33181 matches found
Missing input validation can lead to command execution in composer
The Composer method VcsDriver::getFileContent with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. This led to a vulnerability on Packagist.or...
Unauthenticated user can list hidden document from multiple velocity templates in XWiki
Impact A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. Patches The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. Workarounds There is no known workaround for this problem. References...
Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors()
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors or getSelectorsBySpecificity is called with input from an attacker...
SQL Injection in Moodle
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default...
Deserialization of Untrusted Data in Apache Dubbo
Apache Dubbo prior to 2.6.9 and 2.7.10 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection AP...
Cross-site Scripting in FreeTAKServer-UI
FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting XSS vulnerability via the Callsign parameter...
Command injection in simple-git
The package simple-git before 3.3.0 is vulnerable to Command Injection via argument injection. When calling the .fetchremote, branch, handlerFn function, both the remote and branch parameters are passed to the git fetch subcommand. By injecting some git options, it was possible to get arbitrary...
Command Injection in CasaOS
CasaOS before v0.2.7 was discovered to contain a command injection vulnerability via the component leave or join zerotier api...
Arbitrary file write in nats-server
This document is canonically: Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. JetStream is the optional RAFT-based resilient persistent feature of NATS. Problem Description The JetStream...
open redirect in pollbot
From https://bugzilla.mozilla.org/showbug.cgi?id=1753838 Summary: There was an open redirection vulnerability in the path of: https://pollbot.services.mozilla.com/ and https://pollbot.stage.mozaws.net/ Description: An attacker can redirect anyone to malicious sites. Steps To Reproduce: Type in th...
Improper Neutralization of Special Elements used in an OS Command in Jenkins Pipeline: Groovy Plugin
Jenkins Pipeline: Groovy Plugin prior to 2656.vf7ae7b75a457, 2.94.1, and 2.92.1 uses the same checkout directories for distinct SCMs when reading the script file typically Jenkinsfile for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controlle...
Improper Input Validation in Xerces
A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This iss...
"catalog's registry v2 api exposed on unauthenticated path in Harbor"
Impact Javier Provecho, member of the TCCT Telefonica Cloud & Cybersecurity Tech better known as ElevenPaths SRE team discovered a vulnerability regarding Harbor’s v2 API. The catalog’s registry v2 api is exposed on an unauthenticated path. The current catalog API path is served at the following...
Nil dereference in NATS JWT, DoS of nats-server
Problem Description The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account. The Operator should be able to safely issue Accounts to other entities which it does not fully trust. A malicious Account...
OS Command Injection in node-key-sender
node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute' function...
Improper Validation of Specified Quantity in Input in Eclipse Hono
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP...
Cross-site Scripting in markdown-it-highlightjs
This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. js const markdownItHighlightjs = require"markdown-it-highlightjs"; const md = require'markdown-it'; const...
Incorrect Authorization in Apache Solr
Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 prevents some features considered dangerous which could be used for remote code execution to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such featur...
Division by zero in Tensorflow
Impact The implementation of FractionalMaxPool can be made to crash a TensorFlow process via a division by 0: python import tensorflow as tf import numpy as np tf.rawops.FractionalMaxPool value=tf.constantvalue=1, 4, 2, 3, dtype=tf.int64, poolingratio=1.0, 1.44, 1.73, 1.0, pseudorandom=False,...
Improper Input Validation in Apache Unomi
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process...
Generation of Error Message Containing Sensitive Information in Keycloak
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack...
Memory leak in micronaut-core
Impact Sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. Patches The problem is patched in Micronaut 3.2.7 and above. Workarounds The default content type binder can be replaced in an existing Micronau...
Inefficient Regular Expression Complexity in marked
Impact What kind of vulnerability is it? Denial of service. The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following. javascript import as marked from "marked"; marked.parsex:$' '.repeat1500x $' '.repeat1500 x; Who is impacted? Anyone who run...
Cross-site Scripting in Apache Pluto
The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting XSS attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact...
Open Redirect in Grav
Common/Grav.php in Grav before 1.6.23 has an Open Redirect...
Improper Authorization in Keycloak
A incorrect authorization flaw was found in Keycloak 12.0.0, the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled...
Authelia vulnerable to an authentication bypassed with malformed request URI on nginx
Impact This affects uses who are using nginx ngxhttpauthrequestmodule with Authelia, it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially suppo...
Improper Restriction of XML External Entity Reference in com.h2database:h2.
H2 is an embeddable RDBMS written in Java. The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity XXE Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML method. If it...
Invalid handling of `X509_verify_cert()` internal errors in libssl
Internally libssl in OpenSSL calls X509verifycert on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error for example out of memory. Such a negative return value is mishandled by OpenSSL and will cause an IO...
Path traversal in Matrix Synapse
Impact Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory. The last two directories and file name of the path are chosen randomly by Synapse and cannot be...
Exposure of sensitive information in Apache Ozone
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration...
Incorrect permissions in Apache Ozone
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block...
Improper Verification of Cryptographic Signature in starkbank-ecdsa
The verify function in the Stark Bank Python ECDSA library starkbank-ecdsa 2.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages...
FPE in convolutions with zero size filters
Impact The implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. Patches We have patched the issue in GitHub commit f2c3931113eaafe9ef558faaddd48e00a6606235. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on...
Prototype Pollution in node-jsonpointer
This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays...
Arbitrary command execution on Windows via qutebrowserurl: URL handler
Impact Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers it as a handler for certain URL schemes. With some applications such as Outlook Desktop, opening a specially crafted URL can lead to argument injection, allowing execution of qutebrowser commands, which in tu...
Cross-site Scripting in snipe-it
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
Authz Module Non-Determinism
Impact Consensus failure for 0.43.x and 0.44.0,1 users. Funds and balances are safe. Patches 0.44.2 Workarounds Manually patch the code. --- Full details posted in https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349...
Nameko Arbitrary code execution due to YAML deserialization
Impact Nameko can be tricked to perform arbitrary code execution when deserialising a YAML config file. Example: yaml malicious.yaml !!python/object/new:type args: 'z', !!python/tuple , 'extend': !!python/name:exec listitems: "import'os'.system'cat /etc/passwd'" shell $ nameko run --config...
Cross-site Scripting in LaraCMS
LaraCMS contains a stored cross-site scripting XSS vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content editor...
CSV injection in Craft CMS
Withdrawn Duplicate of GHSA-h7vq-5qgw-jwwq...
Cross-site Scripting in GilaCMS
A cross-site scripting XSS vulnerability in /admin/content/post of GilaCMS v1.11.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Tags field...
Inefficient Regular Expression Complexity in handsontable
The package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service ReDoS in Handsontable.helper.isNumeric function...
LiveQuery publishes user session tokens in parse-server
Impact For regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery...
Regular Expression Denial of Service in jsoneditor
JSON Editor is a web-based tool to view, edit, format, and validate JSON. It has various modes such as a tree editor, a code editor, and a plain text editor. The jsoneditor package is vulnerable to ReDoS regular expression denial of service. An attacker that is able to provide a crafted element a...
Traefik has an Improper Certificate Handling issue
configurationwatcher.go in Traefik 2.x before 2.1.4 and TraefikEE 2.0.0 mishandles the purging of certificate contents from providers before logging...
Use of Cryptographically Weak Pseudo-Random Number Generator in showdoc
showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator PRNG...
Malicious password-reset in Akaunting
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please...
Exposed phpinfo() leadked via documentation files
Impact The phpinfo can be exposed if the /vendor is not protected from public access. This is a rare situation today since the vendor directory is often located outside the web directory or protected via server rule .htaccess, etc. Patches Only the v6, v7 and v8 will be patched respectively in...
Data races in multiqueue
Affected versions of this crate unconditionally implemented Send for types used in queue implementations InnerSend, InnerRecv, FutInnerSend, FutInnerRecv. This allows users to send non-Send types to other threads, which can lead to data race bugs or other undefined behavior...