Lucene search
K
OsvMost viewed

907959 matches found

OSV
OSV
•added 2023/09/07 4:11 p.m.•49 views

GO-2023-2042 Arbitrary code execution via go.mod toolchain directive in cmd/go

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules...

9.8CVSS9.2AI score0.01424EPSS
Exploits0References3
OSV
OSV
•added 2023/09/04 6:15 p.m.•49 views

PYSEC-2023-167

Vyper is a Pythonic Smart Contract Language. For the following probably non-exhaustive list of expressions, the compiler evaluates the arguments from right to left instead of left to right. unsafeadd, unsafesub, unsafemul, unsafediv, powmod256, |, &, ^ bitwise operators, bitwiseor deprecated,...

5.3CVSS6.7AI score0.00418EPSS
Exploits1References1
OSV
OSV
•added 2023/08/29 4:46 p.m.•49 views

CVE-2023-41037 Cleartext Signed Message Signature Spoofing in openpgpjs

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorit...

4.3CVSS4.6AI score0.00309EPSS
Exploits1References4
OSV
OSV
•added 2023/08/01 12:0 a.m.•49 views

ASB-A-253043490

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed...

6.8CVSS6.7AI score0.00125EPSS
Exploits0References2
OSV
OSV
•added 2023/08/01 12:0 a.m.•49 views

ALSA-2023:4377 Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: ipvlan: out-of-bounds write caused by unclear skb-cb CVE-2023-3090 kernel: clsflower: out-of-bounds write in flsetgeneveopt CVE-2023-35788 kernel: KVM: x86/mmu: race condition in...

7.8CVSS6.8AI score0.01377EPSS
Exploits6References12
OSV
OSV
•added 2023/07/13 2:46 a.m.•49 views

RSEC-2023-2 Denial of Service (DoS) vulnerability

The readxl R package is exposed to a vulnerability owing to its underlying use of libxls library version 1.6.2. The vulnerability originates in the xlsgetWorkSheet function within xls.c in libxls. Attackers can exploit this flaw by utilizing a specially crafted XLS file, leading to a Denial of...

6.5CVSS6.2AI score0.01122EPSS
Exploits0References4
OSV
OSV
•added 2023/07/11 3:31 p.m.•49 views

GHSA-F44M-65H3-99VC tarteaucitron.js vulnerable to Cross-site Scripting

Cross-site Scripting XSS - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1...

4.6CVSS4.9AI score0.00469EPSS
Exploits1References5
OSV
OSV
•added 2023/05/24 6:30 p.m.•49 views

GHSA-G7VW-43XG-8M4H SQL injection in Liferay Portal

SQL injection vulnerability in the upgrade process for SQL Server in Liferay Portal 7.3.1 through 7.4.3.17, and Liferay DXP 7.3 before update 6, and 7.4 before update 18 allows attackers to execute arbitrary SQL commands via the name of a database table's primary key index. This vulnerability is...

8.1CVSS7.6AI score0.00549EPSS
Exploits0References3
OSV
OSV
•added 2023/05/16 12:0 a.m.•49 views

ALSA-2023:3087 Important: mysql:8.0 security, bug fix, and enhancement update

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon mysqld and many client programs and libraries. The following packages have been upgraded to a later upstream version: mysql 8.0.32. BZ2177734, BZ2177735, BZ2177736 Security Fixes: mysql: Server:...

7.5CVSS6.4AI score0.43131EPSS
Exploits0References76
OSV
OSV
•added 2023/05/09 12:0 a.m.•49 views

ALSA-2023:2417 Moderate: php:8.1 security update

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php 8.1.14. Security Fixes: XKCP: buffer overflow in the SHA-3 reference implementation CVE-2022-37454 php: standard insecure cookie could b...

9.8CVSS8.8AI score0.49336EPSS
Exploits6References12
OSV
OSV
•added 2023/04/24 10:42 p.m.•49 views

GHSA-XV3H-4844-9H36 HTTP Multiline Header Termination

Impact Affected versions of Laminas Diactoros accepted a single line feed LF / \n character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due ...

7.5CVSS6.2AI score0.00965EPSS
Exploits0References6
OSV
OSV
•added 2023/04/19 8:15 p.m.•50 views

PYSEC-2023-20

Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur...

7.5CVSS7AI score0.00784EPSS
Exploits0References4
OSV
OSV
•added 2023/04/05 6:2 p.m.•49 views

GO-2023-1546 Denial of service in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp

The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack. The otelhttp package uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength, http.server.responsecontentlength, and http.server.duration...

7.5CVSS9.4AI score0.05994EPSS
Exploits1References1
OSV
OSV
•added 2023/02/16 7:49 p.m.•49 views

GO-2023-1568 Path traversal on Windows in path/filepath

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative if invalid path into an absolute path could enable a directory traversal...

7.5CVSS7.4AI score0.01678EPSS
Exploits0References3
OSV
OSV
•added 2023/02/07 6:16 p.m.•49 views

GHSA-56GJ-MVH6-RP75 URI validation failure on SVG parsing. Bypass of CVE-2023-23924

Summary Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Details Dompdf parses the href attribute of image tags with the following code: src/Image/Cache.php line 135-150 php function $parser, $name,...

10CVSS9.5AI score0.0249EPSS
Exploits3References4
OSV
OSV
•added 2023/01/23 12:0 a.m.•49 views

ALSA-2023:0339 Moderate: sqlite security update

SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL databas...

7.5CVSS7.4AI score0.19193EPSS
Exploits2References4
OSV
OSV
•added 2023/01/03 10:25 p.m.•49 views

GO-2022-1201 Timing attack in github.com/openshift/osin

Client secret checks are vulnerable to timing attacks, which could permit an attacker to determine client secrets...

5.9CVSS5.8AI score0.00676EPSS
Exploits0References2
OSV
OSV
•added 2022/12/31 12:0 a.m.•49 views

DLA-3252-1 cacti - security update

Bulletin has no description...

9.8CVSS8.4AI score0.99826EPSS
Exploits74
OSV
OSV
•added 2022/12/22 9:1 p.m.•49 views

GO-2022-1178 JWT leak in github.com/bradleyfalzon/ghinstallation

Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests...

5CVSS4.7AI score0.00382EPSS
Exploits1References3
OSV
OSV
•added 2022/12/19 3:30 p.m.•49 views

GHSA-3FHJ-WPVJ-X5W8 laravel-jqgrid vulnerable to SQL Injection

A vulnerability classified as critical was found in laravel-jqgrid. Affected by this vulnerability is the function getRows of the file src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php. The manipulation leads to sql injection. The name of the patch is...

9.8CVSS7.7AI score0.00646EPSS
Exploits0References5
OSV
OSV
•added 2022/11/14 7:15 a.m.•49 views

PYSEC-2022-42979

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data Data Amplification...

7.5CVSS2.5AI score0.01184EPSS
Exploits0References6
OSV
OSV
•added 2022/11/10 12:0 p.m.•50 views

RUSTSEC-2022-0076 Bug in Wasmtime implementation of pooling instance allocator

Bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration, the virtual memory mapping for WebAssembly memories did not meet the compiler-required configuration...

7.4CVSS6.4AI score0.00577EPSS
Exploits0References4
OSV
OSV
•added 2022/11/09 10:15 p.m.•49 views

CVE-2022-37966

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability...

8.1CVSS4.2AI score0.02772EPSS
Exploits0References2
OSV
OSV
•added 2022/11/08 6:29 a.m.•49 views

RLSA-2022:7793 Moderate: rsync security and enhancement update

The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool. Security Fixes:...

7CVSS8.9AI score0.1593EPSS
Exploits1References3
OSV
OSV
•added 2022/10/25 12:0 p.m.•49 views

RUSTSEC-2022-0083 evm incorrect state transition

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the isstatic parameter to determine if the call is executed in a static context via STATICCALL, and thus decide if stateful operations should be done. Prior to version 0.36.0, th...

7.5CVSS6.3AI score0.00538EPSS
Exploits0References3
OSV
OSV
•added 2022/09/23 4:32 p.m.•49 views

GHSA-WF7G-7H6H-678V Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console

An issue was discovered in Keycloak allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOADSCRIPTS feature is disabled...

7.2CVSS7.6AI score0.00834EPSS
Exploits0References6
OSV
OSV
•added 2022/09/13 7:36 a.m.•49 views

RLSA-2022:6449 Moderate: nodejs:16 security and bug fix update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs-ansi-regex: Regular expression denial of service ReDoS matching ANSI escape codes CVE-2021-3807 nodejs: DNS rebinding in --inspect via...

7.5CVSS7.4AI score0.77278EPSS
Exploits4References8
OSV
OSV
•added 2022/08/29 5:35 p.m.•49 views

CVE-2022-36037 Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby

kirby is a content management system CMS that adapts to many different projects and helps you build your own ideal interface. Cross-site scripting XSS is a type of vulnerability that allows execution of any kind of JavaScript code inside the Panel session of the same or other users. In the Panel,...

5.9CVSS5.6AI score0.00694EPSS
Exploits0References5
OSV
OSV
•added 2022/08/24 12:0 a.m.•49 views

GHSA-XC4W-28G8-VQM5 Path Traversal in Gravitee API Management

HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request...

6.1CVSS6.4AI score0.00616EPSS
Exploits0References3
OSV
OSV
•added 2022/08/18 12:0 a.m.•49 views

DSA-5212-1 chromium - security update

Bulletin has no description...

8.8CVSS8AI score0.30265EPSS
Exploits1
OSV
OSV
•added 2022/08/17 12:0 a.m.•49 views

DLA-3073-1 webkit2gtk - security update

Bulletin has no description...

8.8CVSS7.5AI score0.06463EPSS
Exploits0
OSV
OSV
•added 2022/07/13 6:31 a.m.•49 views

RLSA-2022:5564 Important: kernel security, bug fix, and enhancement update

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: race condition in perfeventopen leads to privilege escalation CVE-2022-1729 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other...

7.4CVSS7.4AI score0.0031EPSS
Exploits0References2
OSV
OSV
•added 2022/07/05 12:0 p.m.•49 views

RUSTSEC-2022-0033 Heap memory corruption with RSA private key operation

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X8664 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a...

10CVSS8.9AI score0.44881EPSS
Exploits3References3
OSV
OSV
•added 2022/06/06 12:0 a.m.•49 views

DLA-3044-1 glib2.0 - security update

Bulletin has no description...

7.5CVSS6.9AI score0.04193EPSS
Exploits2
OSV
OSV
•added 2022/05/24 4:52 p.m.•49 views

GHSA-FF7R-7RRM-WX6W Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to the editor can...

5.4CVSS5.3AI score0.00566EPSS
Exploits0References6
OSV
OSV
•added 2022/05/14 3:59 a.m.•49 views

GHSA-CMXJ-WX9V-52QR Improper Validation of Certificate with Host Mismatch in Not Yet Commons SSL

Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name CN field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

6.8CVSS9.1AI score0.00932EPSS
Exploits0References6
OSV
OSV
•added 2022/05/10 8:11 a.m.•49 views

ALSA-2022:1986 Moderate: python3 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

7.5CVSS7.1AI score0.11586EPSS
Exploits1References3
OSV
OSV
•added 2022/05/10 12:0 a.m.•49 views

CVE-2022-1629 Buffer Over-read in function find_next_quote in vim/vim

Buffer Over-read in function findnextquote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution...

6.6CVSS7.5AI score0.01864EPSS
Exploits1References10
OSV
OSV
•added 2022/04/25 10:15 p.m.•49 views

PYSEC-2022-193

flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he captcha.validate function would return None if passed no value e.g. by submitting an having an empty form. If implementing users...

5.3CVSS2.5AI score0.01126EPSS
Exploits0References4
OSV
OSV
•added 2022/04/20 12:21 p.m.•49 views

ALSA-2022:1445 Important: java-17-openjdk security and bug fix update

The java-17-openjdk packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit. Security Fixes: OpenJDK: Improper ECDSA signature verification Libraries, 8277233 CVE-2022-21449 OpenJDK: Defective secure validation in Apache Santuario Libraries, 82780...

7.5CVSS6.9AI score0.46677EPSS
Exploits6References7
OSV
OSV
•added 2022/04/18 7:15 p.m.•49 views

PYSEC-2022-194

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content...

6.2CVSS2.7AI score0.01279EPSS
Exploits1References4
OSV
OSV
•added 2022/04/07 3:20 p.m.•49 views

GHSA-3HJG-VC7R-RCRW Denial of Service vulnerability in @podium/layout and @podium/proxy

Impact An attacker using the Trailer header as part of the request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected. Patches @podium/layout which is the main way developers/users are vulnerable to this...

7.5CVSS7.4AI score0.01594EPSS
Exploits0References6
OSV
OSV
•added 2022/03/06 12:0 a.m.•49 views

DLA-2931-1 cyrus-sasl2 - security update

Bulletin has no description...

8.8CVSS8.3AI score0.04123EPSS
Exploits0
OSV
OSV
•added 2022/03/03 8:28 p.m.•49 views

GHSA-FMX4-26R3-WXPF Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. An integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16MAX columns. The impact of this heap corruption ranges from Information...

8.8CVSS9.2AI score0.0145EPSS
Exploits0References6
OSV
OSV
•added 2022/03/02 9:30 p.m.•49 views

GHSA-XVM2-9XVC-HX7F Improper Restriction of XML External Entity Reference in com.monitorjbl:xlsx-streamer

Impact Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. Patches Upgrade to version 2.1.0. Workarounds No known workaround. References...

9.8CVSS9.5AI score0.01446EPSS
Exploits0References4
OSV
OSV
•added 2022/02/15 1:57 a.m.•49 views

GHSA-RGJG-66CX-5X9M Grafana Authentication Bypass

Grafana before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generate a valid "remember me" cookie knowing only a username of an LDAP or OAuth user. Specific Go Packages Affected github.com/grafana/grafana/pkg/api...

9.8CVSS9.5AI score0.64284EPSS
Exploits0References7
OSV
OSV
•added 2022/01/25 12:0 a.m.•49 views

DSA-5062-1 nss - security update

Bulletin has no description...

6.5CVSS8.2AI score0.0063EPSS
Exploits0
OSV
OSV
•added 2022/01/25 12:0 a.m.•49 views

DSA-5059-1 policykit-1 - security update

Bulletin has no description...

7.8CVSS7.3AI score0.94921EPSS
Exploits151
OSV
OSV
•added 2022/01/14 12:0 a.m.•49 views

DSA-5046-1 chromium - security update

Bulletin has no description...

9.6CVSS8.5AI score0.36238EPSS
Exploits41
OSV
OSV
•added 2022/01/08 12:22 a.m.•49 views

GHSA-WXGW-QJ99-44C2 Prototype Pollution in node-forge util.setPath API

Impact forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself. Patches The forge.util.setPath API and related functions were removed in 0.10.0. Workarounds Don't call forge.util.setPath directly or indirectly with untruste...

8.2AI score
Exploits0References1
Total number of security vulnerabilities5000