Authentication Bypass by Capture-replay
An issue was discovered in IO FinNet tss-lib before 2.0.0. The parameter ssid for defining a session id is not used through the MPC implementation, which makes replaying and spoofing of messages easier. In particular, the Schnorr proof of knowledge implemented in sch.go does not utilize a session...
Observable Discrepancy
io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. bnb-chain/tss-lib and...
Exposure of Sensitive Information in OpenGoofy Hippo4j
Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 allows an attacker to escalate privileges via the AddUser method of the UserController function in the Tenant Management module...
Uncontrolled Resource Consumption
This advisory has been marked as a false positive...
Exposure of Sensitive Information to an Unauthorized Actor
Helm is a tool that streamlines installing and managing Kubernetes applications. getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS...
Improper Neutralization of Equivalent Special Elements
Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5...
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A vulnerability was found in docconv up to 1.2.0. It has been declared as critical. This vulnerability affects the function ConvertPDFImages of the file pdfocr.go. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. Upgrading to version 1.2.1...
Out-of-bounds Write
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow...
Path Traversal in file editor on Windows in Gogs
Impact: The malicious user is able to delete and upload arbitrary files. All installations on Windows with repository upload enabled (the default) are affected. Patches: Path cleaning has been accommodated for Windows. Users should upgrade to 0.12.9 or the latest 0.13.0+dev. Workarounds: N/A. References...
Django Allows Arbitrary URL Generation
The django.http.HttpRequest.gethost function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values...
Django Image Field Vulnerable to Image Decompression Bombs
The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service memory consumption by uploading an image file...
Improper Validation of Array Index
The html package aka x/net/html through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" index out of range in insertionModeStack.pop in node.go, called from inHeadIM, during an html.Parse call...
NULL Pointer Dereference
The html package aka x/net/html through 2018-09-17 in Go mishandles , leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call...
URL Redirection to Untrusted Site ('Open Redirect')
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. Flask-AppBuilder contains an open redirect vulnerability when using database authentication login page on versions below 3.4.5. This issue is fixed in version 3.4.5. There are currently no known...
Server-Side Request Forgery (SSRF)
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability...
Improper Authentication in FreeTAKServer
An access control issue in the component /ManageRoute/postRoute of FreeTAKServer v1.9.8 allows unauthenticated attackers to cause a Denial of Service (DoS) via an unusually large amount of created routes, or create unsafe or false routes for legitimate users...
Improper Authorization in Gitea
Improper Authorization in GitHub repository go-gitea/gitea prior to 1.16.4...
Authorization bypass in Istio
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. -some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy...
Vulnerability in Istio
Istio 1.1.x through 1.1.6 has Incorrect Access Control...
Allocation of Resources Without Limits or Throttling
The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests...
Observable Response Discrepancy in Flask-AppBuilder
User enumeration in database authentication in Flask-AppBuilder 3.4.4 allows a non-authenticated user to enumerate existing accounts by timing the server's response time when logging in...
URL Redirection to Untrusted Site ('Open Redirect')
The Auth0 Next.js SDK does not filter out certain returnTo parameter values from the login URL, which exposes the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue...
Cobbler before 3.3.0 allows log poisoning
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations...
Weak Password Recovery Mechanism for Forgotten Password
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs aka Go Git Service 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs aka Go Git Service 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Helm is open-source software which is essentially "The Kubernetes Package Manager". Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. In Helm from version 3.0 and before version 3.5.2, there are a few cases where data loaded from potentially untrusted...
Missing Authorization
routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks...
Uncontrolled Resource Consumption
The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (ReDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the...
Out-of-bounds Write
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page...
Cross-site Scripting
Users of the HAPI FHIR Testpage Overlay can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believ...
Improper Input Validation
xmlquery lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.Node.InnerText or possibly have unspecified other impact...
Use After Free
GNU Bison has a use-after-free in obstackfree in lib/obstack.c called from gramlex when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was...
Insufficiently Protected Credentials
Jenkins Applatix Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system...
DOS by filling session store
The session backends created a new empty record in the session storage any time request.session was accessed and the request cookies provided a session key that did not already have a session record. This could allow an attacker to easily create many new session records simply by sendi...
Incorrect Default Permissions
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with jinja2 in /tmp...
Caching of anonymous pages could reveal CSRF token
Django incorrectly caches certain pages that contain CSRF cookies. An attacker can possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions...
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoint also...
Exposure of Sensitive Information to an Unauthorized Actor
Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss or another extension to a URL...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack...
Improper Control of Generation of Code ('Code Injection')
An attacker is able to gain remote code execution on a server hosting the H2O dashboard through its POJO model import feature...
hutool Buffer Overflow vulnerability
hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath...
Exposure of Sensitive Information to an Unauthorized Actor
KubePi is an open-source Kubernetes management panel. The endpoint /kubepi/api/v1/users/search?pageNum=1&&pageSize=10 leaks the password hash of any user, including admin. A sufficiently motivated attacker may be able to crack leaked password hashes. This issue has been addressed in version 1.6.5. Users...
CasaOS contains weak JWT secrets
Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances...
Insecure Default Initialization of Resource
Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires t...
Flask-AppBuilder vulnerable to possible disclosure of sensitive information on user error
An authenticated malicious actor with Admin privileges could, by adding a special character on the add/edit User forms, trigger a database error; this error is surfaced back to the actor in the UI. On certain database engines this error can include the entire user row, including the pbkdf2:sha256...
api-platform/core's secured properties may be accessible within collections
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON...
Use of Hard-coded Credentials
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermor...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Due to improper path sanitization, archives containing relative file paths can cause files to be written or overwritten outside of the target directory...