33181 matches found
Partial authorization bypass on document save in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with SCRIPT right EDIT right before XWiki 7.4 can save a document with the right of the current user which allow accessing API requiring programming right if the current user has...
Unauthorized access to Class instance in Jinjava
Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...
Insufficient Session Expiration in Apache NiFi Registry
If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging ou...
Path traversal in Apache James
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based produc...
Missing Authorization in DayByDay CRM
In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account employee type user, can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the...
Inadequate Encryption Strength in Apache NiFi
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced...
Cross-site scripting in Apache NiFi
A XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers...
Infinite loop in Apache CFX
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior ...
Client-Side JavaScript Prototype Pollution in oro/platform
Summary By sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. Workarounds Configure WAF to dro...
Duplicate Advisory: Remote Code Execution in AjaxNetProfessional
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6r7c-6w96-8pvw. This link is maintained to preserve external references. Original Description All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of...
Cross Site Request Forgery in mailman
In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request using that token to set a new admin password or make other changes...
Code injection in FreeIPA
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function berscanf was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger...
Cookie persistence after password changes in symfony/security-bundle
Description ----------- Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login on...
Prototype Pollution in algoliasearch-helper
The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters.parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the...
Apache Ozone exposes OM, SCM and Datanode metadata
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints...
Incorrect Authorization in Apache Ozone
In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins...
Authentication Bypass by CSRF Weakness
Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of solidusauthdevise are affected if protectfromforgery method is both: - Executed whether as: - A beforeaction callback the default - A prependbeforeaction option prepend: tr...
Heap OOB in `FusedBatchNorm` kernels
Impact The implementation of FusedBatchNorm kernels is vulnerable to a heap OOB: python import tensorflow as tf tf.rawops.FusedBatchNormGrad ybackprop=tf.constanti for i in range9,shape=1,1,3,3,dtype=tf.float32 x=tf.constanti for i in range2,shape=1,1,1,2,dtype=tf.float32 scale=1,1,...
Missing Authorization with Default Settings in Dashboard UI
Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter filter is being used to allow only local requests and prohibit all the remote...
Improper Access Control in jupyterhub-firstuseauthenticator
Impact When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if createusers=True and the username is known or guessed. Patches Upgrade to jupyterhub-firstuseauthenticator to 1.0, or apply patch...
ASP.NET Core Denial of Service Vulnerability
Withdrawn This advisory was initially published and mapped incorrectly to nuget Microsoft.NETCore.App.Ref. We later reanalyzed this advisory and found it does not have a direct mapping to a NuGet package. Thus we have withdrawn this advisory. The underlying ASP.NET Core Denial of Service...
Cross-site scripting in demos/demo.mysqli.php in getID3
Cross-site scripting XSS vulnerability in demos/demo.mysqli.php in getID3 1.X and v2.0.0-beta allows remote attackers to inject arbitrary web script or HTML via the showtagfiles parameter...
Exposure of Sensitive Information in keycloak
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events...
Use of a Broken or Risky Cryptographic Algorithm
✍️ Description The function mtrand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are...
Deserialization of Untrusted Data in Neo4j
Neo4j through 3.4.18 with the shell server enabled exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains...
@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution @npmcli/arborist, the library that calculates dependency trees and manages the nodemodules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and t...
Data races in concread
An issue was discovered in the concread crate before 0.2.6 for Rust. Attackers can cause an ARCache data race by sending types that do not implement Send/Sync...
Heap OOB and CHECK fail in `ResourceGather`
Impact An attacker can trigger a crash via a CHECK-fail in debug builds of TensorFlow using tf.rawops.ResourceGather or a read from outside the bounds of heap allocated data in the same API in a release build: python import tensorflow as tf tensor =...
Division by 0 in most convolution operators
Impact Most implementations of convolution operators in TensorFlow are affected by a division by 0 vulnerability where an attacker can trigger a denial of service via a crash: python import tensorflow as tf tf.compat.v1.disablev2behavior tf.rawops.Conv2D input = tf.constant, shape=0, 0, 0, 0,...
Special Element Injection in notebook
Impact Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook. Patches 5.7.11, 6.4.1 References OWASP Page on Injection Prevention For more information If you have any questions or comments about this advisory, or vulnerabilities ...
Archive package allows chmod of file outside of unpack target directory
Impact A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or s...
Access control flaw in Kiali
An incorrect access control flaw was found in the kiali-operator in versions before 1.33.0. This flaw allows an attacker with a basic level of access to the cluster to deploy a kiali operand to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access ...
Insufficient Verification of Data Authenticity in Pillow
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads after jumping to file offsets returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data...
plugin.yaml file allows for duplicate entries in helm
Impact During a security audit of Helm's code base, Helm maintainers identified a bug in which a Helm plugin can contain duplicates of the same entry, with the last one always used. If a plugin is compromised, this lowers the level of access that an attacker needs to modify a plugin's install...
Invalid validation in `QuantizeAndDequantizeV2`
Impact The validation in tf.rawops.QuantizeAndDequantizeV2 allows invalid values for axis argument: python import tensorflow as tf inputtensor = tf.constant0.0, shape=1, dtype=float inputmin = tf.constant-10.0 inputmax = tf.constant-10.0 tf.rawops.QuantizeAndDequantizeV2 input=inputtensor,...
CHECK-fail in SparseConcat
Impact An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.SparseConcat: python import tensorflow as tf import numpy as np indices1 = tf.constant514, 514, 514, 514, dtype=tf.int64 indices2 = tf.constant514, 530, 599, 877, dtype=tf.int64 indices = indices1, indices2 values1 =...
Denial of service (via resource exhaustion) due to improper input validation in third-party identifier endpoint
Impact Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion. Patches The issue is fixed by https://github.com/matrix-org/synapse/pull/9855. Workarounds There are no...
Information Exposure in jaeger
Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger before version 1.18.1 when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials...
Privilege Escalation in Cloud Native Computing Foundation Harbor
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform...
Cross-site Scripting in reveal.js
Insufficient validation in cross-origin communication postMessage in reveal.js version 3.9.1 and earlier allow attackers to perform cross-site scripting attacks...
Authorization bypass in Strapi
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality...
Incorrect Authorization in Apache Solr
When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts...
Prototype Pollution in templ8
All versions of package templ8 up to and including 0.0.44 are vulnerable to Prototype Pollution via the parse function...
Prototype Pollution in madlib-object-utils
madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue...
Regular Expression Denial of Service in hosted-git-info
The npm package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service ReDoS via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity...
Authenticated path traversal in Umbraco CMS
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS = 8.9.1 or current, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package...
Cross-site Scripting in vis-timeline
This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application...
Command Injection in nuance-gulp-build-common
All versions of package nuance-gulp-build-common are vulnerable to Command Injection via the index.js file. PoC: js var a = require"nuance-gulp-build-common" a.run"touch JHU"...
Discovery uses the same AES/GCM Nonce throughout the session
Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...
Out-of-bounds write
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1107...