33181 matches found
Denial of Service attack on windows app using netty
Summary An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. Details When the library netty is...
Ansible vulnerable to Insertion of Sensitive Information into Log File
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as includevars to load vaulted variables without setting the nolog: true parameter, resulting in sensitive data...
ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
Summary Applications using the zitadel-go v3 library next branch might be impacted by package vulnerabilities. The output of govulncheck suggests that only example code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency...
SQL injection in opencart
This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed it does not have ...
Grafana Race condition allowing privilege escalation
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328. Release 9.2.4, latest patch, also containing security fix: - Download Grafana 9.2.4 Appropriate patches have been applied to Grafana Cloud and as always, we...
Pimcore TinyMCE Bundle - tinymce CVE-2024-29203, CVE-2024-29881
Impact The TineMCE Bundle uses tinymce version 6.7.3. CVEs for this version exists for 6.8.1: https://nvd.nist.gov/vuln/detail/CVE-2024-29203 https://nvd.nist.gov/vuln/detail/CVE-2024-29881 Patches The package should be updated to at least 6.8.1 to avoid XSS vulnerability. Workarounds Upgrade...
Drupal Core Remote Code Execution Vulnerability
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical -...
Moby (Docker Engine) started with non-empty inheritable Linux process capabilities
Impact A bug was found in Moby Docker Engine where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during...
Keycloak path traversal vulnerability in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. Thi...
ZITADEL's actions can overload reserved claims
Impact Under certain circumstances an action could set reserved claims managed by ZITADEL. For example it would be possible to set the claim urn:zitadel:iam:user:resourceowner:name json "urn:zitadel:iam:user:resourceowner:name": "ACME" if it was not set by ZITADEL itself. To compensate for this w...
Nuclei allows unsigned code template execution through workflows
Overview A significant security oversight was identified in Nuclei v3, involving the execution of unsigned code templates through workflows. This vulnerability specifically affects users utilizing custom workflows, potentially allowing the execution of malicious code on the user's system. This...
Users with `create` but not `override` privileges can perform local sync
Impact "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper...
Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been...
Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field
TL;DR This vulnerability affects Kirby sites that use the URL field in any blueprint. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack cannot be automated. The vulnerability is als...
Rancher API Server Cross-site Scripting Vulnerability
Impact A vulnerability has been identified in which unauthenticated cross-site scripting XSS in the API Server's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. The attack vector was identifi...
Talos Linux ships runc vulnerable to the escape to the host attack
Impact Snyk has discovered a vulnerability in all versions of runc =1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious...
Grafana path traversal
Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7. This patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0. Release v8.3.1, only containing a security fix: - Download Grafana 8.3.1 - Release notes Release v8.2.7, only...
HashiCorp Vault Authentication bypass
HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1...
Grafana XSS in Dashboard Text Panel
Grafana 5.3.1 has XSS via the "Dashboard Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099...
Minor fix to previous patch for CVE-2022-35918
Impact The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific condition...
Craft CMS Privilege Escalation
Impact This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft with certain user permissions setups. Patches This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. References...
Allocation of Resources Without Limits in Keycloak
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens 500,000 users with each having at least 2 saved sessions. If an attacker creates two or more user sessions and then open the "consents" tab of th...
Withdrawn Advisory: Prometheus XSS Vulnerability
Withdrawn Advisory This advisory has been withdrawn because the vulnerability does not apply to the Prometheus golang package. This link is maintained to preserve external references. Original Description A stored, DOM based, cross-site scripting XSS flaw was found in Prometheus before version...
Unauthenticated db-file-storage views
Impact In Nautobot 1.x and 2.0.x, the URLs /files/get/?name=... and /files/download/?name=... are used to provide admin access to files that have been uploaded as part of a run request for a Job that has FileVar inputs. Under normal operation these files are ephemeral and are deleted once the Job...
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
Impact CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in allowlistedcontenttype? determines Content-Type permissions by performing a partial match. If the contenttype argument of allowlistedcontenttype? is...
Duplicate Advisory: phpseclib vulnerable to denial of service
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2f25-pfq3-c7h8. This link is maintained to preserve external references. Original Description In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees in binary fields can lead to a denial...
In Reactor Netty HTTP Server a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured t...
Symfony possible session fixation vulnerability
Description SessionStrategyListener does not always migrate the session after a successful login. It only migrate the session when the logged-in user identifier changes. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token...
capsule-proxy service discloses Namespaces of colliding tenants to owners of different tenants with the same ServiceAccount name
Summary A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. Details - Tenant solar, owned by a ServiceAccount named tenant-owner in the Namespace solar - Tenant wind, owne...
Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews
Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Proof of Concept Step 1. Go to /admin and login. Step 2. In Documents, go to home - click on Sample Conten...
Ingress nginx annotation injection causes arbitrary command execution
Issue Details A security issue was identified in ingress-nginx where the nginx.ingress.kubernetes.io/configuration-snippet annotation on an Ingress object in the networking.k8s.io or extensions API group can be used to inject arbitrary commands, and obtain the credentials of the ingress-nginx...
SaToken privilege escalation vulnerability
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL...
Django Grappelli Open Redirect vulnerability
views/switch.py in django-grappelli aka Django Grappelli before 2.15.2 attempts to prevent external redirection with startswith"/" but this does not consider a protocol-relative URL e.g., //example.com attack...
Jeecg boot SQL Injection vulnerability
Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vulnerability via the component /jeecg-boot/jmreport/show...
OpenFGA Authorization Bypass
Overview Some end users of OpenFGA v1.3.0 or earlier are vulnerable to authorization bypass when calling the ListObjects API. This means that the API sometimes returns more objects than it should. Am I Affected? The vulnerability affects customers using ListObjects with specific models. The...
Craft CMS vulnerable to Remote Code Execution via validatePath bypass
Summary Bypassing the validatePath function can lead to potential Remote Code Execution Post-authentication, ALLOWADMINCHANGES=true Details In bootstrap.php, the SystemPaths path is set as below. php // Set the vendor path. By default assume that it's 4 levels up from here $vendorPath =...
Jenkins NodeJS Plugin improper credential masking vulnerability
Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. NodeJS Plugin 1.6.0 and earlier does not properly mask i.e., replace with asterisks credentials specified in the Npm config file in...
matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
Impact It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Patches Please upgrade to 1.0.1. Workarounds You can set the matrixHandler.eventCacheSize config value to 0 to workaround this...
PyPDF2 quadratic runtime with malformed PDF missing xref marker
Impact An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. Patches https://github.com/py-pdf/pypdf/pull/808 Workarounds ...
org.xwiki.commons:xwiki-commons-xml's HTML sanitizer allows form elements in restricted
Impact The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add ...
Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability
Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.This vulnerability is considered low since it requires DAG code to use getsqlalchemyconnection and someone with access to connection resources...
Apache Airflow vulnerable to Privilege Context Switching Error
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.6.0...
Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints
Impact Mutagen command line operations, as well as the log output from mutagen daemon run, are susceptible to control characters that could be provided by remote endpoints. This can cause terminal corruption, either intentional or unintentional, if these characters are present in error messages,...
Improper input validation in github.com/gin-gonic/gin
Versions of the package github.com/gin-gonic/gin before version 1.9.0 are vulnerable to Improper Input Validation by allowing an attacker to use a specially crafted request via the X-Forwarded-Prefix header, potentially leading to cache poisoning. Note: Although this issue does not pose a...
Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer
Impact There is an ext4 use-after-free flaw described in CVE-2022-1184 that is exploitable through versions of Apptainer 1.1.0 and installations that include apptainer-suid 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10...
Possible XSS injection through Validate::isCleanHTML method
Impact ValidateCore::isCleanHTML method of Prestashop misses hijickable events which can lead to XSS injection, allowed by the presence of pre-setup @keyframes methods. This XSS which hijacks HTML attributes will be triggered without any interaction of the visitor/administrator which makes it as...
configobj ReDoS exploitable by developer using values in a server-side configuration file
All versions of the package configobj are vulnerable to Regular Expression Denial of Service ReDoS via the validate function, using .+?.. Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file...
Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
Summary When a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use Functions. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function...
Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process
A vulnerability identified in the implementation of Tailscale SSH in FreeBSD allowed commands to be run with a higher privilege group ID than that specified by Tailscale SSH access rules. Affected platforms: FreeBSD Patched Tailscale client versions: v1.38.2 or later What happened? A difference i...
Apache Tomcat vulnerable to Unprotected Transport of Credentials
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...