Lucene search
K
GitlabRecent

1518 matches found

GitLab Advisory Database
GitLab Advisory Database
•added 2018/06/07 12:0 a.m.•41 views

Path Traversal

node module suffers from a Path Traversal vulnerability due to lack of validation of files, which allows a malicious user to read content of any file with known path...

7.5CVSS3.8AI score0.02038EPSS
Exploits1References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/06/07 12:0 a.m.•38 views

Path Traversal

22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url...

7.5CVSS5.2AI score0.02005EPSS
Exploits1References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/06/07 12:0 a.m.•33 views

Path Traversal

360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing .. in the url...

7.5CVSS5.2AI score0.02005EPSS
Exploits1References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/06/07 12:0 a.m.•36 views

Path Traversal

11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url...

7.5CVSS5.2AI score0.02005EPSS
Exploits1References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/06/04 12:0 a.m.•36 views

Cross-site Scripting

ag-grid is vulnerable to Cross-site Scripting XSS via Angular Expressions, if AngularJS is used in combination with ag-grid...

6.1CVSS2.8AI score0.01185EPSS
Exploits1References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/03/15 12:0 a.m.•17 views

Improper Neutralization of HTTP Headers for Scripting Syntax

HTTP header injection vulnerability in the http package...

1.1AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/03/15 12:0 a.m.•15 views

Incorrect header injection check

amphp/http isn't properly protected against HTTP header injection...

0.6AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/03/06 12:0 a.m.•12 views

SQL Injection

adodb-php contains a SQLi vulnerability...

2AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/03/06 12:0 a.m.•14 views

SQL Injection

The SelectLimit function has a potential SQL injection vulnerability through the use of the nrows and offset parameters which are not forced to integers...

4.6AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/03/06 12:0 a.m.•12 views

SQL Injection

adodb-php contains a SQLi vulnerability...

5.8AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/02/26 12:0 a.m.•13 views

Path Traversal

626 includes a path traversal vulnerability. It allows reading arbitrary files from the remote server...

4.5AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/02/19 12:0 a.m.•38 views

Information Exposure

An issue was discovered in config/error.php. The error log is exposed at an errors.log URI, and contains MySQL credentials if a MySQL error such as 'Too many connections' has occurred...

9.8CVSS1.8AI score0.72272EPSS
Exploits4References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/01/10 12:0 a.m.•30 views

Command injection vulnerability

VladTheEnterprising Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/my.cnf.targethost file they can overwrite arbitrary files, gain access to the MySQL root password, or inject arbitrary...

7CVSS6.6AI score0.00284EPSS
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2018/01/10 12:0 a.m.•21 views

Improper Link Resolution Before File Access ('Link Following')

lib/vlad/dba/mysql.rb in the VladTheEnterprising gem for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.targethost...

5.5CVSS5.5AI score0.00431EPSS
Exploits0References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/11/20 12:0 a.m.•13 views

Padding Oracle Vulnerability in RSA Encryption

Padding Oracle Vulnerability in RSA Encryption...

3.8AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•41 views

Exposure of Sensitive Information to an Unauthorized Actor

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts...

5CVSS6.3AI score0.02232EPSS
Exploits1References12Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•35 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting XSS vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper...

4.3CVSS5.9AI score0.03022EPSS
Exploits1References17Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•34 views

Improper Input Validation

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery CSRF protection for requests to applications that rely on this protection, as demonstrated using text/plain...

6.8CVSS7AI score0.0808EPSS
Exploits1References20Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•27 views

Cross site scripting that affects rails

Cross-site scripting XSS vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary web script or HTML by placing malformed Unicode strings into a form helper...

4.3CVSS7.8AI score0.03022EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•39 views

Exposure of Sensitive Information to an Unauthorized Actor

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts...

5CVSS6.3AI score0.02232EPSS
Exploits1References12Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•35 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting XSS vulnerabilities in the mailto helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted 1 name or 2 email value...

4.3CVSS5.9AI score0.0235EPSS
Exploits1References15Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•33 views

Cross-Site Request Forgery (CSRF)

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged 1 AJAX or 2 API requests that...

6.8CVSS6.9AI score0.01407EPSS
Exploits1References13Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•29 views

High severity vulnerability that affects actionpack

actionpack/lib/actionview/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not properly implement filters associated with the list of available templates, which allows remote attackers to bypass intended access restrictions via an action...

7.5CVSS5.6AI score0.02498EPSS
Exploits1References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•33 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The cross-site scripting XSS prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a...

4.3CVSS5.5AI score0.01962EPSS
Exploits0References12Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•40 views

Improper Input Validation

The template selection functionality in actionpack/lib/actionview/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping...

5CVSS5.8AI score0.01813EPSS
Exploits0References14Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•33 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting XSS vulnerability in the striptags helper in actionpack/lib/actioncontroller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an inval...

4.3CVSS4.2AI score0.02492EPSS
Exploits0References17Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•44 views

Improper Input Validation

The tos method in actionpack/lib/actiondispatch/middleware/remoteip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address...

4.3CVSS4.5AI score0.06661EPSS
Exploits1References11Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•39 views

actionpack Improper Authentication vulnerability

The decodecredentials method in actionpack/lib/actioncontroller/metal/httpauthentication.rb in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access...

5CVSS6AI score0.01905EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•50 views

Action Pack contains database-query restrictions bypass

actionpack/lib/actiondispatch/http/request.rb in Ruby on Rails before 2.3.16, 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to...

6.4CVSS7.4AI score0.046EPSS
Exploits1References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•65 views

actionpack allows remote attackers to bypass database-query restrictions, perform NULL checks via crafted request

actionpack/lib/actiondispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended...

4.3CVSS7.4AI score0.03931EPSS
Exploits2References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•44 views

actionpack Cross-site Scripting vulnerability

Cross-site scripting XSS vulnerability in actionpack/lib/actionview/helpers/sanitizehelper.rb in the striptags helper in Ruby on Rails before 2.3.16, 3.0.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML...

4.3CVSS5.2AI score0.01977EPSS
Exploits1References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•33 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting XSS vulnerabilities in the mailto helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted 1 name or 2 email value...

4.3CVSS5.9AI score0.0235EPSS
Exploits1References16Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•39 views

Directory traversal vulnerability in Action View in Ruby on Rails

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing...

7.5CVSS6.2AI score0.95537EPSS
Exploits11References11Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•41 views

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the 1 :limit and 2 :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer...

7.5CVSS8.9AI score0.0303EPSS
Exploits1References21Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•51 views

activerecord vulnerable to SQL Injection

The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via...

7.5CVSS7.1AI score0.02924EPSS
Exploits2References7Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•58 views

Active Record contains SQL Injection

SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in...

7.5CVSS7.7AI score0.04458EPSS
Exploits2References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•46 views

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument...

7.5CVSS6.3AI score0.02173EPSS
Exploits1References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•41 views

activerecord vulnerable to SQL Injection

Multiple SQL injection vulnerabilities in the quotetablename method in the ActiveRecord adapters in activerecord/lib/activerecord/connectionadapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a...

7.5CVSS8.1AI score0.02375EPSS
Exploits0References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•36 views

Improper Input Validation

Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs...

6.4CVSS7.1AI score0.0225EPSS
Exploits0References9Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•57 views

SQL Injection in Active Record

SQL injection vulnerability in activerecord/lib/activerecord/connectionadapters/postgresqladapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting...

7.5CVSS7.9AI score0.04278EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•37 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The cross-site scripting XSS prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a...

4.3CVSS5.5AI score0.01962EPSS
Exploits0References12Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/24 12:0 a.m.•34 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting XSS vulnerability in activesupport/lib/activesupport/coreext/string/outputsafety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a...

4.3CVSS4AI score0.02492EPSS
Exploits0References16Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/10/04 12:0 a.m.•13 views

Directory Traversal

360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url./n...

5.3AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/09/29 12:0 a.m.•12 views

Directory Traversal

22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url./n...

5.3AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/09/28 12:0 a.m.•13 views

Directory Traversal

11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url./n...

5.3AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/09/14 12:0 a.m.•11 views

Fake package, execution of benign malware

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.. These packages contain the exact same code as their upstream package thus their functionali...

1.6AI score
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/08/28 12:0 a.m.•15 views

Arbitrary File Download

This package is vulnerable to Arbitrary File Download. A client can use backslashes to escape the directory the files where exposed from. Note: Only if the host server is a windows-based operating system...

1.8AI score
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/07/17 12:0 a.m.•24 views

OS Command Injection

Akeneo PIM is vulnerable to shell injection in the mass edition, resulting in remote code execution...

9.8CVSS3.3AI score0.03932EPSS
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/07/10 12:0 a.m.•41 views

Uncontrolled Resource Consumption

The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is...

7.5CVSS1.9AI score0.048EPSS
Exploits0References1Affected Software1
GitLab Advisory Database
GitLab Advisory Database
•added 2017/05/15 12:0 a.m.•16 views

Code Injection

pygmentize contains a Remote Code Execution vulnerability...

2.9AI score
Exploits0References1Affected Software1
Total number of security vulnerabilities1518