33367 matches found
Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
Grav v1.7.49.5 / Admin v1.10.49.1 – User Enumeration & Email Disclosure Summary A user enumeration and email disclosure vulnerability exists in Grav v1.7.49.5 with Admin plugin v1.10.49.1. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their...
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL
Summary The MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host...
Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/accounts/groups/Grupo endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datareadableName parameter. The injected scripts are stored on the server and...
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiples parameters
Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadermetadata, dataheadertaxonomycategory, and dataheadertaxonomytag parameters. These...
Grav Exposes Password Hashes Leading to privilege escalation
Exposure of Password Hashes Leading to privilege escalation Severity Rating: Medium Vector: Privilege Escalation CVE: XXX CWE: 200 - Exposure of Sensitive Information CVSS Score: 6.2 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L Analysis It was observed that if a users is given read...
Grav is vulnerable to a DOS on the admin panel
DOS on the admin panel Severity Rating: Medium Vector: Denial Of Service CVE: XXX CWE: 400 - Uncontrolled Resource Consumption CVSS Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Analysis A Denial of Service DoS vulnerability has been identified in the application related to...
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
Summary Due to a broken access control vulnerability in the /admin/pages/pagename endpoint, an editor user with full permissions to pages can change the functionality of a form after submission. Details Due to improper authorization checks when modifying critical fields on a POST request to...
Grav is vulnerable to Arbitrary File Read
Summary - A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. - This includes Grav user account files - /grav/user/accounts/.yaml. This file stores hashed user password, 2FA secret, and the password reset token. - This can allow an adversar...
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
Summary Grav CMS is vulnerable to a Server-Side Template Injection SSTI that allows any authenticated user with editor permissions to execute arbitrary code on the remote server, bypassing the existing security sandbox. Details Grav CMS uses a custom sandbox to protect the powerful Twig methods...
Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
Summary A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new...
Keycloak has debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode --debug insecurely defaults to binding the Java Debug Wire Protocol JDWP port to all network interfaces 0.0.0.0. This exposes the debug port to the local network, allowing an attacker on the same network segment to...
Snipe-IT allows stored XSS via the Locations "Country" field
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session...
maxminddb's `Reader::open_mmap` unsoundly marks unsafe memmap operation as safe
maxminddb prior to version 0.27 declared Reader::openmmap as safe despite wrapping an inherently unsafe memmap2 operation with no extra step done to guarantee safety. This could have led to undefined behaviour if the file were to be modified on disk while the memory map was still active...
Werkzeug safe_join() allows Windows special device names
Werkzeug's safejoin function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. sendfromdirectory uses safejoin to safely serve files at user-specified paths under a director...
rtvm-interpreter lacks sufficient checks in public API
The affected function is unsound due to insufficient checks on public struct field...
Snipe-IT is vulnerable to stored cross-site scripting
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation...
Mattermost fails to validate user permissions when deleting comments in Boards
Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users...
Better Auth affected by external request basePath modification DoS
Summary Affected versions of Better Auth allow an external request to configure baseURL when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users. This issue is only exploitable when baseURL is not explicitly...
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
Summary A DoS can occur that immediately halts the system due to the use of an unsafe function. Details According to RFC 5322, nested group structures a group inside another group are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested...
Spotipy has a XSS vulnerability in its OAuth callback server
Summary XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. Details Vulnerable Code: spotipy/oauth2.py lines 1238-1274 RequestHandler.doGET The...
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib
Summary The fonttools varLib or python3 -m fontTools.varLib script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main code path of fontTools.varLib, used by the fonttools varLib CLI and...
Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic
Impact CiliumNetworkPolicys which use egress.toGroups.aws.securityGroupsIds to reference AWS security group IDs that do not exist or are not attached to any network interface may unintentionally allow broader outbound access than intended by the policy authors. In such cases, the toCIDRset sectio...
XWiki Jetty Package (XJetty) allows accessing any application file through URL
Impact In an instance which is using the XWiki Jetty package XJetty, a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials, like http://myhots/webapps/xwiki/WEB-INF/xwiki.cfg,...
Withdrawn Advisory: express improperly controls modification of query properties
Withdrawn Advisory This advisory has been withdrawn because it describes a correctness bug, not a vulnerability with real security impact. This link is maintained to preserve external references. Original Description Impact when using the extended query parser in express 'query parser': 'extended...
Apache Struts is Vulnerable to DoS via File Leak
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue...
FeehiCMS is vulnerable to reverse tabnabbing
Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function...
FeehiCMS is vulnerable to cross-site scripting via the id parameter of the User Update function
Cross Site Scripting XSS vulnerability in FeehiCMS 2.1.1 via the id parameter of the User Update function ?r=user%2Fupdate...
FeehiCMS fails to enforce server-side immutability
FeehiCMS version 2.1.1 fails to enforce server-side immutability for parameters that are presented to clients as "read-only." An authenticated attacker can intercept and modify the parameter in transit and the backend accepts the changes. This can lead to unintended username changes...
NutzBoot Incorrect Privilege Assignment vulnerability
A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Transaction API. The manipulation...
NutzBoot vulnerable to information disclosure
A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-web3j/src/main/java/io/nutz/demo/simple/module/EthModule.java of the component Ethereum Wallet Handler...
NutzBoot vulnerable to deserialization
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-literpc/src/main/java/org/nutz/boot/starter/literpc/impl/endpoint/http/HttpServletRpcEndpoint.java of the component LiteRpc-Serializer. Executing...
yungifez Skuul School Management System vulnerable to XSS via SVG
A weakness has been identified in yungifez Skuul School Management System up to 2.6.5. This vulnerability affects unknown code of the file /dashboard/schools/1/edit of the component SVG File Handler. This manipulation causes cross site scripting. The attack is possible to be carried out remotely...
Skuul School Management System has a Sensitive Data Exposure Vulnerability in Uploaded Images
A security vulnerability has been detected in yungifez Skuul School Management System up to 2.6.5. This issue affects some unknown processing of the file /user/profile of the component Image Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The...
trytond does not enforce access rights for the route of the HTML editor.
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70...
trytond does not enforce access rights for data export
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70...
Tryton sao allows XSS via an HTML attachment
Tryton sao aka tryton-sao before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67...
Tryton sao allows XSS because it does not escape completion values
Tryton sao aka tryton-sao before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69...
trytond allows remote attackers to obtain sensitive trace-back (server setup) information
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back server setup information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70...
LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. This is fixed in a forked release: at.yawk.lz4:lz4-java version 1.8.1. The original project has been archived:...
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references. Original Description Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.getfile function when extractin...
Mustangproject allows exfiltrating files via XXE attacks
Mustang before 2.16.3 allows exfiltrating files via XXE attacks...
Peppol-py is vulnerable to XXE attacks due to Saxon configuration
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host...
ThingsBoard allows an authenticated user to upload malicious SVG images
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...
Mattermost fails to to verify the token used during code exchange
Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email...
Mattermost fails to sanitize team email addresses
Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication
Mattermost versions 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12, 11.0.x = 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of...
Apache SkyWalking has a stored XSS vulnerability
There is an Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in Apache SkyWalking. This issue affects Apache SkyWalking versions = 10.2.0. Users are recommended to upgrade to version 10.3.0, which fixes the issue. Version 10.3.0 has not been uploaded to th...
pretix has Email Content Injection Through Maliciously Formatted Names
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength function that does not take into account Unicode variation selectors \uFE0F, \uFE0E appearing in a sequence which lead to improper string length...
Ray's New Token Authentication is Disabled By Default
Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces including the dashboard and Jobs API is disabled unless explicitly enabled by setting RAYAUTHMODE=token. In the default unauthenticated state, a remote attacker with...