33396 matches found
Jellysweep uses uncontrolled data in image cache API endpoint
Impact The /api/images/cache which is used to download media posters from the server accepted an url parameter, which was directly passed to the cache package and that downloaded the poster from this URL. This URL parameter can be used to make the jellysweep server download arbitrary content. The...
Shaman has soundness issues and is unmaintained
shaman::cryptoutil::writeu64vle and other functions mentioned above cannot garantee memory safety of getunchecked later if both length are zero. shaman is unmaintained...
lakeFS affected by unauthenticated access to API usage metrics
Impact Missing authentication in the /api/v1/usage-report/summary endpoint allows anyone to retrieve aggregate API usage counts. While no sensitive data is disclosed, the endpoint may reveal information about service activity or uptime. Patches Upgrade to v1.70.1 Workarounds Any ONE of these is...
motionEye vulnerable to RCE via unsanitized motion config parameter
Summary A command injection vulnerability in MotionEye allows attackers to achieve Remote Code Execution RCE by supplying malicious values in configuration fields exposed via the Web UI. Because MotionEye writes user-supplied values directly into Motion configuration files without sanitization,...
OpenMage vulnerable to XSS in Admin Notifications
Summary OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an admin with direct database access or the admin notification feed source to inject malicious scripts into vulnerable fields. Malicious JavaScript may be execute...
MantisBT unauthorized disclosure of private project column configuration
Impact Due to insufficient access-level checks, any non-admin user having access to manageconfigcolumnspage.php typically project managers having MANAGER role can use the Copy From action to retrieve the columns configuration from a private project they have no access to. Access to the reverse...
MantisBT lacks verification when changing a user's email address
When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. Impact This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person'...
@react-native-community/cli has arbitrary OS command injection
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary...
MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes tested with 4,788,761 characters. Once such a note is added: Impact - The entire activity stream becomes unviewable UI fails to render. - New...
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
Due to an incorrect use of loose == instead of strict === comparison in the authentication code1, PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. 1:...
Liferay Portal and DXP do not check permissions of images in a blog entry
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions does not check permission of images in a blog entry, which allows remote attackers ...
Liferay Portal and DXP use an incorrect cache-control header
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions uses an incorrect cache-control heade...
Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page
Multiple cross-site scripting XSS vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary we...
Agno session state overwrites between different sessions/users
Impact Under certain conditions under high concurrency, when sessionstate is passed to an Agent or Team during run or arun calls, a race condition can occur, causing a sessionstate to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed t...
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
Reflected cross-site scripting XSS vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the...
Ansible does not collect garbage after playbook run
A flaw was found in Ansible Base when using the awsssm connection plugin as its garbage collector is not happening after the playbook run is completed. Files would remain in the bucket exposing the data. This issue directly affects data confidentiality...
cryptidy allows code execution via untrusted data due to pickle.loads
cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aesdecryptmessage in symmetricencryption.py...
Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation
Scrapy versions up to 2.13.3 are vulnerable to a denial of service DoS attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of...
Liferay Portal is vulnerable to XSS in the Blogs widget
Cross-site scripting XSS vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allow...
sqls-server/sqls is vulnerable to command injection in the config command
sqls-server/sqls 0.2.28 is vulnerable to command injection in the config command because the openEditor function passes the EDITOR environment variable and config file path to sh -c without sanitization, allowing attackers to execute arbitrary commands. This issue has been patched via commit...
Liferay Portal is vulnerable to DNS rebinding attacks
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allow...
Duplicate Advisory: Keras keras.utils.get_file API is vulnerable to a path traversal attack
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hjqc-jx6g-rwp9. This link is maintained to preserve external references. Original Description The keras.utils.getfile API in Keras, when used with the extract=True option for tar archives, is vulnerable to a pat...
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
Impact Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This affects: - Control panel users with permission to create or edit Collections and...
node-tar has a race condition leading to uninitialized memory exposure
Summary Using .t aka .list with sync: true to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. Details See: https://github.com/isaacs/node-tar/issues/445 https://github.com/isaacs/node-tar/pull/446 Regression happene...
gnark-crypto allows unchecked memory allocation during vector deserialization
The issue has been reported by @raefko from @fuzzinglabs. Excerpts from the report: A critical vulnerability exists in the gnark-crypto library's Vector.ReadFrom function that allows an attacker to trigger arbitrary memory allocation by crafting malicious input data. An attacker can cause the...
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode
Summary When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to javascript: URLs, it could still trigger dangerous behavior in some cases. GET...
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
Impact A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigg...
Byaidu PDFMathTranslate vulnerable to open redirect
An open redirect vulnerability exists in Byaidu PDFMathTranslate v1.9.9 that allows attackers to craft URLs that cause the application to redirect users to arbitrary external websites via the file parameter to the /gradioapi endpoint. This vulnerability could be exploited for phishing attacks or ...
Apache Airflow's create action can upsert existing Pools/Connections/Variables
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action...
Apache Airflow `/api/v2/dagReports` executes DAG Python in API
API users via /api/v2/dagReports could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available...
Apache Airflow has a command injection vulnerability in "example_dag_decorator"
An example dag exampledagdecorator had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production not default or the example dag code copied to build your own...
Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth OAuth2 & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth OAuth2 & OpenID Connect: from 6.0.0 before 6.0.7...
Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting XSS. This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0...
Drupal Acquia DAM allows Forceful Browsing
Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5...
Liferay Portal vulnerable to password enumeration
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers t...
Drupal Plausible tracking is vulnerable to XSS
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal Plausible tracking allows Cross-Site Scripting XSS. This issue affects Plausible tracking: from 0.0.0 before 1.0.2...
Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This issue affects Reverse Proxy Header: from 0.0.0 before 1.1.2...
Drupal JSON Field is vulnerable to XSS
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal JSON Field allows Cross-Site Scripting XSS. This issue affects JSON Field: from 0.0.0 before 1.5...
Drupal Access code allows Brute Force Attempts
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5...
Drupal Umami Analytics allows Cross-Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal Umami Analytics allows Cross-Site Scripting XSS. This issue affects Umami Analytics: from 0.0.0 before 1.0.1...
Drupal CivicTheme Design System allows Forceful Browsing
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0...
Drupal Currency allows Cross Site Request Forgery
Cross-Site Request Forgery CSRF vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 before 3.5.0...
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
Summary LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. Details /langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py...
Zitadel May Bypass Second Authentication Factor
Summary A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified. Impact Zitadel provides an API for managing sessions, enabling custom login experiences in a dedicated UI or direct integration into applications. Session Tokens...
Zitadel allows brute-forcing authentication factors
Summary A vulnerability in Zitadel allowed brute-force attack on OTP, TOTP and password allowing to impersonate the attacked user. Impact An attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like...
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Impact A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an...
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability
Patch This is fixed with commit b953092, with the fix available in OpenUSD 25.11 and onwards. Summary We have been advised by Zero Day Initiative that our usage of the USD framework may constitute a Use-After-Free Remote Code Execution Vulnerability. They have sent us the attached file illustrati...
uv allows ZIP payload obfuscation through parsing differentials
Impact In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem: 1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields...
CKAN vulnerable to fixed session IDs
Impact Session ids could be fixed by an attacker if the site is configured with server-side session storage CKAN uses cookie-based session storage by default. The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers...
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
Summary The default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. Description An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads...