33190 matches found
Password exposure in concrete5/core
Unauthorized individuals could view password protected files using viewinline in Concrete CMS previously concrete 5 prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in viewinline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations...
Prototype Pollution in dotty
This affects the package dotty before 0.1.2. A type confusion vulnerability can lead to a bypass of CVE-2021-25912 when the user-provided keys used in the path parameter are arrays...
Prototype Pollution in x-assign
This vulnerability affects all versions of package x-assign. The global proto object can be polluted using the proto object...
Cross-site Scripting in snipe-it
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
Cross-site Scripting in SilverStripe Framework
SilverStripe Framework through 4.8.1 allows XSS...
Cross-site scripting in Unicorn framework
The Unicorn framework through 0.35.3 for Django allows XSS via component.name...
BuddyPress privilege escalation via REST API
Impact It's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the BuddyPress REST API members endpoint. Patches The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitiga...
URL Redirection to Untrusted Site ('Open Redirect') in fastify-static
Impact A redirect vulnerability in the fastify-static module allows remote attackers to redirect Mozilla Firefox users to arbitrary websites via a double slash // followed by a domain: http://localhost:3000//google.com/%2e%2e. The issue shows up on all the fastify-static applications that set...
Improper escaping of command arguments on Windows leading to command injection
Impact Windows users running Composer to install untrusted dependencies are affected and should definitely upgrade for safety. Other OSs and WSL are not affected. Patches 1.10.23 and 2.1.9 fix the issue Workarounds None...
Remote Code Execution in Halibut
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification...
SQL Injection in Django
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orderby SQL injection if orderby is untrusted input from a client of a web application...
Remote code execution in UReport
An arbitrary file creation vulnerability in UReport 2.2.9 allows attackers to execute arbitrary code...
Path traversal in atlasboard
The renderWidgetResource resource in Atlasian Atlasboard before version 1.1.9 allows remote attackers to read arbitrary files via a path traversal vulnerability. PoC javascript const widget = require"atlasboard/lib/webapp/routes/widget"; // Mock req and res const req = ; const res = sendFile:...
Cross-site Request Forgery (CSRF) in joplin
The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery CSRF due to missing CSRF checks in various forms...
Cross Site Scripting (XSS) in Quokka
Cross Site Scripting XSS in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'...
Null pointer deference in openssl-src
Server or client applications that call the SSLcheckchain function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signaturealgorithmscert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm i...
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
firefly-iii is vulnerable to Cross-Site Request Forgery CSRF...
Null pointer dereference in `CompressElement`
Impact It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to tf.rawops.CompressElement: python import tensorflow as tf tf.rawops.CompressElementcomponents= The implementation was accessing the size of a buffer obtained from the return of a separate...
Integer division by 0 in sparse reshaping
Impact The implementation of tf.rawops.SparseReshape can be made to trigger an integral division by 0 exception: python import tensorflow as tf tf.rawops.SparseReshape inputindices = np.ones1,3, inputshape = np.array1,1,0, newshape = np.array1,0 The implementation calls the reshaping functor...
Null pointer dereference in `MatrixDiagPartOp`
Impact If a user does not provide a valid padding value to tf.rawops.MatrixDiagPartOp, then the code triggers a null pointer dereference if input is empty or produces invalid behavior, ignoring all values after the first: python import tensorflow as tf tf.rawops.MatrixDiagPartV2...
Integer overflow due to conversion to unsigned
Impact The implementation of tf.rawops.QuantizeAndDequantizeV4Grad is vulnerable to an integer overflow issue caused by converting a signed integer value to an unsigned one and then allocating memory based on this value. python import tensorflow as tf tf.rawops.QuantizeAndDequantizeV4Grad...
Reference binding to nullptr in `MatrixDiagV*` ops
Impact An attacker can cause undefined behavior via binding a reference to null pointer in all operations of type tf.rawops.MatrixDiagV: python import tensorflow as tf tf.rawops.MatrixDiagV3 diagonal=1,0, k=, numrows=1,2,3, numcols=4,5, paddingvalue=, align='RIGHTRIGHT' The implementation has...
Incomplete validation in `MaxPoolGrad`
Impact An attacker can trigger a denial of service via a segmentation fault in tf.rawops.MaxPoolGrad caused by missing validation: python import tensorflow as tf tf.rawops.MaxPoolGrad originput = tf.constant, shape=3, 0, 0, 2, dtype=tf.float32, origoutput = tf.constant, shape=3, 0, 0, 2,...
Storage corruption due to variables overwritten by re-entrancy locks
Background When attempting to use the v0.2.14 release, @pandadefi discovered an issue using the @nonreentrant decorator. Impact Reentrancy protection storage slots get allocated to the same slots as storage variables, leading to the corruption of storage variables when using the @nonreentrant...
Cross-site scripting in Dutchcoders transfer.sh
Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view...
Denial of service in geth
Impact Denial-of-service crash during block processing Details Affected versions suffer from a vulnerability which can be exploited through the MULMOD operation, by specifying a modulo of 0: mulmoda,b,0, causing a panic in the underlying library. The crash was in the uint256 library, where a buff...
Automatic room upgrade handling can be used maliciously to bridge a room non-consentually
Impact If a bridge has room upgrade handling turned on in the configuration the roomUpgradeOpts key when instantiating a new Bridge instance., any m.room.tombstone event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room m.room.create...
Missing Authorization in Jenkins Kubernetes CLI Plugin
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...
Insufficiently random values in Ansible
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords a...
Reflected cross-site scripting issue in Datasette
Impact The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as...
Improper Verification of Cryptographic Signature in aws-encryption-sdk-cli
Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In...
Denial of service in direct_mail
The directmail extension through 5.2.3 for TYPO3 allows Denial of Service via log entries...
RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
Impact A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB. The functions RandomAlphaNumericint and CryptoRandomAlphaNumericint are not as random as they should be. Small values of int in the functions above will return a smaller subs...
Stack overflow in `ParseAttrValue` with nested tensors
Impact The implementation of ParseAttrValue can be tricked into stack overflow due to recursion by giving in a specially crafted input. Patches We have patched the issue in GitHub commit e07e1c3d26492c06f078c7e5bf2d138043e199c1. The fix will be included in TensorFlow 2.5.0. We will also cherrypic...
Division by zero in TFLite's implementation of `EmbeddingLookup`
The implementation of the EmbeddingLookup TFLite operator is vulnerable to a division by zero error: cc const int rowsize = SizeOfDimensionvalue, 0; const int rowbytes = value-bytes / rowsize; An attacker can craft a model such that the first dimension of the value input is 0. Patches We have...
Null pointer dereference in TFLite's `Reshape` operator
Impact The fix for CVE-2020-15209 missed the case when the target shape of Reshape operator is given by the elements of a 1-D tensor. As such, the fix for the vulnerability allowed passing a null-buffer-backed tensor with a 1D shape: cc if tensor-data.raw == nullptr && tensor-bytes 0 if...
Division by zero in TFLite's implementation of `TransposeConv`
Impact The optimized implementation of the TransposeConv TFLite operator is vulnerable to a division by zero error: cc int heightcol = height + padt + padb - filterh / strideh + 1; int widthcol = width + padl + padr - filterw / stridew + 1; An attacker can craft a model such that strideh,w values...
XWiki users registered with email verification can self re-activate their disabled accounts
Impact A user disabled on a wiki using email verification for registration can re-activate himself by using the activation link provided for his registration. Patches The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0. Workarounds It's possible to...
Prototype Pollution in simpl-schema
This affects the package simpl-schema before 1.10.2. Attacker controlled input into a schema could result in remote code execution within the scope of the surrounding application...
Arbitrary Code Execution in shiba
All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load of the package js-yaml instead of its secure replacement , safeLoad...
Prototype Pollution in bmoor
The package bmoor before 0.8.12 are vulnerable to Prototype Pollution via the set function...
Server-Side Request Forgery in Apache Solr
The ReplicationHandler normally registered at "/replication" under a Solr core in Apache Solr has a "masterUrl" also "leaderUrl" alias parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability,...
Improper Authentication in Apache Shiro
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass...
SQL Injection in odata4j
odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued...
Prototype Pollution in node-oojs
All versions of package node-oojs up to and including version 1.4.0 are vulnerable to Prototype Pollution via the setPath function...
Prototype Pollution in locutus
All versions of package locutus prior to version 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parsestr function...
Prototype Pollution in dot-notes
All versions of package dot-notes up to and including version 3.2.0 are vulnerable to Prototype Pollution via the create function...
Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can...
Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 Vaadin 12.0.0 through 14.4.9, and 6.0.0 through 6.0.1 Vaadin 19.0.0 allows attacker to access application classes and resources on the server via crafted HTTP request. -...
JavaScript execution via malicious molfiles (XSS)
Impact The viewer plugin implementation of renders molfile data directly inside a tag without any escaping. Arbitrary JavaScript code can thus be executed in the client browser via crafted molfiles. Patches Patched in v0.3.0: Molfile data is now rendered as value of a hidden tag and escaped via...