33123 matches found
Exposure of SSH credentials in Rancher/Fleet
Impact This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories. A security vulnerability CVE-2022-29810 was discovered in go-getter library in versions prior to v1.5.11 that exposes SSH private keys in base64 format due to a...
Dom4j contains a XML Injection vulnerability
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or...
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
Impact What kind of vulnerability is it? Who is impacted? A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service DoS when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving the...
Next.js missing cache-control header may lead to CDN caching empty reply
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets...
Remote Code Execution in Red Discord Bot
Impact A RCE exploit has been discovered in the Streams module: this exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access...
Private key leak in Apache CXF
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...
Polymorphic deserialization of malicious object in jackson-databind
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Impact When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings i.e. the second argument passed to .replace. Your generated code is vulnerable if all the...
Apache Tomcat Open Redirect vulnerability
URL Redirection to Untrusted Site 'Open Redirect' vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may als...
Gitea Remote Code Execution
models/repomirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings, leading to remote code execution...
Cross-Site Scripting in markdown-it-katex
All versions of markdown-it-katex are vulnerable to Cross-Site Scripting XSS. The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser by triggering an error. Recommendation No fix is currently available. Consider using a...
XML external entity injection in Terracotta Quartz Scheduler
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description...
cryptography mishandles SSH certificates
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options...
Withdrawn Advisory: ReDoS in py library when used with subversion
Withdrawn Advisory This advisory has been withdrawn because evidence does not suggest that CVE-2022-42969 is a valid, reproducible vulnerability. This link is maintained to preserve external references. Original Description The py library through 1.11.0 for Python allows remote attackers to condu...
Timing based private key exposure in Bouncy Castle
Bouncy Castle BC Java before 1.66, BC C .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of...
Cross-site scripting
Two kinds of XSS were found: 1. As mentioned in https://github.com/mongo-express/mongo-express/issues/577 when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however this needs admin interaction on cell. 2. Data cells identified as med...
Use after free in CefSharp
CVE-2020-16017: Use after free in site isolation - https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop11.html - https://vulners.com/cve/CVE-2020-16017 Google is aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild. There is currently...
Grafana's datasource proxy API allows authorization checks to be bypassed
This vulnerability in Grafana's datasource proxy API allows authorization checks to be bypassed by adding an extra slash character in the URL path. Users with minimal permissions could gain unauthorized read access to GET endpoints in Alertmanager and Prometheus datasources. The issue primarily...
python-jose algorithm confusion with OpenSSH ECDSA keys
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217...
Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs
Impact There are two separate security vulnerabilities here: 1 a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps 2 the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs Patches Both problems...
Vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://www.openssl.org/news/secadv/20230530.txt. If you are building...
PrestaShop eval injection possible if shop vulnerable to SQL injection
Impact Eval injection possible if the shop is vulnerable to an SQL injection. Patches The problem is fixed in version 1.7.8.7 Workarounds Delete the MySQL Smarty cache feature by removing these lines in the file config/smarty.config.inc.php lines 43-46 PrestaShop 1.7 or 40-43 PrestaShop 1.6: php ...
CRLF vulnerability in Fiber
Impact The filename that is given in c.Attachment is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to...
Improper parsing of octal bytes in netmask
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs...
XML External Entity attack in log4net
Apache log4net before 2.0.10 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users...
Persistent XSS vulnerability in filename of attached file in PrivateBin
On 24th of December 2019 one of the property based unit tests reported a failure. Upon investigation, @elrido discovered that the failure was due to unescaped HTML, which allowed the user provided attachment file name to inject HTML under certain conditions leading to a persistent Cross-site...
HTTP Request Smuggling: Invalid Transfer-Encoding in Waitress
Impact Waitress would parse the Transfer-Encoding header and only look for a single string value, if that value was not chunked it would fall through and use the Content-Length header instead. According to the HTTP standard Transfer-Encoding should be a comma separated list, with the inner-most...
Deserialization of Untrusted Data in Apache Log4j
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. Users are advised to migrate from log4j:log4j to org.apache.logging.log4j:log4j for an updated version of the...
XXE vulnerability on Launch import with externally-defined DTD file
Impact Starting from version 3.1.0 we introduced a new feature of JUnit XML launch import. Unfortunately XML parser was not configured properly to prevent XML external entity XXE attacks. This allows a user to import a specifically-crafted XML file which imports external Document Type Definition...
Improper Certificate Validation in Puppet
Previously, Puppet operated on the model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for...
Unauthenticated remote code execution in Ignition
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of filegetcontents and fileputcontents. This is exploitable on sites using debug mode with Laravel before 8.4.2...
Context isolation bypass via contextBridge in Electron
Impact Apps using both contextIsolation and contextBridge are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Workarounds There are no app-side workaround...
LiteLLM has SQL Injection in Proxy API key verification
Impact A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route for example POST /chat/completions a...
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Summary We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting XSS in web pages where scriptless attacker-controlled HTML elements e.g., an img tag with an unsanitized name...
Bouncy Castle For Java LDAP injection vulnerability
Bouncy Castle provides the X509LDAPCertStoreSpi.java class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the...
httparty has multipart/form-data request tampering vulnerability
Impact I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty. httparty/lib/httparty/request body.rb def generatemultipart...
elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE
Impact We recently fixed several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration. Patches The issues were addressed in our last release,...
Prototype pollution in chart.js
This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options or the defaults options are deeply merged with provided options. However, during this operation, the keys of the object being...
Incorrect Provision of Specified Functionality in qutebrowser
Description After a certificate error was overridden by the user, qutebrowser displays the URL as yellow colors.statusbar.url.warn.fg. However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green colors.statusbar.url.successhttps. While the user...
Deserialization of Untrusted Data in jackson-databind
FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter...
SQL injection in phpMyAdmin
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature...
Privilege escalation via ApiTokensEndpoint
Impact An attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests. There is no evidence that the issue was exploited on https://sentry.io. For...
Incorrect parsing of nameless cookies leads to __Host- cookies bypass
Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =Host-test=bad for another subdomain. Werkzeug = 2.2.2 will parse the cookie =Host-test=bad as...
jsonwebtoken has insecure input validation in jwt.verify function
Overview For versions =8.5.1 of jsonwebtoken library, if a malicious actor has the ability to modify the key retrieval parameter referring to the secretOrPublicKey argument from the readme link of the jwt.verify function, they can gain remote code execution RCE. Am I affected? This security issue...
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management...
XSS vulnerability with translator
Flarum's translation system allowed for string inputs to be converted into HTML DOM nodes when rendered. This change was made after v0.1.0-beta.16 our last beta before v1.0.0 and was not noticed or documented. This allowed for any user to type malicious HTML markup within certain user input field...
OS Command Injection in Rake
There is an OS command injection vulnerability in Ruby Rake before 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |...
jackson-databind mishandles the interaction between serialization gadgets and typing
FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig aka anteros-core...
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
Summary Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to host...
jQuery vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting XSS vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag...