33227 matches found
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context...
HAXcms createSite SSRF Enables Arbitrary File Read
Summary An authenticated Server-Side Request Forgery SSRF vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Details The createSite endpoint in HAXcms...
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...
Algernon: handler.lua discovery walks parent directories above the server root
Summary When Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancest...
Algernon: Single-file mode unconditionally enables debug mode
Summary When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow algernon foo.lua, algernon page.po2, algernon index.html, algernon mywebsite.alg — singleFileMode is set to true and debugMode is forcibly enabled with no opt-out: go //...
Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString
Summary ArrayFunctions.InsertAt in Scriban allocates index - list.Count null entries in a tight C for loop with no bound on index. The function is exposed to template authors as array.insertat, and the fill loop ignores every existing safety control: LoopLimit, LimitToString, ObjectRecursionLimit...
Malware in @opensearch-project/opensearch
Overview The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch. Users are instructed to immediately take...
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" N or "\u30fb" N + "\u6f22" utilize the validcontexto function prior to length rejection, and for high values of N will take a long time to process. Impact A speciall...
Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...
Keycloak: Session fixation in OIDC login flow that can lead to account takeover
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which...
Keycloak: Access token disclosure and implicit flow bypass via forged client data
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...
Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further...
Keycloak: Denial of Service via specially crafted SAML input
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language SAML endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service DoS where the server becomes...
Keycloak Protection API allows authenticated clients to access and modify resources owned by other Resource Servers
Keycloak's Authorization Services feature exposes a User-Managed Access Protection API that include an Insecure Direct Object Reference IDOR vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier UUID belonging to another Resour...
Keycloak: Unauthorized account takeover via WebAuthn token replay
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn Web Authentication flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's...
Keycloak Account Resources user lookup contains broken access control
Keycloak's Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By sending crafted requests with arbitrary usernames or email values,...
Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
TYPO3 sf_register extension allows unauthorized assignment of frontend user groups
The create and edit flows in the TYPO3 extension sfregister do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account...
TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector)
The TYPO3 "Content Element Selector" ceselector extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code...
TYPO3 ke_search path traversal from arbitrary table configuration input
In TYPO3 faceted fulltext search kesearch, theadditionaltables configuration of the page and ttcontent indexers accept arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. This has...
TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)
The TYPO3 Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrati...
georgringer/news has SQL Injection in extension "News system" (news)
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin ...
TYPO3 SQL Injection in extension "Address List" (tt_address)
In the TYPO3 extension ttaddress, the AddressRepository::getSqlQuery method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation...
Keycloak: Information Disclosure via evaluate-scopes Admin API
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...
TYPO3 ke_search path traversal due to lack of normalization on config directory from file indexer
In TYPO3 faceted fulltext search kesearch, the file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences. This has been patche...
TYPO3 ke_search XML External Entity Injection
In TYPO3 faceted fulltext search kesearch, the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being...
MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...
Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured
A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...
Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...
MLFlow Creates a Temporary File With Insecure Permissions
In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...
Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links
Summarize prior to 0.15.0 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthines...
Summarize contains a missing authorization vulnerability
Summarize prior to 0.15.0 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...
Summarize contains a missing authorization vulnerability
Summarize prior to 0.15.0 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...
Summarize contains a path traversal vulnerability
Summarize prior to 0.15.0 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit...
ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.
An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options...
ImageMagick: Stack overflow in fx operation
Due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument...
ImageMagick: Use-After-Free in MSL decoder.
A crafted MSL image can trigger a heap-use-after-free...
ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion
Due to a missing check in the MIFF decoder a crafted file could cause an infinite loop resulting in CPU exhaustion...
ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression
When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check...
ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions
When reading multiple images with different dimensions an out of bounds heap write can occur...
ImageMagick: Policy Bypass in MNG coder could
Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use...
ImageMagick: Heap Buffer Over-Read of a 4 bytes in distort operation.
When performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Summary Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log...
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()
Summary ui.restructuredtext renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructuredtext, an attacker can use standard Docutils directives include, csv-table with :file:, raw wi...
OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
Summary A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large values and adds the payload delimite...
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages
Summary Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated...
OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers
Summary OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total ioviter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. Details In...
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
Summary The custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. Details Th...
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
Summary The Java TLS ioctl probe reads user-controlled ioctl pointers with bpfproberead instead of bpfprobereaduser. An instrumented local process can therefore point OBI at kernel memory and cause that memory to be copied into telemetry. Details The vulnerable path is in...