in node-ipc
The package node-ipc versions 10.1.1 and 10.1.2 are vulnerable to embedded malicious code that was introduced by the maintainer. The malicious code was intended to overwrite arbitrary files dependent upon the geo-location of the user IP address. The maintainer removed the malicious code in versio...
containers/image library Insufficiently Protects Credentials
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launc...
Cross-site scripting in @atlaskit/editor-core
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting XSS vulnerability in link targets...
Memory leak in decoding PNG images
Impact When decoding PNG images TensorFlow can produce a memory leak if the image is invalid. After calling png::CommonInitDecode..., &decode, the decode value contains allocated buffers which can only be freed by calling png::CommonFreeDecode&decode. However, several error case in the function...
XML Injection in Crafter CMS Crafter Studio 3.0.1
Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity XXE. An unauthenticated attacker is able to create a site with specially crafted XML that allows the retrieval of OS files out-of-band...
Mustache remote code injection vulnerability
In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strictcallables is true when section value is controllable...
Server-Side Request Forgery in Apache Kylin
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streamingcoordinator/ REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification...
Arbitrary PHP code execution in Drupal
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6, and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code core, contrib, and custom may be performing...
Apache Solr Improper Input Validation and Path Traversal
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB...
Serialization gadgets exploit in jackson-databind
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource...
Cross-site scripting vulnerability in TinyMCE
Impact A cross-site scripting XSS vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content...
Regular Expression Denial of Service in Leo Editor
Leo Editor v6.2.1 was discovered to contain a regular expression denial of service ReDoS vulnerability in the component plugins/importers/dart.py...
Unsafe defaults in `remark-html`
Impact The documentation of remark-html has mentioned that it was safe by default. In practise the default was never safe and had to be opted into. This means arbitrary HTML can be passed through leading to potential XSS attacks. Patches The problem has been patched in 13.0.2 and 14.0.1:...
Path traversal in Grafana Loki
An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that locatio...
Prototype Pollution in object-path
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === 'proto' returns false if currentPath is 'proto'. This is because t...
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in...
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
firefly-iii is vulnerable to Cross-Site Request Forgery CSRF...
SafeCurl before 0.9.2 has a DNS rebinding vulnerability.
SafeCurl before 0.9.2 has a DNS rebinding vulnerability...
XStream is vulnerable to an Arbitrary Code Execution attack
Impact The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required...
Improper Handling of Length Parameter Inconsistency in Apache Ant
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected...
Denial of service in Valine
Valine is a fast, simple & powerful comment system. Valine 1.4.14 allows remote attackers to cause a denial of service application outage by supplying a ua aka User-Agent value that only specifies the product and version...
Missing Authorization in Jenkins S3 publisher Plugin
Jenkins S3 publisher Plugin prior to 0.11.7 and 0.11.5.1 does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to obtain the list of configured profiles. S3 publisher Plugin 0.11.7 and 0.11.5.1 performs permission checks when providing a list ...
Cross-site Scripting (XSS) in baserCMS
Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors...
Uncontrolled Resource Consumption in Pillow
An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could...
Pillow denial of service
An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImageFile lacked a sanity check on the number of input layers relative to the size of the data block. This could lead to a DoS on Image.open prior to Image.load...