33181 matches found
svg-sanitizer has Cross-site Scripting Bypass
Update In 88 we have determined that the bypass this security advisory was created for, was a false positive and as such we have requested that the CVE be rejected. A bypass has been found that allows an attacker to upload an SVG with persistent XSS. HTML elements within CDATA needed to be...
Streamlit publishes previously-patched Cross-site Scripting vulnerability
Synopsis: Streamlit open source publicizes a prior security fix implemented in 2021. The vulnerability affected Streamlit versions between 0.63.0 and 0.80.0 inclusive and was patched on April 21, 2021. If you are using Streamlit with version before 0.63.0 or after 0.80.0, no action is required. 1...
Vega Expression Language `scale` expression function Cross Site Scripting
Summary The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. Details The scale expression function passes a user supplied argument gro...
Unsafe fall-through in getWhereConditions
Impact Providing an invalid value to the where option of a query caused Sequelize to ignore that option instead of throwing an error. A finder call like the following did not throw an error: ts User.findAll where: new Date, ; As this option is typically used with plain javascript objects, be awar...
java-xmlbuilder vulnerable to XML External Entity Reference
A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is...
Argo CD leaks repository credentials in user-facing error messages and in logs
Impact All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an...
Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set
A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFTATTESTPASSWORD environment variable. Impact The SYFTATTESTPASSWORD environment variable is for the syft attest command to generate attested SBOMs for the given container image...
Eta vulnerable to Code Injection via templates rendered with user-defined data
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution RCE by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data...
Cross-site request forgery in Jenkins Gerrit Trigger Plugin
A cross-site request forgery CSRF vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit...
thorsten/phpmyfaq is vulnerable to cross-site scripting (XSS)
Cross-site Scripting XSS - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10...
Duplicate Advisory: PapaParse Inefficient Regular Expression Complexity vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references. Original Description A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unkno...
.NET Denial of Service Vulnerability
Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to...
Keycloak vulnerable to session takeover with OIDC offline refreshtokens
An issue was discovered in Keycloak when using a client with the offlineaccess scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user. This iss...
Apache CXF Server-Side Request Forgery vulnerability
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type...
Snakeyaml vulnerable to Stack overflow leading to denial of service
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks DOS. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack...
Apache Pulsar Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Clients vulnerable to MITM attack
The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or...
.NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 5.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A Denial of Service vulnerability exists in .NET 6.0 and...
matrix-js-sdk subject to user impersonation due to key/device identifier confusion in SAS verification
Impact An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of th...
XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor
Impact Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects...
rdiffweb Missing Custom Error Page
rdiffweb version 2.4.1 is set to a default and leaks error information. Version 2.4.2 fixes this issue...
OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
lib/omniauth/failureendpoint.rb in OmniAuth before 1.9.2 and before 2.0 does not escape the messagekey value...
Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow
GraphQL behaviour Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion. graphql Infinite loop example query ...a fragmen...
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
Impact SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to revert, given a target contract that doesn't implement EIP-1271 as expected. The contracts that may be affected are those that use...
Apache SkyWalking NodeJS Agent can lose availability if header includes illegal SkyWalking header
A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection...
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting XSS due to improper input sanitization and to improper escape of attributes when using objects during SSR Server-Side Rendering. Exploiting this vulnerability is possible via objects with a custom toString function...
Cross-site Scripting in Jenkins GitLab Plugin
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. GitLab Plugin 1.5.35 does not show user-provide...
CURLOPT_HTTPAUTH option not cleared on change of origin
Impact Authorization headers on requests are sensitive information. When using our Curl handler, it is possible to use the CURLOPTHTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we...
Possible information disclosure inside TreeGrid component with default data provider
Description The default configuration of a TreeGrid component uses Object::toString as a key on the client-side and server communication in Vaadin 14.8.5 through 14.8.9, 22.0.6 through 22.0.14, 23.0.0.beta2 through 23.0.8 and 23.1.0.alpha1 through 23.1.0.alpha4, resulting in potential information...
Incomplete validation in signal ops leads to crashes in TensorFlow
Impact The tf.compat.v1.signal.rfft2d and tf.compat.v1.signal.rfft3d lack input validation and under certain condition can result in crashes due to CHECK-failures. Patches We have patched the issue in GitHub commit 0a8a781e597b18ead006d19b7d23d0a369e9ad73 merging GitHub PR 55274. The fix will be...
Missing validation causes denial of service via `DeleteSessionTensor`
Impact The implementation of tf.rawops.DeleteSessionTensor does not fully validate the input arguments. This results in a CHECK-failure which can be used to trigger a denial of service attack: python import tensorflow as tf handle = tf.constant"", shape=0, dtype=tf.string...
Gravity Forms stored Cross-Site Scripting (XSS) vulnerability
A stored Cross-Site Scripting XSS vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role Administrator, Editor, etc...
Missing hostname validation in Email Extension Plugin
Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. Email Extension Plugin 2.76 validates the SMTP hostname when...
containernetworking/plugins vulnerable to MitM attacks
A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle MitM attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or...
libxslt Type Confusion vulnerability that affects Nokogiri
In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. Nokogiri prior to version 1.10.5 used a vulnerable...
Plone Code Injection vulnerability
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface...
Symfony Denial of Service Via Long Password Hashing
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service CPU consumption via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a...
Deserialization of Untrusted Data in Jenkins
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void...
curl FTP path confusion leads to NIL byte out of bounds write
curl can be coerced into writing a zero byte out of bounds. This bug can trigger when curl is told to work on an FTP URL, with the setting to only issue a single CWD command --ftp-method singlecwd or the libcurl alternative CURLOPTFTPFILEMETHOD. curl then URL-decodes the given path, calls strlen ...
Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
The Enhanced Image aka image2 plugin for CKEditor in versions 4.5.10 through 4.9.1; fixed in 4.9.2, and as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, is vulnerable to cross-site scripting because it allows remote attackers to inject arbitrary web script through a...
Authlogic Information Exposure vulnerability
The Authlogic gem for Ruby on Rails prior to version 3.3.0 makes potentially unsafe findbyid method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secrettoken value, as demonstrated by a value...
ClassLoader manipulation in Apache Struts
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists...
ChakraCore information disclosure vulnerability
An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers, aka "Scripting Engine Information Disclosure Vulnerability." This affects ChakraCore, Internet Explorer 11, Microsoft Edge...
Keycloak Reflected XSS
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server...
ChakraCore RCE Vulnerability
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8267...
Improper Input Validation in Apache Tomcat
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a...
Apache Tomcat Improper Access Control vulnerability
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency...
Moodle Allows Modification of Constants
The MoodleQuickForm class in the Forms Library in lib/formslib.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API setConstant operations, which allows remote attackers to submit unexpected form content by modifying the values of constant...
Nokogiri gem, via libxml, is affected by DoS vulnerabilities
parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities...
Rack arbitrary code execution via timing attack
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that doe...
Denial of Service in http-swagger
Impact Allows an attacker to perform a DOS attack consisting of memory exhaustion on the host system. Patches Yes. Please upgrade to v1.2.6. Workarounds A workaround is to restrict the path prefix to the "GET" method. As shown below func main r := mux.NewRouter...