33187 matches found
Server Side Template Injection in MCMS
MCMS v5.2.5 was discovered to contain a Server Side Template Injection SSTI vulnerability via the Template Management module...
url-parse Incorrectly parses URLs that include an '@'
A specially crafted URL with an '@' sign but empty user info and no hostname, when parsed with url-parse, url-parse will return the incorrect href. In particular, js parse"http://@/127.0.0.1" Will return: yaml slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth:...
Improper Certificate Validation in Hutool
Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation...
Denial of service in Grafana
The snapshot feature in Grafana before 7.4.2 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. Specific Go Packages Affected github.com/grafana/grafana/pkg/middleware...
Improper file handling in matrix-react-sdk
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...
Withdrawn Advisory: OS Command Injection in effect
Withdrawn Advisory This advisory has been withdrawn because the npm package effect, for which alerts were issued, does not correspond with https://github.com/Javascipt/effect, the repository with the vulnerable code. https://github.com/Javascipt/effect is not in any supported ecosystem...
`CHECK`-failures in `TensorByteSize` in Tensorflow
Impact A malicious user can cause a denial of service by altering a SavedModel such that TensorByteSize would trigger CHECK failures. cc int64t TensorByteSizeconst TensorProto& t // numelements returns -1 if shape is not fully defined. int64t numelems = TensorShapet.tensorshape.numelements; retur...
Reachable Assertion in Tensorflow
Impact When decoding a resource handle tensor from protobuf, a TensorFlow process can encounter cases where a CHECK assertion is invalidated based on user controlled arguments. This allows attackers to cause denial of services in TensorFlow processes. Patches We have patched the issue in GitHub...
Prototype Pollution in js-data
All versions of package js-data prior to 3.0.10 are vulnerable to Prototype Pollution via the deepFillIn function...
Improper privilege handling in Apache Accumulo
Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the 'canFlush' and...
Prototype Pollution in keyget
The package keyget from 0.0.0 are vulnerable to Prototype Pollution via the methods set, push, and at which could allow an attacker to cause a denial of service and may lead to remote code execution. Note: This vulnerability derives from an incomplete fix to CVE-2020-28272...
Cross-site Scripting in livehelperchat
Stored XSS is found in SettingsLive help configurationPersonal Themestatic content. Under the NAME field put a payload constructor.constructor'alert1' while creating content, and you will see that the input gets stored, and every time the user visits, the payload gets executed...
SQL injection in Moodle
A flaw was found in Moodle in versions 3.11 to 3.11.4. An SQL injection risk was identified in the h5p activity web service responsible for fetching user attempt data...
Server Side Twig Template Injection
PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds...
Cross-Site Request Forgery (CSRF) in livehelperchat
livehelperchat is vulnerable to Cross-Site Request Forgery CSRF...
Improper Privilege Management in shelljs
Impact Output from the synchronous version of shell.exec may be visible to other users on the same system. You may be affected if you execute shell.exec in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec as the root user. Other shelljs functions including the asynchronous...
Cross-site Scripting in django-cms
Django CMS 3.7.3 does not validate the plugintype parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting XSS vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user...
Incorrect Permission Assignment for Critical Resource in Jenkins Credentials Binding Plugin
Jenkins Credentials Binding Plugin prior to 1.27.1 and 1.24.1 does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file. Credentials...
CSRF vulnerability and missing permission checks in Jenkins Publish Over SSH Plugin
A cross-site request forgery CSRF vulnerability in Jenkins Publish Over SSH Plugin 1.22 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials...
Use of Hard-coded Credentials in Apache Kylin
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their passwor...
Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman
A flaw was found in podman. The podman machine function used to create and manage Podman virtual machine containing a Podman process spawns a gvproxy process on the host system. The gvproxy API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall...
Server-side request forgery (SSRF) in Apache Batik
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests...
Cross-site scripting in Apache NiFi
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers...
Infinite loop in Apache CFX
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior ...
Cross Site Request Forgery in mailman
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request using that token to set a new admin password or make other changes...
Deserialization of Untrusted Data in topthink/framework
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php...
Code Injection in jackson-databind
This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource aka Anteros-DBCP...
Code injection in FreeIPA
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function berscanf was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger...
Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.
Withdrawn This advisory has been withdrawn after the maintainers of Laravel noted this issue is not a security vulnerability with Laravel itself, but rather a userland issue. Original CVE based description Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP...
Crash in `tf.math.segment_*` operations
Impact The implementation of tf.math.segment operations results in a CHECK-fail related abort and denial of service if a segment id in segmentids is large. python import tensorflow as tf tf.math.segmentmaxdata=np.ones1,10,1, segmentids=1676240524292489355 tf.math.segmentmindata=np.ones1,10,1,...
Cross-Site Request Forgery in firefly-iii
firefly-iii is vulnerable to Cross-Site Request Forgery CSRF...
CSV Injection Vulnerability
Impact In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel. If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages and there is a chance users will open tha...
Cross-site Scripting in Froala Editor
Froala Editor 3.2.6 is affected by Cross Site Scripting XSS. Under certain conditions, a base64 crafted string leads to persistent Cross-site scripting XSS vulnerability within the hyperlink creation module...
ASP.NET Core Denial of Service Vulnerability
Withdrawn This advisory was initially published and mapped incorrectly to nuget Microsoft.NETCore.App.Ref. We later reanalyzed this advisory and found it does not have a direct mapping to a NuGet package. Thus we have withdrawn this advisory. The underlying ASP.NET Core Denial of Service...
Incorrect handling of H2 GOAWAY + SETTINGS frames
Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. Impact This can lead to a DoS in the presence of untrusted upstream servers. Patches 0.15.1 contains an upgraded envoy binary with this vulnerability patched...
Arbitrary file upload in Fork CMS
Arbitrary file upload vulnerability in Fork CMS 5.9.2 allows attackers to create or replace arbitrary files in the /themes directory via a crafted zip file uploaded to the Themes panel...
Improper Authentication
Traefik 2.x, in certain configurations, allows HTTPS sessions to proceed without mutual TLS verification in a situation where ERRBADSSLCLIENTAUTHCERT should have occurred...
XSS in Image Optimization API for Next.js
Impact - Affected: All of the following must be true to be affected - Next.js between version 10.0.0 and 11.1.0 - The next.config.js file has images.domains array assigned - The image host assigned in images.domains allows user-provided SVG - Not affected: The next.config.js file has images.loade...
Improper Resource Shutdown or Release in TYPO3 extension
Wrong usage of the TYPO3 FAL API results in copies of processed files being saved to the /var/transient/ folder of a TYPO3 website on every frontend request. This can result in Denial of Service, since the webspace may be filled up with image files simply by crafting a large amount of requests to...
Cross-site scripting in imgURL
imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header...
Unauthorized property update in CheckboxGroup component in Vaadin 12-14 and 15-20
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 Vaadin 12.0.0 prior to 14.0.0, 2.0.0 prior to 3.0.0 Vaadin 14.0.0 prior to 14.5.0, 3.0.0 through 4.0.1 Vaadin 15.0.0 through 17.0.11, 14.5.0 through 14.6.7 Vaadin 14.5.0 through 14.6.7, and 18.0.0...
Improper Neutralization of Formula Elements in a CSV File in pimcore/pimcore
Impact Data Object CSV import allows formular injection. Patches Problem is patched in 10.1.1 Workarounds Apply https://github.com/pimcore/pimcore/pull/9992.patch References https://cwe.mitre.org/data/definitions/1236.html...
Memory corruption in array-tools
An issue was discovered in the array-tools crate before 0.3.2 for Rust. Affected versions of this crate don't guard against panics, so that partially uninitialized buffer is dropped when user-provided T::clone panics in FixedCapacityDequeLike::clone. This causes memory corruption...
Uninitialized buffer use in marc
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Record::read. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialize...
Authenticated server-side request forgery in file upload via URL.
Impact Authenticated server-side request forgery in file upload via URL. Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6 Workaround...
Privilege escalation via form generator
Impact It is possible for untrusted users to gain administrator rights with the form generator. Installations are only affected if there are untrusted back end users with access to the form generator. Patches Update to Contao 4.4.56, 4.9.18 or 4.11.7. Workarounds Disable the form generator or...
JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
Impact Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook. Patches Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21. References OWASP Page on Restricting Form Submissions For more information If you have...
Incorrect TCR calculation in batchLiquidateTroves() during Recovery Mode
TCR is temporarily miscalculated in the batchLiquidateTroves function during Recovery Mode. The bug lies in batchLiquidateTroves of TroveManager. When calculating system's entire collateral, we should also exclude the liquidated trove's surplus collateral, since liquidation closes the trove and...
Command injection in gitlogplus
All versions of package gitlogplus are vulnerable to Command Injection via the main functionality, as options attributes are appended to the command to be executed without sanitization...
Incorrect Authorization in TeamPass
The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function...