33181 matches found
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the artifactlocation parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component in the artifact location URI to read arbitrary files on the...
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode
Impact A specially crafted argument to the idna.encode function could consume significant resources. This may lead to a denial-of-service. Patches The function has been refined to reject such strings without the associated resource consumption in version 3.7. Workarounds Domain names cannot excee...
Server Side Template Injection (SSTI) via Twig escape handler
Summary Due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Details https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.phpL99 php / Defines a new escaper to be used via the esca...
Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass
Summary Grav CMS is vulnerable to a Server-Side Template Injection SSTI, which allows any authenticated user editor permissions are sufficient to execute arbitrary code on the remote server bypassing the existing security sandbox. Details The Grav CMS implements a custom sandbox to protect the...
Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' when adding a property in 'AbstractListDelimiterHandler.flattenIterator'. Users are recommended to upgrade to version...
Jenkins Delphix Plugin has SSL/TLS certificate validation disabled by default
In Jenkins Delphix Plugin 3.0.1, a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections is disabled by default...
CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
Summary Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. Details The web application lacks control over the login attempts i.e. why attacker can use a password brute force attack to find and get full access...
Rancher 'Audit Log' leaks sensitive information
Impact A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. Rancher Audit Logging is an opt-in feature, only deployments that have it enabled and have AUDITLEVEL set to 1 or above are impacted by this issue. The leaks might be caught in the...
Allegro AI ClearML vulnerable to deserialization of untrusted data
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously uploaded artifact to run arbitrary code on an end user’s system when interacted with...
Duplicate Advisory: Exposure of sensitive information in ClickHouse
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8ph-74m6-8m7r. This link is maintained to preserve external references. Original Description Exposure of sensitive information in exceptions in ClickHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and...
Winter CMS Stored XSS through Backend ColorPicker FormWidget
Impact Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. By default, only the Brand Settings backend.managebranding and Mail Brand Settings...
Password stored in a recoverable format by Jenkins OpenId Connect Authentication Plugin
Jenkins OpenId Connect Authentication Plugin stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator...
Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key
Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token...
PDM Trojan Lockfile
Summary It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. Details Project foo can be targeted by creating the project foo-2 and uploading the fil...
Pimcore Demo Allows GraphQL Introspection
Introspection is enabled on demo.pimcore.fun. The demo site has graphql as a feature for users, but allows users to run instropection queries, which presents a potential schema information disclosure vulnerability...
Jenkins Cross-site Scripting vulnerability
ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote. This results in a stored...
Improper Control of Generation of Code ('Code Injection') in jai-ext
Impact Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Patches Version 1.2.22...
OpenRefine Remote Code execution in project import with mysql jdbc url attack
Summary An remote Code exec vulnerability allows any unauthenticated user to exec code on the server. Details Hi,Team, i find openrefine support to import data from database,When use mysql jdbc to connect to database,It is vulnerable to jdbc url attacks,for example,unauthenticated attacker can ge...
Argo CD repo-server Denial of Service vulnerability
Impact All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious,...
Flarum vulnerable to LFI and Blind SSRF via Avatar upload
Impact The Flarum forum software is affected by a vulnerability that allows an attacker to conduct a Blind SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofing the MIME type, an attacker can manipulat...
Aerospike Java Client vulnerable to unsafe deserialization of server responses
GitHub Security Lab GHSL Vulnerability Report: GHSL-2023-044 The GitHub Security Lab team has identified a potential security vulnerability in Aerospike Java Client. We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively...
mlflow vulnerable to OS Command Injection
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0...
SQL injection in jeecg-boot
jeecg-boot v3.5.1 was discovered to contain a SQL injection vulnerability via the title parameter at /sys/dict/loadTreeData...
Obfuscated email addresses should not be sorted
Impact The mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. See https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps. Patches This has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1. Workarounds The workaround is t...
langchain arbitrary code execution vulnerability
An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the python exec method...
vm2 vulnerable to Inspect Manipulation
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node inspect method and edit options for console.log. Impact A threat actor can edit options for console.log. Patches This vulnerability was patched in the release of version 3.9.18 of vm2. Workarounds After...
Flask-AppBuilder Has No Rate Limiting on Login AUTH DB
Impact Lack of rate limiting will allow an attacker to brute-force user credentials. Patches Ability to enable rate limiting on Flask-AppBuilder = 4.3.0. Use AUTHRATELIMITED = True and RATELIMITENABLED = True set the limit itself by using AUTHRATELIMIT. Will apply only to database authentication...
matrix-react-sdk Prototype pollution vulnerability
Impact Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. Patches...
directus vulnerable to HTML Injection in Password Reset email to custom Reset URL
Impact Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. Patches The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or...
Cross-Site-Scripting attack on `<RichTextField>`
Impact All React applications built with react-admin and using the are affected. outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting XSS attack. Proof of concept: jsx import...
Froxlor vulnerable to Command Injection
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8...
Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator
wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead...
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
Overview Versions =8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm...
FeehiCMS Cross Site Scripting vulnerability
Cross Site Scripting XSS vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file...
Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Summary There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209. - Versions affected: ALL - Not affected: NONE - Fixed versions: 1.4.4 Impact A possible XSS vulnerability with certain configurations of...
Unchecked return value from xmlTextReaderExpand
Summary Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Readerattributehash. This can lead to a null pointer exception when invalid markup is being parsed. For applications using XML::Reader to parse untrusted inputs, this may...
GitPython vulnerable to Remote Code Execution due to improper user input validation
All versions of package gitpython are vulnerable to Remote Code Execution RCE due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git...
Tailscale Windows daemon is vulnerable to RCE via CSRF
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon tailscaled, which can then be used to remotely execute code. Affected platforms: Windows Patched Tailscale client versions: v1.32.3 or later, v1.33.257 or later unstable What...
@keystone-6/core's NODE_ENV defaults to development with esbuild
Impact @keystone-6/[email protected] || 3.0.1 users that use NODEENV in their own code not dependencies to trigger security-sensitive functionality in a production build are vulnerable to NODEENV being inlined to "development" for user code. If your dependencies use NODEENV to trigger particular...
Gogs vulnerable to Cross-site Scripting
In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting XSS that leads to an account takeover...
Dompdf allows remote file inclusion because URI validation failure does not halt font registration
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule...
Apache Batik Server-Side Request Forgery
Server-Side Request Forgery SSRF vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14...
nftables binding to an already bound chain
Impact An issue was discovered in net/netfilter/nftablesapi.c in the Linux kernel. A denial of service can occur upon binding to an already bound chain. Affected by this vulnerability is the function nftverdictinit of the file net/netfilter/nftablesapi.c. The manipulation with an unknown input...
XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
Impact All rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects class and property name must be known, though...
ThinkPHP deserialization vulnerability
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload...
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification
An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to...
x/crypto/ssh vulnerable to panic via malformed packets
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an unauthenticated attacker to panic an SSH server. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic...
React Editable Json Tree vulnerable to arbitrary code execution via function parsing
Impact Our library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function was used to execute strings that begin with "function" as Javascript. This was an oversight that unfortunately allows arbitrary code to be...
Bots using py-cord as Discord API wrapper are vulnerable to shutdowns through remote code execution
Impact py-cord is a an API wrapper for Discord written in Python. Bots using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the application.commands scope without the bot scope. Currently, it appears that all public bots that use slash commands are...
Flask-AppBuilder before v4.1.3 allows inference of sensitive information through query strings
Impact An authenticated Admin user could craft HTTP requests to filter users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes...