33187 matches found
Prototype Pollution in json-pointer
This affects versions of package json-pointer up to and including 0.6.1. A type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays...
Privilege Defined With Unsafe Actions in Keycloak
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the...
Cross Site Request Forgery in kindeditor
Cross Site Request Forgery CSRF vulnerability exists in KindEditor 4.1.x. First, you upload an html file containing csrf on the website that uses a google editor, you only need to search in google: inurl:/examples/uploadbutton.html and then use the authority of this website to trick users into...
Improper Input Validation in Jakarta Expression Language
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid...
Remote code execution in ruby-jss
The Pixar ruby-jss gem before 1.6.0 allows remote attackers to execute arbitrary code because of the Plist gem's documented behavior of using Marshal.load during XML document processing...
Open Redirect in Apache Superset
Apache Superset prior to 1.1.0 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link...
CSV injection in shuup
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...
SQL Injection in Django
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orderby SQL injection if orderby is untrusted input from a client of a web application...
Cross-Site Request Forgery in sqlite-web
This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Reques...
OS Command Injection in Centreon
/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabasepath parameter...
Parse Server crashes with query parameter
Impact Parse Server crashes when if a query request contains an invalid value for the explain option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. Patches Upgrade to Parse Server 4.10.3...
Improper Restriction of XML External Entity Reference in Quokka
XML External Entities XXE in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'...
Command injection in mail agent settings
Impact Command injection in mail agent settings Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6 Workarounds For older versions of...
Null pointer dereference and heap OOB read in operations restoring tensors
Impact When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null pointer: python import tensorflow as tf tf.rawops.Restore filepattern='/tmp', tensorname=, defaultvalue=21, dt=tf.int, preferredshard=1 The same undefined behavior c...
Storage corruption due to variables overwritten by re-entrancy locks
Background When attempting to use the v0.2.14 release, @pandadefi discovered an issue using the @nonreentrant decorator. Impact Reentrancy protection storage slots get allocated to the same slots as storage variables, leading to the corruption of storage variables when using the @nonreentrant...
Prototype pollution vulnerability in js-extend
Prototype pollution vulnerability in 'js-extend' versions 0.0.1 through 1.0.1 allows attacker to cause a denial of service and may lead to remote code execution...
Improper Verification of Cryptographic Signature in aws-encryption-sdk
Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated. In...
Improper Verification of Cryptographic Signature in aws-encryption-sdk-java
Impact This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This update addresses an issue where certain invalid ECDSA signatures incorrectly passed validation. These signatures provide defense in depth...
Import loops in account imports, nats-server DoS
This advisory is canonically Problem Description An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory. This issue was fixed publicly in in November 2020. The need to call this out as a security issue was highlighted by snyk.io and we are grateful for...
Division by zero in TFLite's implementation of `DepthwiseConv`
Impact The implementation of the DepthwiseConv TFLite operator is vulnerable to a division by zero error: cc int numinputchannels = SizeOfDimensioninput, 3; TFLITEENSUREEQcontext, numfilterchannels % numinputchannels, 0; An attacker can craft a model such that input's fourth dimension would be 0...
Session operations in eager mode lead to null pointer dereferences
Impact In eager mode default in TF 2.0 and later, session operations are invalid. However, users could still call the raw ops associated with them and trigger a null pointer dereference: python import tensorflow as tf tf.rawops.GetSessionTensorhandle='\x12\x1a\x07',dtype=4 python import tensorflo...
Integer overflow in github.com/gorilla/websocket
An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections...
Cross-site scripting in Joplin
Joplin allows XSS via a LINK element in a note...
Duplicate Advisory: "Arbitrary code execution in socket.io-file"
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6495-8jvh-f28x. This link is maintained to preserve external references. Original Description "The socket.io-file package through 2.0.31 for Node.js relies on client-side validation of file types, which allows...
OS Command Injection in pomelo-monitor
pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params...
Command Injection in @theia/messages
In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run...
Server-Side Request Forgery in Apache Solr
The ReplicationHandler normally registered at "/replication" under a Solr core in Apache Solr has a "masterUrl" also "leaderUrl" alias parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability,...
Missing Release of Memory after Effective Lifetime in Apache Tika
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade ...
Path traversal in url-parse
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path...
Options structure open to Cross-site Scripting if passed unfiltered
Impact In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be...
Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19
Insecure temporary directory usage in frontend build functionality of com.vaadin:flow-server versions 2.0.9 through 2.5.2 Vaadin 14.0.3 through Vaadin 14.5.2, 3.0 prior to 6.0 Vaadin 15 prior to 19, and 6.0.0 through 6.0.5 Vaadin 19.0.0 through 19.0.4 allows local users to inject malicious code...
Cross-site scripting in SocksJS-node
htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c aka callback parameter...
Code Injection in script-manager
An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code...
Uncontrolled Resource Consumption in rdf-graph-array
rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects resutling in Prototype Pollution. The rdf.Graph.prototype.add method could be tricked into adding or modifying properties of Object.prototype...
Exposure of Resource to Wrong Sphere in valib
valib through 2.0.0 allows Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function hasOwnProperty from the unsafe user-input to examine an object. It is possible for a crafted payload to overwri...
OS Command Injection in lsof
All versions including 0.0.4 of lsof npm module are vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input...
Cross-site scripting (XSS) and Server side request forgery (SSRF) in moodle
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17...
Null characters not escaped
Impact Anyone using Shescape to defend against shell injection may still be vulnerable against shell injection if the attacker manages to insert a null character into the payload. For example on Windows: javascript const cp = require"childprocess"; const shescape = require"shescape"; const nullCh...
User content sandbox can be confused into opening arbitrary documents
Impact The user content sandbox can be abused to trick users into opening unexpected documents after several user interactions. The content can be opened with a blob origin from the Matrix client, so it is possible for a malicious document to access user messages and secrets. Patches This has bee...
Persistent XSS in shopping worlds
Impact Persistent XSS in shopping worlds Patches We recommend updating to the current version 5.6.9. You can get the update to 5.6.9 regularly via the Auto-Updater or directly via the download overview. For older versions you can use the Security Plugin:...
systeminformation command injection vulnerability
Impact command injection vulnerability Patches Problem was fixed with a shell string sanitation fix. Please upgrade to version = 4.27.11 Workarounds If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite References Are there any links use...
Potential access control security issue in apollo-adminservice
Impact If users expose apollo-adminservice to internetwhich is not recommended, there are potential security issues since apollo-adminservice is designed to work in intranet and it doesn't have built-in access control. Malicious hackers may access apollo-adminservice apis directly to access/edit...
Denial of Service in mongodb
Versions of mongodb prior to 3.1.13 are vulnerable to Denial of Service. The package fails to properly catch an exception when a collection name is invalid and the DB does not exist, crashing the application. Recommendation Upgrade to version 3.1.13 or later...
Missing Origin Validation in browserify-hmr
Versions of browserify-hmr prior to 0.4.0 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement HMR are not validated...
Cross-Site Scripting in dojo
Affected versions of dojo are susceptible to a cross-site scripting vulnerability in the dijit.Editor and textarea components, which execute their contents as Javascript, even when sanitized. Recommendation Update to version 1.1.0 or later...
Prototype Pollution in express-fileupload
This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution...
Remote code execution in turn extension for TYPO3
The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution...
Buffer overflow in Pillow
In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c...
Improper Input Validation in sails-hook-sockets
Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request...
ECDSA signature vulnerability of Minerva timing attack in jsrsasign
Impact ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign. Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits ...