7044 matches found
pyspider Cross-Site Request Forgery (CSRF) via the Flask endpoints
binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery CSRF via the Flask endpoints...
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
ImpactIn Synapse versions before 1.120.1, enabling the dynamicthumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing.This significantly expands t...
Mobile Security Framework (MobSF) Stored Cross-Site Scripting Vulnerability in "Diff or Compare" Functionality
SummaryThe application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff or Compare" functionality, they are affected by a Stored Cross-Site Scripting vulnerability...
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up toCVE-2024-39887 wi...
Synapse allows unsupported content types to lead to memory exhaustion
ImpactIn Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. PatchesSynapse 1.120.1 resolves the issue by denying...
Python package "zhmcclient" stores passwords in clear text in its HMC and API logs
ImpactThe Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases: The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs The 'ssc-master-pw' an...
Apache Superset: Error verbosity exposes metadata in analytics databases
Generation of Error Message Containing analytics metadata Information in Apache Superset.This issue affects Apache Superset: before 4.1.0.Users are recommended to upgrade to version 4.1.0, which fixes the issue...
Synapse allows a a malformed invite to break the invitee's `/sync`
ImpactSynapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. PatchesSynapse 1.120.1 rejects such invalid invites received over...
PyJWT Issuer field partial matches allowed
SummaryThe wrong string if check is run for iss checking, resulting in "acb" being accepted for "abc". DetailsThis is a bug introduced in version 2.10.0: checking the "iss" claimchanged from isinstanceissuer, list to isinstanceissuer,Sequence.diff- if isinstanceissuer, list:+ if isinstanceissuer,...
Denial of service (DoS) via deformation `multipart/form-data` boundary
SummaryWhen parsing form data, python-multipart skips line breaks CR \r or LF \n in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs.An attacker could...
Password Policy Bypass Vulnerability in Fides Webserver User Accept Invite API
SummaryThe user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the...
Django Filer Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type, Improper Input Validation, Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS.This issue affects django Filer: from 3 before 3....
pyspider Cross-site Scripting vulnerability
pyspider through 0.3.10 allows /update XSS. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...
OpenStack Neutron can use an incorrect ID during policy enforcement
In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change add and clear tags on network objects that do not belong to the tenant...
Tornado has an HTTP cookie parsing DoS vulnerability
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.See...
libre-chat Path Traversal vulnerability
An issue in the uploaddocuments method of libre-chat v0.0.6 allows attackers to execute a path traversal via supplying a crafted filename in an uploaded file...
check-jsonschema default caching for remote schemas allows for cache confusion
ImpactThe default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. https://example.org/schema.json will be stored as schema.json. This naming allows for conflicts. If an attacker can get a user to run check-jsonschema against a malicious schema URL,...
LLama Factory Remote OS Command Injection Vulnerability
SummaryA critical remote OS command injection vulnerability has been identified in the Llama Factory training process. This vulnerability arises from improper handling of user input, allowing malicious actors to execute arbitrary OS commands on the host system. The issue is caused by insecure usa...
aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
SummaryA memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the building of each MatchInfoError producing a unique cache entry. ImpactIf the user is making use of any middlewares with aiohttp.web then it is advisab...
django CMS Attributes Field Cross-site Scripting
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in django CMS Association django CMS Attributes Fields allows Stored XSS.This issue affects django CMS Attributes Fields: before 4.0...
Litestar allows unbounded resource consumption (DoS vulnerability)
SummaryLitestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parsers to map request content to structured data types. Multiple of those parsers do not have size limits when reading the request body into memory, which allow...
aiohttp allows request smuggling due to incorrect parsing of chunk extensions
SummaryThe Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. ImpactIf a pure Python version of aiohttp is installed i.e. without the usual C extensions or AIOHTTPNOEXTENSIONS is enabled, then an attacker may...
Apache Airflow: Sensitive configuration values are not masked in the logs by default
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially...
OpenStack improperly deletes access rules
A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it's scope, it deletes other existing access rules which are not associated with any application credentials...
changedetection.io path traversal using file URI scheme without supplying hostname
SummaryThe validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and ALLOWFILEURI false or not defined. DetailsThe check used for URL protocol, issafeurl, allows file: as a...
Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
A Cross-site Scripting XSS vulnerability exists in janeczku/calibre-web, specifically in the file editbooks.js. The vulnerability occurs when editing book properties, such as uploading a cover or a format. The affected code directly inserts user input into the DOM without proper sanitization,...
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs in the file shelf.py at line 221, where the name of the shelf is exposed in an error message when a user attempts to remove a book from a shelf they d...
ansible-core Incorrect Authorization vulnerability
A flaw was found in Ansible. The ansible-core user module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user's home directory. If the...
Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see.When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored...
Salt preflight script could be attacker controlled
The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. If an attacker has access to the target VM and knows the path to the pre-flight script before it runs they can ensure Salt-SSH runs their script wi...
Ansible-Core vulnerable to content protections bypass
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playboo...
Missing ratelimit on passwrod resets in zenml
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the...
ReDoS in giskard's transformation.py (GHSL-2024-324)
ReDoS in Giskard text perturbation detectorA Remote Code Execution ReDoS vulnerability was discovered in Giskard component by the GitHub Security Lab team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation...
Improper Access Control in janeczku/calibre-web
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the createshelf method in shelf.py not verifying if the user has the necessary permissions to create a...
Flair allows arbitrary code execution
A vulnerability, which was classified as critical, was found in flairNLP flair 0.14.0. Affected is the function ClusteringModel of the file flair\models\clustering.py of the component Mode File Loader. The manipulation leads to code injection. It is possible to launch the attack remotely. The...
MPXJ has a Potential Path Traversal Vulnerability
ImpactThe patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path could be constructed which would not be picked up by the original fix and allow files to be written to arbitrary locations. PatchesThe issue is addressed in...
Langflow vulnerable to remote code execution
langflow =1.0.18 is vulnerable to Remote Code Execution RCE as any component provided the code functionality and the components run on the local machine rather than in a sandbox...
gradio Server Side Request Forgery vulnerability
In gradio =4.42.0, the gr.DownloadButton function has a hidden server-side request forgery SSRF vulnerability. The reason is that within the saveurltocache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resourc...
Access control vulnerable to user data deletion by anonynmous users
ImpactAnonymous users can delete the user data maintained by an AccessControl.userfolder.UserFolder which may prevent any privileged access. PatchesThe problem is fixed in version 7.2. WorkaroundsThe problem can be fixed by adding dataroles = to AccessControl.userfolder.UserFolder...
Lord of Large Language Models (LoLLMs) Server path traversal vulnerability in lollms_file_system.py
A path traversal vulnerability exists in the ParisNeo/lollms repository, specifically in the lollmsfilesystem.py file. The functions addragdatabase, togglemountragdatabase, and vectorizefolder do not implement security measures such as sanitizepathfromendpoint or sanitizepath. This allows an...
open-webui allows writing and deleting arbitrary files
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...
MySQL Connector/Python connector takeover vulnerability
Vulnerability in the MySQL Connectors product of Oracle MySQL component: Connector/Python. Supported versions that are affected are 9.0.0 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors...
changedetection.io Path Traversal
SummaryWhen a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditional file:///etc/passwd gets blocked DetailsThe root cause is the payload source:file:///etc/passwdpasses the regex here and also passes the check here where ...
Werkzeug possible resource exhaustion when parsing file data in forms
Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.maxformmemorysize setting.The Request.maxcontentlength setting, as well as resource limits provided by deployment software and platforms, a...
Langchain SQL Injection vulnerability
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service DoS by deleting all data, breaches in multi-tenant securit...
Werkzeug safe_join not safe on Windows
On Python = 3.11, or not using Windows, are not vulnerable...
Starlette Denial of service (DoS) via multipart/form-data
SummaryStarlette treats multipart/form-data parts without a filename as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and...
open-webui Insecure Direct Object Reference (IDOR) vulnerability
An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...
OAuth2 client ID and secret exposed through the web browser
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data...
open-webui allows enumeration of file names and traversal of directories by observing the error messages
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...