1518 matches found
Out-of-bounds Write
CImg suffers from integer overflows leading to heap buffer overflows in loadpnm that can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity...
XML Entity Expansion
go-yaml is vulnerable to a Billion Laughs Attack...
Command Injection
active-support could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system...
Improper query string handling in Django
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series...
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoints lack authentication entirely, allowing anyone to create, read, update, and delete provider connections. Additionally, /api/usage/stats exposes full plaintext API keys, and...
9router: Missing Authorization and OS Command Injection
POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches...
Nginx-UI Settings API Exposes Protected Secrets
The GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes via ProtectedFill in SaveSettings and is completely...
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
When the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive...
H2O Vulnerable to Arbitrary File Overwrite via File Export
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a...
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients...
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients...
Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC
An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption...
Vapor contains an integer overflow in URI leading to potential host spoofing
Vapor's vaporurlparserparse function uses uint16t indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI ty...
Path traversal in ZIPFoundation
An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file...
Insufficient Session Expiration
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11...
SwiftTerm Code Injection vulnerability
Attacker could modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands...
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A vulnerability classified as critical was found in IBAX go-ibax. Affected by this vulnerability is an unknown functionality of the file /api/v2/open/tablesInfo. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be...
Insufficient Session Expiration
Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.1.9...
Improper Validation of Certificate with Host Mismatch in mellium.im/xmpp/websocket
If no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross Site Scripting XSS vulnerability exits in Anchor CMS =0.12.7 in posts.php. Attackers can use the posts column to upload the title and content containing malicious code to achieve the purpose of obtaining the administrator cookie, thereby achieving other malicious operations...
Remote Code Execution in AjaxNetProfessional
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication sharin...
Key Caching behavior in the DynamoDB Encryption Client.
Impact This advisory concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified. When key usage permissions were changed at the key provider, time-based key reauthorization logic in...
Improper Link Resolution Before File Access ('Link Following')
lib/vlad/dba/mysql.rb in the VladTheEnterprising gem for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.targethost...
Nested attributes rejection proc bypass
When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the allowdestroy: false option to the acceptsnestedattributesfor method. The allowdestroy flag prevents the :rejectif proc from being called because it assumes that the recor...
decolua 9router vulnerable to authorization bypass
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has...
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController e.g., embedded WebViews lacking Input Events Level 2 support. The StringPiece.fromJSON...
apko has a path traversal in apko dirFS which allows filesystem writes outside base
A Path Traversal vulnerability was discovered in apko's dirFS filesystem abstraction. An attacker who can supply a malicious APK package e.g., via a compromised or typosquatted repository could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink...
@account-kit/smart-contracts Allowlist Module Bypass Vulnerability
Allowlist module contains a bypass vulnerability...
H2O Deserialization of Untrusted Data Vulnerability
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are...
HAPI FHIR XML External Entity (XXE) vulnerability
An XML External Entity XXE vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities...
Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java BC Java before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of th...
yyjson has a Double Free vulnerability
The pool series allocator poolmalloc/poolfree/poolrealloc by yysjon has a Double Free vulnerability, which may lead to arbitrary address writing and Denial of Service DoS attacks. Arbitrary address writing, combined with other legitimate or illegitimate operations of programs using this library,...
Improper Access Control
Improper Access Control in GitHub repository admidio/admidio prior to 4.2.9...
Out-of-bounds Read
An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is a bz3decodeblock out-of-bounds read...
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Silverstripe Form Capture provides a method to capture simple silverstripe forms and an admin interface for users. Starting in version 0.2.0 and prior to versions 1.0.2, 1.1.0, 2.2.5, and 3.1.1, improper escaping when presenting stored form submissions allowed for an attacker to perform a...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting XSS. The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically...
Deserialization of Untrusted Data
The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting XSS vulnerability in the Apache Solr Search solr extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
Server-Side Request Forgery (SSRF)
In Apache Traffic Control Traffic Ops, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach...
Externally Controlled Reference to a Resource in Another Sphere
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack...
ActiveRecord Gem :limit / :offset SQL Injection
The issue is due to the program not properly sanitizing user-supplied input related to the :limit and :offset functions. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data...
Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection
AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection...
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
The nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the...
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
The @aborruso/ckan-mcp-server MCP server provides tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network service...
AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion
AutoMapper is vulnerable to a Denial of Service DoS attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memor...
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid...
Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability
Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. Filesystem List Parameter Plugin 0.0.15 ensur...
Adguard Home arbitrary file read vulnerability
An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Admidio v4.2.12 and below is vulnerable to Cross Site Scripting XSS...
Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SS...