33123 matches found
JSZip contains Path Traversal via loadAsync
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive...
ASP.NET Core Information Disclosure Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0, .NET Core 3.1 and .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An information disclosure vulnerabilit...
containerd-shim API Exposed to Host Network Containers
Impact Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID...
Memory leak in Nanopb
Impact Decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern wh...
HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10...
Server-side request forgery (SSRF) in Apache Batik
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests...
Incorrect Regular Expression in RestSharp
RestSharp 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service ReDoS when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus...
Denial of Service in Action Dispatch
Impact ------ There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine. Releases -------- The fixed releases are available at the norm...
XSS in TinyMCE
Impact A cross-site scripting XSS vulnerability was discovered in: the core parser and media plugin. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE...
Gogs Vulnerable to 2FA Bypass via Recovery Code
Contact OpenAI Security Research at [email protected] to engage on this report. See PDF report for easier reading. Security Advisory: 2FA Bypass via Recovery Code Vulnerability Type: 2FA Authentication Bypass Affected Software: GOGS Severity: High Date: Aug 5, 2025 Discoverer: OpenAI...
Remote CLI Command Execution Vulnerability in CodeIgniter4
Impact This vulnerability allows attackers to execute CLI routes via HTTP request. Patches Upgrade to v4.1.9 or later. Workarounds None. For more information If you have any questions or comments about this advisory: Open an issue in codeigniter4/CodeIgniter4 Email us at SECURITY.md...
Invalid validation in `SparseMatrixSparseCholesky`
Impact An attacker can trigger a null pointer dereference by providing an invalid permutation to tf.rawops.SparseMatrixSparseCholesky: python import tensorflow as tf import numpy as np from tensorflow.python.ops.linalg.sparse import sparsecsrmatrixops indicesarray = np.array0, 0 valuearray =...
Authentication bypass in Apache Airflow
The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at...
Prototype Pollution in node-forge
The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions...
jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...
io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. Impact This is a DDOS attack, any http2 server is affected and so you should update as soon as possible. Patches This is patched in version...
Chromium Remote Code Execution in electron
Affected versions of ElectronJS are susceptible to a remote code execution vulnerability that occurs when an affected application access remote content, even if the sandbox option is enabled. Recommendation Update to electron version 1.7.8 or later...
Keycloak vulnerable to user impersonation via stolen UUID code
Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session...
Improper Input Validation in Hibernate Validator
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation escaping, stripping controls that developers may have put in place...
jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean aka spring-aop...
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in Armeria
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. Impact 1. Cross-User Defacement 2. Cache...
Cross-site Scripting in Eclipse Jetty
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents...
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any...
Unrestricted Upload of File with Dangerous Type in Umbraco CMS
Umbraco CMS 8.5.3 allows an authenticated file upload and consequently Remote Code Execution via the Install Package functionality...
Unexpected database bindings
This is a follow-up to the previous security advisory GHSA-3p32-j457-pg5x which addresses a few additional edge cases. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the quer...
Prototype Pollution in immer
Overview Affected versions of immer are vulnerable to Prototype Pollution. Proof of exploit js const applyPatches, enablePatches = require"immer"; enablePatches; let obj = ; console.log"Before : " + obj.polluted; applyPatches, op: 'add', path: "proto", "polluted" , value: "yes" ; // applyPatches,...
Cross-Site Scripting in dompurify
Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting XSS. The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of / elements and /. An example payload is: ". This allows attackers to bypass the XSS protection and execute...
go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
Impact The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout: 1. The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag. 2. There are network connectivity...
Laravel RCE vulnerability in "cookie" session driver
Application's using the "cookie" session driver were the primary applications affected by this vulnerability. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie"...
Java: DoS Vulnerability in JSON-JAVA
Summary A denial of service vulnerability in JSON-Java was discovered by ClusterFuzz. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: 1 the parser bug can be used to circumvent a check that is supposed to...
Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12
Summary Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses: - CVE-2019-20388 Medium severity - CVE-2020-24977 Medium severity - CVE-2021-3517 Medium severity - CVE-2021-3518 Medium severity - CVE-2021-3537 Low severity - CVE-2021-3541 Low severity Note that two...
sharp vulnerability in libwebp dependency CVE-2023-4863
Overview sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr. Who does this affect? Almost anyone processing untrusted input with versions of sharp prior to 0.32.6. How to resolve...
Buildah processes using chroot isolation may leak environment values to intermediate processes
Impact When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes CVE-2021-3602. This isolation type is often used when running buildah in unprivileged containers, and it is often used to do so in...
Django Channels leakage of session identifiers using legacy AsgiHandler
Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channe...
Potential Code Injection in Sprout Forms
Impact A potential Server-Side Template Injection vulnerability exists in Sprout Forms which could lead to the execution of Twig code. Patches The problem is fixed inbarrelstrength/sprout-forms:v3.9.0 which upgrades to barrelstrength/sprout-base-email:v1.2.7 Workarounds Users unable to upgrade...
Vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8.1-39.0.0 are vulnerable to a security issue. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221213.txt and...
Timing attacks in python-rsa
It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA...
PrestaShop gamification module ZIP archives were vulnerable from CVE-2017-9841
Impact We have identified that some gamification module ZIP archives have been built with phpunit dev dependencies. PHPUnit contains a php script that would allow, on a webserver, an attacker to perform a RCE. This vulnerability impacts - phpunit before 4.8.28 and 5.x before 5.6.3 as reported in...
Cross-site Scripting in jquery-ui
Cross-site scripting XSS vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option...
Spring Framework DataBinder Case Sensitive Match Exception
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could potentially result in fields not protected as expected...
path-to-regexp outputs backtracking regular expressions
Impact A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period .. For example, /:a-:b. Patches For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0. These versions add backtrack protection...
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data...
Token reuse in Ory fosite
Impact When using client authentication method "privatekeyjwt" 1https://openid.net/specs/openid-connect-core-10.htmlClientAuthentication, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens...
Server-Side Request Forgery in axios
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs...
python-jose denial of service via compressed JWE content
python-jose through 3.3.0 allows attackers to cause a denial of service resource consumption during a decode via a crafted JSON Web Encryption JWE token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319...
Remote Code Execution Vulnerability in Validation Placeholders in CodeIgniter4
Impact This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally...
Type confusion during tensor casts lead to dereferencing null pointers
Impact Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer dereferences. There are multiple ways to reproduce this, listing a few examples here: python import tensorflow as tf import numpy as np data =...
Deserialization of untrusted data in Symfony
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to...
Validation bypass is possible in Json Pattern Validator
In jpv aka Json Pattern Validator before 2.1.1, compareCommon can be bypassed because certain internal attributes can be overwritten via a conflicting name, as demonstrated by 'constructor': 'name':'Array'. This affects validate. Hence, a crafted payload can overwrite this builtin attribute to...
DOMPurify XSS via selectedcontent re-clone
Summary DOMPurify 3.4.4 allows selectedcontent by default, allowing a chain in which browsers "re-clone" an XSS payload after sanitization, effectively bypassing DOMPurify. Details The chain is as follows: 1. The browser parses the input and creates a clone from the selected 2. DOMPurify walks an...