33227 matches found
n8n has Unauthenticated Expression Evaluation via Form Node
Impact A second-order expression injection vulnerability existed in n8n's Form nodes that could allow an unauthenticated attacker to inject and evaluate arbitrary n8n expressions by submitting crafted form data. When chained with an expression sandbox escape, this could escalate to remote code...
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute
Summary A stored Cross-site Scripting XSS vulnerability was identified in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of...
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerability its Identity Name
Summary A stored Cross-site Scripting XSS vulnerability was identified in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the Web...
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Metadata
Summary A stored Cross-site Scripting XSS vulnerability was identified in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebU...
Mautic is Vulnerable to SQL Injection through Contact Activity API Sorting
Summary This advisory addresses a SQL Injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not strictly validate...
ImageMagick has a heap Buffer Over-read in its DJVU image format handler
A heap Buffer Over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride row size for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in an out-of-bounds memory reads...
ImageMagick: Heap Buffer Over-read in WaveletDenoise when processing small images
A heap buffer over-read vulnerability occurs when processing an image with small dimension using the -wavelet-denoise operator. ==3693336==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x511000001280 at pc 0x5602c8b0cc75 bp 0x7ffcb105d510 sp 0x7ffcb105d500 READ of size 4 at...
hexchat crate has a Use After Free vulnerability
All versions of this crate have function deregistercommand which can result in use after free. This is unsound. In addition, all versions since 0.3.0 have "safe" macros, which are documented as unsafe to use in threads. In addition, the hexchat crate is no longer actively maintained. If users rel...
CIRCL has an incorrect calculation in secp384r1 CombinedMult
The CombinedMult function in the CIRCL ecc/p384 package secp384r1 curve produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3...
ImageMagick: Heap-based Buffer Overflow in GetPixelIndex due to metadata-cache desynchronization
OpenPixelCache updates image channel metadata before attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer that calls GetPixelIndex...
ImageMagick: Memory Leak in multiple coders that write raw pixel data
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed. Direct leak of 160 bytes in 1 objects allocated from:...
ImageMagick: Memory leak in coders/txt.c without freetype
If a texture attribute is specified for a TXT file, an attempt will be made to read it via texture=ReadImagereadinfo,exception;. Later, when retrieving metrics via the GetTypeMetrics function, if this function fails i.e., status == MagickFalse, the calling function will exit immediately but fail ...
ImageMagick: SVG-to-MVG Command Injection via coders/svg.c
An attacker can inject arbitrary MVG Magick Vector Graphics drawing commands in an SVG file that is read by the internal SVG decoder of ImageMagick. The injected MVG commands execute during rendering...
ImageMagick: Malicious PCD files trigger 1‑byte heap Out-of-bounds Read and DoS
The PCD coder’s DecodeImage loop allows a crafted PCD file to trigger a 1‑byte heap out-of-bounds read when decoding an image Denial of service and potential disclosure of adjacent heap byte...
mageMagick has a possible use-after-free write in its PDB decoder
A use-after-free vulnerability exists in the PDB decoder that will use a stale pointer when a memory allocation fails and that could result in a crash or a single zero byte write. ==4033155==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 pc 0x5589c1971b24 bp...
ImageMagick has a possible heap Use After Free vulnerability in its meta coder
A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at...
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
A stored Cross-site Scripting XSS vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious...
changedetection.io is Vulnerable to SSRF via Watch URLs
Summary Changedetection.io is vulnerable to Server-Side Request Forgery SSRF because the URL validation function issafevalidurl does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user or any user when no password is...
changedetection.io Vulnerable to Reflected XSS in RSS Single Watch Error Response
Summary Three security vulnerabilities were identified in changedetection.io through source code review and live validation against a locally deployed Docker instance. All vulnerabilities were confirmed exploitable on the latest version 0.53.6 it was additionally validated at scale against 500...
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
Impact A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection SSTI. Patches Flask-Reuploaded has been patched in version 1.5.0 Workarounds 1. Do not...
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Impact The ConfigKeyCache uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only user can receive the cached full master key, or a regular user can receive the cached read-only master key. Patches The...
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Impact The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches The fix adds CSRF middleware to the agent endpoi...
Parse Dashboard is Missing Authorization for its Agent Endpoint
Impact The AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and c...
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS) through Custom Rule Function
Summary A stored Cross-site Scripting XSS vulnerability was identified in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of...
Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
Summary A critical unsafe eval vulnerability in Budibase's view filtering implementation allows any authenticated user including free tier accounts to execute arbitrary JavaScript code on the server. This vulnerability ONLY affects Budibase Cloud SaaS - self-hosted deployments use native CouchDB...
AVideo has Authenticated Server-Side Request Forgery via downloadURL in aVideoEncoder.json.php
Vulnerability Type Authenticated Server-Side Request Forgery SSRF Affected Product/Versions AVideo versions prior to 22 tested on AVideo 21.x. Root Cause Summary The aVideoEncoder.json.php API endpoint accepts a downloadURL parameter and fetches the referenced resource server-side without proper...
Rucio WebUI has Username Enumeration via Login Error Message
Summary The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Details When submitting invalid credentials to /ui/login, the WebUI responds with different error messages based on th...
Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Summary A reflected Cross-site Scripting vulnerability was located in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Details The WebUI error message renders ExceptionMessage...
Parse Dashboard has incomplete authentication on AI Agent endpoint
Impact The AI Agent API endpoint POST /apps/:appId/agent lacks authentication. Unauthenticated remote attackers can send requests to the endpoint and perform arbitrary database operations against any connected Parse Server using the master key. Patches The fix adds authentication middleware to th...
c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
Impact c3p0 is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to v0.12.0, that property was...
OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function
An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...
OpenKruise PodProbeMarker is Vulnerable to SSRF via Unrestricted Host Field
Summary PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers. The webhook validation does not restrict the Host field in these probe configurations. Since kruise-daemon runs with hostNetwork=true, it executes probes from the node network namespace. An attacker with...
ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation
Impact The RSASHA256Algorithm and RSASHA1Algorithm contracts fail to validate PKCS1 v1.5 padding structure when verifying RSA signatures. The contracts only check if the last 32 or 20 bytes of the decrypted signature match the expected hash. This enables Bleichenbacher's 2006 signature forgery...
mchange-commons-java: Remote Code Execution via JNDI Reference Resolution
Impact mchange-commons-java includes code that mirrors early implementations of JNDI functionality, including support for remote factoryClassLocation values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously...
Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
Summary A bug in Astro's image pipeline allows bypassing image.domains / image.remotePatterns restrictions, enabling the server to fetch content from unauthorized remote hosts. Details Astro provides an inferSize option that fetches remote images at render time to determine their dimensions. Remo...
OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()
Summary An OS command injection vulnerability in NetworkPathMonitor.performTraceroute allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. Details The vulnerability exists in...
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Summary When using the AWS Lambda adapter hono/aws-lambda behind an Application Load Balancer ALB, the getConnInfo function incorrectly selected the first value from the X-Forwarded-For header. Because AWS ALB appends the real client IP address to the end of the X-Forwarded-For header, the first...
Sliver has Potential Zip Bomb Denial of Service in GzipEncoder
Summary GzipEncoder does not limit output size when processing compressed data. This allows unauthenticated remote attackers to crash sliver server by sending a http request with highly compressed gzip data aka zip bomb. Details In util/encoders/gzip.go, Decode method decompresses given data by...
@enclave-vm/core is vulnerable to Sandbox Escape
Summary It is possible to escape the security boundraries set by @enclave-vm/core, which can be used to achieve remote code execution RCE. The issue has been fixed in version 2.11.1. --- Details It is possible to obtain the native Object constructor instead of the SafeObject wrapper. This can be...
OliveTin: OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks
Summary OliveTin's shell mode safety check checkShellArgumentSafety blocks several dangerous argument types but not password. A user supplying a password-typed argument can inject shell metacharacters that execute arbitrary OS commands. A second independent vector allows unauthenticated RCE via...
pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams
Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. Patches This has been fixed in pypdf==6.7.2. Workarounds If users cannot upgrade yet, consider applying the changes from PR 3655...
TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload
I. Summary A Stored Cross-Site Scripting XSS vulnerability exists in the file upload module of TypiCMS. The application allows users with file upload permissions to upload SVG files. While there is a MIME type validation, the content of the SVG file is not sanitized. An attacker can upload a...
Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering
Summary An unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. Details When Pygments returns more lines than it was given a known upstream quirk...
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Impact The RepoCard component is vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability occurs because the component uses React's dangerouslySetInnerHTML to render the repository name repo prop during the loading state without any sanitization. If a developer using this package passe...
FileBrowser Quantum: Password Protection Not Enforced on Shared File Links
Summary When users share password-protected files, the recipient can completely bypass the password and still download the file. Details This happens because the API returns a direct download link in the details of the share, which is accessible to anyone with JUST THE SHARE LINK, even without th...
Fickling has safety check bypass via REDUCE+BUILD opcode sequence
Assessment It is believed that the analysis pass works as intended, REDUCE and BUILD are not at fault here. The few potentially unsafe modules have been added to the blocklist https://github.com/trailofbits/fickling/commit/0c4558d950daf70e134090573450ddcedaf10400. Original report Summary All 5 of...
ImageMagick: Integer Overflow in PSB (PSD v2) RLE decoding path causes heap Out of Bounds reads for 32-bit builds
An integer overflow in the PSB PSD v2 RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files. ================================================================= ==3298==ERROR: AddressSanitizer:...
esm.sh is vulnerable to full-response SSRF
Summary esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Details Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.goL511 If the intern...
Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory
The CreateNewDAG API endpoint POST /api/v1/dags does not validate the DAG name before passing it to the file store. While RenameDAG calls core.ValidateDAGName to reject names containing path separators line 273 in dags.go, CreateNewDAG skips this validation entirely and passes user input directly...
Fickling: OBJ opcode call invisibility bypasses all safety checks
Assessment The interpreter so it behaves closer to CPython when dealing with OBJ, NEWOBJ, and NEWOBJEX opcodes https://github.com/trailofbits/fickling/commit/ff423dade2bb1f72b2b48586c022fac40cbd9a4a. Original report Summary All 5 of fickling's safety interfaces -- islikelysafe, checksafety, CLI...