33225 matches found
Reposilite artifacts vulnerable to Stored Cross-site Scripting
Summary Reposilite v3.5.10 is affected by Stored Cross-Site Scripting XSS when displaying artifact's content in the browser. Details As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The...
Pomerium exposed OAuth2 access and ID tokens in user info endpoint response
Impact The Pomerium user info page at /.pomerium unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of an XSS vulnerability in an upstream...
Session Middleware Token Injection Vulnerability
A security vulnerability has been identified in the Fiber session middleware where a user can supply their own sessionid value, leading to the creation of a session with that key. Impact The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability...
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
Summary By combining two vulnerabilities an Open Redirect and session token sent as URL query parameter in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction one click. Impact...
State Guessing Vulnerability in laravel/socialite
laravel/socialite versions prior to 2.0.10 are susceptible to a security vulnerability related to state guessing during OAuth authentication. This vulnerability could potentially lead to session hijacking, allowing attackers to compromise user sessions. The issue has been addressed and fixed in...
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the deleteartifactmlflowartifacts handler and localfileuritopath function, allowing for...
PyMongo Out-of-bounds Read in the bson module
Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the...
Account Takeover via Session Fixation in Zitadel [Bypassing MFA]
Impact ZITADEL uses a cookie to identify the user agent browser and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomai...
Apache Superset: Improper error handling on alerts
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert...
Allegro AI ClearML path traversal vulnerability
A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with...
Local Privilege Escalation in Windows
Impact A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to. A user is affected if all the following are satisfied: The user runs an application containing either...
mockjs vulnerable to Prototype Pollution via the Util.extend function
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolves to the object prototype. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, o...
HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
Summary HtmlUnit 3.8.0 are vulnerable to Remote Code Execution RCE via XSTL, when browsing the attacker’s webpage Details Vulnerability code location: org.htmlunit.activex.javascript.msxml.XSLProcessortransformorg.htmlunit.activex.javascript.msxml.XMLDOMNode The reason for the vulnerability is th...
JWT Algorithm Confusion
Summary The fast-jwt library does not properly prevent JWT algorithm confusion for all public key types. Details The 'publicKeyPemMatcher' in 'fast-jwt/src/crypto.js' does not properly match all common PEM formats for public keys. To exploit this vulnerability, an attacker needs to craft a...
XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action
Impact In XWiki Platform, it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. The reason for this is that the edit action sets the content without modifying the content author. To reproduce: Log in as a...
MTProto proxy remote code execution vulnerability
In the mtprotoproxy aka MTProto proxy component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured default installation without authenticating and achieve remote command execution ability...
plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images
Impact There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this, by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an...
Jetty vulnerable to errant command quoting in CGI Servlet
If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the...
Terraform allows arbitrary file write during the `init` operation
Terraform version 1.0.8 through 1.5.6 allows arbitrary file write during the init operation if run on maliciously crafted Terraform configuration. This vulnerability is fixed in Terraform 1.5.7...
tss-lib leaks secret keys in response to incorrectly constructed Paillier moduli
Impact The specification of the GG18 threshold ECDSA signature protocol contains a vulnerability allowing an attacker to recover the shared secret key. If a participant generates a Paillier modulus N containing small factors less than 2^100 they can interact with other participants in the signing...
libp2p nodes vulnerable to OOM attack
Summary In go-libp2p, by using signed peer records a malicious actor can store an arbitrary amount of data in a remote node’s memory. This memory does not get garbage collected and so the victim can run out of memory and crash. It is feasible to do this at scale. An attacker would have to transfe...
Apache XML Graphics Batik Server-Side Request Forgery vulnerability
Server-Side Request Forgery SSRF vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even...
Angular critical CSS inlining Cross-site Scripting Vulnerability Advisory
Impact Angular Universal applications on 16.1.0 and 16.1.1 using critical CSS inlining are vulnerable to a cross-site scripting XSS attack where an attacker can trick another user into visiting a page which injects malicious JavaScript. Angular CLI applications without Universal do perform critic...
Pygments vulnerable to ReDoS
A ReDoS issue was discovered in pygments/lexers/smithy.py in Pygments until 2.15.0 via SmithyLexer...
RocketMQ NameServer component Code Injection vulnerability
The RocketMQ NameServer component still has a remote command execution vulnerability as the CVE-2023-33246 issue was not completely fixed in version 5.1.1. When NameServer address are leaked on the extranet and lack permission verification, an attacker can exploit this vulnerability by using the...
Microsoft Security Advisory CVE-2023-33127: .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2023-33127: .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update thei...
1Panel vulnerable to command injection when adding container repositories
Impact The authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. 1. Vulnerability analysis. backend\app\api\v1\imagerepo.gocreate backend\app\service\imagerepo.goCheckConn 2. vulnerability reproduction. POST /api/v1/containers/repo...
Rancher Webhook is misconfigured during upgrade process
Impact A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. When the Webhook is operating in a degraded state, it no...
Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact We fixed with CVE-2023-22731 Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list Patches The problem has been fixed with 6.4.20.1 with an improved override...
Snowflake JDBC vulnerable to command injection via SSO URL authentication
Snowflake JDBC driver is vulnerable to command injection vulnerability via SSO URL authentication. The vulnerability was patched on March 17, 2023 as part of Snowflake JDBC driver Version 3.13.29. An attacker could set up a malicious, publicly accessible server which responds to the SSO URL with ...
Jenkins Mashup Portlets Plugin vulnerable to stored cross-site scripting
Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression. This results in a stored cross-site scripting XSS vulnerability exploitable by authenticated attackers with Overall/Read permission...
Apiman vulnerable to permissions bypass due to missing check on API key URL
Impact Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL. The URL includes Organisation ID, Client ID, and Client Version of the targeted non-permitted...
tripleo-ansible may disclose important configuration details from an OpenStack deployment
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information...
Dompdf vulnerable to URI validation failure on SVG parsing
Summary The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing tags with uppercase letters. This might leads to arbitrary object unserialize on PHP tags, in src/Image/Cache.php : if $type === "svg" $parser = xmlparsercreate"utf-8"; xmlparsersetoption$parser,...
Zitadel RefreshToken invalidation vulnerability
Impact RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtai...
CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation
Impact It is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry. Note: because the pod author is in control of the container's /etc/passwd, this is not...
pgadmin4 vulnerable to Code Injection
The pgAdmin server includes an HTTP API that is intended to be used to validate the path a user selects to external PostgreSQL utilities such as pgdump and pgrestore. The utility is executed by the server to determine what PostgreSQL version it is from. Versions of pgAdmin prior to 6.17 failed to...
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
Impact Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The URL...
Twisted vulnerable to NameVirtualHost Host header injection
When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. Example configuration: python from twisted.web.server import Site from...
MySQL JDBC deserialization vulnerability
Impact In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, MysqlConfiguration class don't filter any parameters, directl...
Duplicate Advisory: AWS Redshift JDBC Driver fails to validate class type during object instantiation
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jc69-hjw2-fm86. This link is maintained to preserve external references. Original Description In Amazon AWS Redshift JDBC Driver aka amazon-redshift-jdbc-driver or redshift-jdbc42 before 2.1.0.8, the Object...
TensorFlow vulnerable to `CHECK` fail in `FakeQuantWithMinMaxVarsPerChannel`
Impact If FakeQuantWithMinMaxVarsPerChannel is given min or max tensors of a rank other than one, it results in a CHECK fail that can be used to trigger a denial of service attack. python import tensorflow as tf numbits = 8 narrowrange = False inputs = tf.constant0, shape=4, dtype=tf.float32 min ...
OPA Compiler: Bypass of WithUnsafeBuiltins using "with" keyword to mock functions
Impact The Rego compiler provides a deprecated WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found,...
Deluge Web-UI vulnerable to XSS through a crafted torrent file
The Deluge Web-UI is vulnerable to cross-site scripting through a crafted torrent file. The the data from torrent files is not properly sanitised as it's interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can execute arbitrary Javascript code in the context ...
Undertow vulnerable to memory exhaustion due to buffer leak
Buffer leak on incoming WebSocket PONG messages in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service...
Cross-site Scripting in the Flamingo theme manager
Impact We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet wiki page related to the "newThemeName" form field. Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. Workarounds The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeShe...
Missing validation causes denial of service via `SparseTensorToCSRSparseMatrix`
Impact The implementation of tf.rawops.SparseTensorToCSRSparseMatrix does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack: python import tensorflow as tf indices = tf.constant53, shape=3, dtype=tf.int64 values =...
Remote code execution vulnerability in Jenkins Templating Engine Plugin
Jenkins Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin. This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. Jenkins Templating Engine Plugin 2....
Denial of service in ASP.NET Core
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'...
Keycloak Authentication Error
A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none LDAP anonymous bind, any password, invalid or valid will be accepted...