1255 matches found
Heap-based Buffer Overflow in mruby/mruby
mruby is vulnerable to Heap-based Buffer Overflow...
Improper Certificate Validation in twitter-stream
In voloko twitter-stream 0.1.16, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library because eventmachine is misused...
stack overflow in mrb_str_len_to_dbl in src/string.c
In mruby 2.1.0, there is a stack-based buffer overflow in mrbstrlentodbl in string.c...
smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
An authentication bypass flaw was found in the smartproxydynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context...
kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List Local Plaintext Password Disclosure
kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered as the program exposes the MySQL or PostgreSQL password in the process list. This may allow a local attacker to gain access to password information...
kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password Disclosure
kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information...
echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command Execution
Echor Gem for Ruby contains a flaw in backplane.rb in the performrequest function that is triggered when a semi-colon ; is injected into a username or password. This may allow a context-dependent attacker to inject arbitrary commands if the gem is used in a rails application...
Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands...
ftpd Gem for Ruby Shell Character Handling Remote Command Injection
ftpd Gem for Ruby contains a flaw that is triggered when handling a specially crafted option or filename that contains a shell character. This may allow a remote attacker to inject arbitrary commands...
Net::IMAP: Denial of Service via incomplete raw argument validation
Summary Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will...
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Summary Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. Details Net::IMAP's...
OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames
Summary OpenC3 COSMOS contains a design flaw in the savetoolconfig function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path...
Possible arbitrary path traversal and file access via yard server
Impact A path traversal vulnerability was discovered in YARD = 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in GHSA-xfhh-rx56-rxcr wa...
Decidim's comments API allows access to all commentable resources
Impact The root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the /api endpoint. The /api endpoint is publicly available with the default configuration...
bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
ARC broadcaster treats failure statuses as successful broadcasts Summary BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLESPENDATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINEDINSTALEBLOCK, or any ORPHAN-containing extraInfo / txStatus are silently...
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Summary Rack::Sendfilemapaccelpath interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...
Rails has a possible XSS vulnerability in its Action View tag helpers
Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Application...
Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
Summary Rack::Multipart::Parser stores non-file form fields parts without a filename entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request hundreds of megabytes or more can consume equivalent process memory, potentially leading to out-of-memory OOM...
JWE is missing AES-GCM authentication tag validation in encrypted JWE
Overview The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. Impact - JWEs can be modified to decrypt to an arbitrary value - JWEs can be decrypted by observing parsing differences - The...
Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class
Impact There is an arbitrary code execution vulnerability in the CsvEnumerator class of the job-iteration repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data...
Pitchfork HTTP Request/Response Splitting vulnerability
Impact HTTP Response Header Injection in Pitchfork Versions 0.11.0 when used in conjunction with Rack 3 Patches The issue was fixed in Pitchfork release 0.11.0 Workarounds There are no known work arounds. Users must upgrade...
Phusion Passenger denial of service
The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method...
OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)
Summary A path traversal vulnerability inside of LocalMode's openlocalfile method allows an authenticated user with adequate permissions to download any .txt via the ScreensControllershow on the web server COSMOS is running on depending on the file permissions. Note: This CVE affects all OpenC3...
OpenC3 stores passwords in clear text (`GHSL-2024-129`)
Summary OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting see GHSL-2024-128. Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition Impa...
Elasticsearch Logstash allows remote attackers to execute arbitrary commands
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in 1 zabbix.rb or 2 nagiosnsca.rb in outputs/...
Command injection in cocoapods-downloader
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocessoptions function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a...
High severity vulnerability that affects rwiki
The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to execute arbitrary Ruby code via unknown attack vectors...
Savon::Model evaluates WSDL operation names as Ruby source
Savon::Model generated SOAP operation methods by interpolating operation names into Ruby source passed to moduleeval. An attacker who can control the operation names of a WSDL, can inject Ruby code that executes in the application process. This affects only the .alloperations class method provide...
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. Details Raw...
OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender
Summary The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...
Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Summary Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Summary Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted...
Rails Active Storage has possible content type bypass via metadata in direct uploads
Impact Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags. Releases The fixed releases are...
Rails Active Storage has possible Path Traversal in DiskService
Impact Active Storage's DiskServicepathfor does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences e.g. ../ is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are...
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
Summary Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line CRLFCRLF. The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of...
Google Sign-In for Rails allowed redirect to protocol-relative URI
Summary It is possible to redirect a user to another origin if the "proceedto" value in the session store is set to a protocol-relative URL. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is set to a protocol-relative URL, it improperly...
Google Sign-In for Rails allowed redirects to malformed URLs
Summary It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is malformed, it's possible for the user to be...
Spree Commerce is vulnerable to RCE through Search API
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...
Active Storage allowed transformation methods that were potentially unsafe
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where...
Ruby SAML DOS vulnerability with large SAML response
Summary A denial-of-service vulnerability exists in ruby-saml even with the messagemaxbytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. Details ruby-saml...
HashiCorp Vagrant has code injection vulnerability through default synced folders
An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant versions 2.4.6 and below when using the default synced folder configuration. By design, Vagrant automatically mounts the host system’s project directory into the guest VM under /vagrant or C:\vagrant on Windows. Thi...
OpenC3 COSMOS Vulnerable to Directory Traversal via /script-api/scripts/ endpoint
An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal...
CKEditor cross-site scripting vulnerability in AJAX sample
Affected packages The vulnerability has been discovered in the AJAX sample available at the samples/old/ajax.html file location. All integrators that use that sample in the production code can be affected. Impact A potential vulnerability has been discovered in one of CKEditor's 4 samples that ar...
Business Logic Errors in Publify
Publify formerly known as Typo prior to version 9.2.7 is vulnerable to business logic errors...
echor Gem for Ruby Process Listing Local Plaintext Credential Disclosure
echor Gem for Ruby contains a flaw that is due to the program exposing credential information in the system process listing. This may allow a local attacker to gain access to plaintext credential information...
Wicked Gem for Ruby contains a flaw
Wicked Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed via the 'thestep' parameter upon submission to the renderredirect.rb script. This may allow a remote attacker to gain access to arbitrary files...
Dynamic Client Registration feature creates public clients with client_secret
Impact The DynamicClientRegistrationControllerregister action hard-codes confidential: false when creating applications dynamicclientregistrationcontroller.rb:18-25, yet the response includes a clientsecret and advertises tokenendpointauthmethodssupported: "clientsecretbasic", "clientsecretpost"...
Session cookies can be replayed after user logout
Impact Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin...
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Summary Symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. Details Symbol arguments represent IMAP "system flags", which are formatted as "atoms" with no quoting with a "" prefix. Vulnerable versions of Net::IMAP...
OpenC3 COSMOS - Hijacked session token can be used to reset password for persistence
Summary The OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to ga...