Lucene search
K
GitlabRecent

1518 matches found

GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/12 12:0 a.m.•51 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A Cross Site Scripting XSS vulnerability exists in Nacos 2.0.3 in auth/users via the 1 pageSize and 2 pageNo parameters...

6.1CVSS3.2AI score0.00818EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/12 12:0 a.m.•41 views

Path traversal in FreeTAKServer-UI

An issue in the ?filename= argument of the route /DataPackageTable in FreeTAKServer-UI v1.9.8 allows attackers to place arbitrary files anywhere on the system...

6.5CVSS5.2AI score0.00719EPSS
Exploits1References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/12 12:0 a.m.•48 views

Exposure of Sensitive Information to an Unauthorized Actor in FreeTAKServer-UI

FreeTAKServer-UI v1.9.8 was discovered to leak sensitive API and Websocket keys...

7.5CVSS2.3AI score0.01073EPSS
Exploits1References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/12 12:0 a.m.•31 views

Improper Authorization in Gogs

Improper Authorization in GitHub repository gogs/gogs prior to 0.12.5...

9.1CVSS2.7AI score0.01221EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/12 12:0 a.m.•38 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting XSS vulnerability via the Callsign parameter...

5.4CVSS2.4AI score0.00479EPSS
Exploits1References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/12 12:0 a.m.•56 views

SSRF in repository migration

Server-Side Request Forgery SSRF in GitHub repository gogs/gogs prior to 0.12.5...

5.3CVSS2.2AI score0.03422EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/11 12:0 a.m.•27 views

Improper Authorization in Gitea

Improper Authorization in GitHub repository go-gitea/gitea prior to 1.16.4...

7.1CVSS2.8AI score0.00833EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/11 12:0 a.m.•33 views

Improper Authorization in cobbler

If PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places Web UI, CLI & XMLRPC-API. The same applies to user accounts with passwords set to be expired...

9.1CVSS8.5AI score0.02256EPSS
Exploits1References10Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/11 12:0 a.m.•54 views

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CasaOS before v0.2.7 was discovered to contain a command injection vulnerability via the component leave or join zerotier api...

9.8CVSS3.7AI score0.05967EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/11 12:0 a.m.•32 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A Cross Site Scripting XSS vulnerability exists in Nacos 2.0.3 in auth/users via the 1 pageSize and 2 pageNo parameters...

6.1CVSS3.2AI score0.00818EPSS
Exploits1References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/10 12:0 a.m.•24 views

Incorrect Authorization

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3...

9.1CVSS3.1AI score0.38133EPSS
Exploits7References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/08 12:0 a.m.•35 views

Duplicate of ./gem/activestorage/CVE-2022-21831.yml

The Active Storage module of Rails starting with version 5.2.0 are possibly vulnerable to code injection. This issue was patched in versions 5.2.6.2, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow-list on accepted transformation methods or...

9.8CVSS3AI score0.02742EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/03 12:0 a.m.•14 views

Execution with Unnecessary Privileges in arc-electron

When the end-user click on the response header that contains a link the target will be opened in ARC new window. This window will have the default preload script loaded which allows the scripts embedded in the link target to execute any logic that ARC has access to from the renderer process, whic...

1.9AI score
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/03/02 12:0 a.m.•62 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field...

5.4CVSS3.2AI score0.00682EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/24 12:0 a.m.•56 views

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement...

8.8CVSS3.1AI score0.04123EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/23 12:0 a.m.•27 views

Improper Authentication

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoin...

7.5CVSS1AI score0.01651EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•48 views

Use after free in Animation

The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other public information on the issue...

8.8CVSS2.5AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•32 views

Use after free in Animation

The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other public information on the issue...

8.8CVSS2.5AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•64 views

Use after free in Animation

The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other public information on the issue...

8.8CVSS2.5AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•29 views

Use after free in Animation

Use after free in Animation. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other publi...

8.8CVSS2.2AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•30 views

Use after free in Animation

The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other public information on the issue...

8.8CVSS2.5AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•68 views

Use after free in Animation

The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other public information on the issue...

8.8CVSS2.5AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•74 views

Use after free in Animation

The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little other public information on the issue...

8.8CVSS2.5AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•52 views

Use after free in Animation

The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available. There is currently little...

8.8CVSS2AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/22 12:0 a.m.•43 views

Use after free in Animation

Use after free in Animation. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available...

8.8CVSS1.7AI score0.23546EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/21 12:0 a.m.•91 views

Incorrect Default Permissions in Cobbler

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobble...

7.1CVSS6.5AI score0.00311EPSS
Exploits0References13Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/20 12:0 a.m.•40 views

Improper Neutralization of Special Elements used in a Command ('Command Injection')

An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function checkforinvalidimports can allow Cheetah code to import Python modules via the from MODULE import substring. Only lines beginning with import are blocked...

7.8CVSS4AI score0.00495EPSS
Exploits1References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/17 12:0 a.m.•36 views

Improper Certificate Validation

Hutool v5.7.18's HttpRequest was discovered to ignore all TLS/SSL certificate validation...

9.8CVSS1.2AI score0.01301EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/16 12:0 a.m.•38 views

Protection Mechanism Failure in Jenkins Doktor Plugin

Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc, and error messages allow attackers able to control agent processes to determine whether a file with a given name exists...

5.5CVSS3.9AI score0.00591EPSS
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/16 12:0 a.m.•21 views

Improper Validation of Certificate with Host Mismatch in mellium.im/xmpp/websocket

If no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults...

2AI score
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/16 12:0 a.m.•81 views

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution...

9.8CVSS4.9AI score0.02117EPSS
Exploits1References7Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•31 views

Loop with Unreachable Exit Condition ('Infinite Loop')

An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 in YubiHSM SDK before 2021.04. The handler does not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send...

7.5CVSS0.8AI score0.01521EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•106 views

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that...

6.5CVSS3.6AI score0.01312EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•22 views

Cross-Site Request Forgery (CSRF)

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe can't PUT from an HTML form or such but POST allows creating...

8.8CVSS6.6AI score0.01266EPSS
Exploits1References9Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•26 views

Cross-Site Request Forgery (CSRF)

A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe can't PUT from an HTML form or such but POST allows creating...

8.8CVSS1.7AI score0.01266EPSS
Exploits1References7Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•29 views

Improper Input Validation

DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost or any other address...

5.5CVSS2.9AI score0.00512EPSS
Exploits1References7Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•34 views

Improper Authentication in Kubernetes

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally...

8.8CVSS1.8AI score0.03597EPSS
Exploits5References12Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•23 views

Session Fixation

Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron...

9.8CVSS3.5AI score0.03041EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•69 views

Improper Input Validation

docker2aci = 0.12.3 has an infinite loop when handling local images with cyclic dependency chain...

4CVSS0.9AI score0.00358EPSS
Exploits0References7Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•38 views

Vulnerability in Istio

Istio 1.1.x through 1.1.6 has Incorrect Access Control...

7.5CVSS3.1AI score0.01175EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•57 views

Authorization bypass in Istio

In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes e.g. -some-suffix for source principals or namespace fields, callers will never be denied access, bypassing the intended policy...

6.8CVSS4.2AI score0.011EPSS
Exploits1References10Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•40 views

Improper Authentication

The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node or in the node's network namespace. Such a service is generally...

8.8CVSS2AI score0.03597EPSS
Exploits5References10Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•42 views

Improper Authentication

etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 is vulnerable to an improper authentication issue when role-based access control RBAC is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name CN which matches a valid RBAC username, a remote...

8.1CVSS4.7AI score0.04031EPSS
Exploits0References13Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•68 views

Arbitrary Command Injection

In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection...

9.8CVSS4.2AI score0.04107EPSS
Exploits0References7Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•25 views

Allocation of Resources Without Limits or Throttling

The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests...

5.3CVSS4.4AI score0.02428EPSS
Exploits0References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•61 views

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that...

6.5CVSS3.6AI score0.01312EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•42 views

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type...

6.5CVSS1.6AI score0.01631EPSS
Exploits0References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/15 12:0 a.m.•27 views

Authorization bypass in Istio

In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes e.g. -some-suffix for source principals or namespace fields, callers will never be denied access, bypassing the intended policy...

6.8CVSS4.2AI score0.011EPSS
Exploits1References10Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/12 12:0 a.m.•39 views

TLS certificate validation error

In mellium.im/xmpp, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification...

5.9CVSS2.8AI score0.00629EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2022/02/11 12:0 a.m.•17 views

Improper Neutralization

Improper Neutralization in github.com/aws/aws-sdk-go/service/s3/s3crypto...

2.3AI score
Exploits0References2Affected Software1
Total number of security vulnerabilities1518