Improper Handling of Case Sensitivity

Improper Handling of Case Sensitivity in easyadmin-extension-bundle...

Flask is vulnerable to Denial of Service via incorrect encoding of JSON data

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. Th...

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

active-support ruby gem could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system...

Command Injection

active-support could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system...

Cross-site request forgery in Django

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged AJAX requests that leverage a "combination of browser plugins...

Cross-site scripting in django

Cross-site scripting XSS vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload...

Directory traversal in Django

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / slash character in a key in a session cookie, related to session replays...

Session manipulation in Django

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that...

Django Cross-Site Request Forgery vulnerability

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page...

Denial of service in django

The verifyexists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service resource consumption via a URL associated with...

Cross-site scripting in django

Cross-site scripting XSS vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken aka csrftoken cookie...

Improper query string handling in Django

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series...

Improper date handling in Django

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service resource consumption via a URL that...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Bootstrap, XSS is possible in the data-target property of scrollspy...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Bootstrap, XSS is possible in the data-container property of tooltip...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In Bootstrap, XSS is possible in the collapse data-parent attribute...

Eve allows execution of arbitrary code

io/mongo/parser.py in Eve aka pyeve before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter...

Insufficiently Protected Credentials

The Jenkins AWS CodeBuild Plugin does not properly protect credentials in AWSClientFactory...

Information Exposure

The Jenkins AWS CodeDeploy Plugin contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher...

Insufficiently Protected Credentials

The Jenkins AWS CodeDeploy Plugin does not properly protect credentials in AWSCodeDeployPublisher...

Insufficiently Protected Credentials

The Jenkins AWS CodePipeline Plugin contains an Insufficiently Protected Credentials vulnerability...

Path Traversal

360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing .. in the url...

Path Traversal

22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url...

Path Traversal

node module suffers from a Path Traversal vulnerability due to lack of validation of files, which allows a malicious user to read content of any file with known path...

Path Traversal

11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url...

Cross-site Scripting

ag-grid is vulnerable to Cross-site Scripting XSS via Angular Expressions, if AngularJS is used in combination with ag-grid...

Improper Neutralization of HTTP Headers for Scripting Syntax

HTTP header injection vulnerability in the http package...

Incorrect header injection check

amphp/http isn't properly protected against HTTP header injection...

SQL Injection

adodb-php contains a SQLi vulnerability...

SQL Injection

adodb-php contains a SQLi vulnerability...

SQL Injection

The SelectLimit function has a potential SQL injection vulnerability through the use of the nrows and offset parameters which are not forced to integers...

Path Traversal

626 includes a path traversal vulnerability. It allows reading arbitrary files from the remote server...

Information Exposure

An issue was discovered in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error such as 'Too many connections' has occurred...

Command injection vulnerability

VladTheEnterprising Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/my.cnf.targethost file they can overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary...

Improper Link Resolution Before File Access ('Link Following')

lib/vlad/dba/mysql.rb in the VladTheEnterprising gem for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.targethost...

Padding Oracle Vulnerability in RSA Encryption

Padding Oracle Vulnerability in RSA Encryption...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting XSS vulnerability in activesupport/lib/activesupport/coreext/string/outputsafety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting XSS vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper...

Exposure of Sensitive Information to an Unauthorized Actor

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts...

Directory traversal vulnerability in Action View in Ruby on Rails

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing...

High severity vulnerability that affects actionpack

actionpack/lib/actionview/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The cross-site scripting XSS prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a...

Improper Input Validation

The template selection functionality in actionpack/lib/actionview/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting XSS vulnerability in the striptags helper in actionpack/lib/actioncontroller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an inval...

Action Pack contains database-query restrictions bypass

actionpack/lib/actiondispatch/http/request.rb in Ruby on Rails before 2.3.16, 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to...

actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request

actionpack/lib/actiondispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended...

actionpack Improper Authentication vulnerability

The decodecredentials method in actionpack/lib/actioncontroller/metal/httpauthentication.rb in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access...

actionpack Cross-site Scripting vulnerability

Cross-site scripting XSS vulnerability in actionpack/lib/actionview/helpers/sanitizehelper.rb in the striptags helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML...

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting XSS vulnerabilities in the mailto helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted 1 name or 2 email value...

Improper Input Validation

The tos method in actionpack/lib/actiondispatch/middleware/remoteip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address...