36343 matches found
Exposure of Resource to Wrong Sphere
Overview apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper handling of the session token cookie path. An attacker can gain unauthorized access ...
Authorization Bypass Through User-Controlled Key
Overview effectify is an Utility library that bridges Effect-ts with various utilities and projects, such as Astro! Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the getUsers process. An attacker can access sensitive owner account...
Malicious Package
Overview n8n-nodes-csv-parse is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview es-lint-builder is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal through a discrepancy in path normalization between protocol handlers and internal routing. An attacker can bypass folder-level permissions or escape the boundaries of a configured virtual folder by crafting specific...
Stack-based Buffer Overflow
Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the parse function due to using a recursive revive phase to resolve circular references in deserialized JSON. An attacker can cause a stack overflow and crash the process by supplying a crafted payload with...
Malicious Package
Overview add-react-displayname is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior Th...
Malicious Package
Overview transform-minify-booleans is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavio...
Access of Uninitialized Pointer
Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the MSL decoder. An attacker can cause the application to access freed memory by submitting a malicious MSL file. Remediation A fix was pushed into the master branch but not yet published. References - GitHub Commit...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Integer Overflow or Wraparound
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Use After Free
Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Use After Free
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Malicious Package
Overview gbc-viewer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview vue-cli-plugin-changelog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Template Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the map filter in Twig templates when processing text fields that accept Twig input in the control panel settings or through the System Messages utility. An attacker ca...
Template Injection
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the create function. An attacker can execute arbitrary code on the server by supplying a crafted payload that instantiates dangerous classes, such as...
Replay Attack
Overview @oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...
Improper Encoding or Escaping of Output
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Regular Expression Denial of Service (ReDoS)
Overview minimatch is a minimal matching utility. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS in the AST class, caused by catastrophic backtracking when an input string contains many characters in a row, followed by an unmatched character. Detail...
Arbitrary File Upload
Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the uploadTemplate.do component. An attacker can upload arbitrary files by sending crafted requests to the affected endpoint. Remediation There is no fixed version for net.mingsoft:ms-mcms. References - GitHub...
Improper Certificate Validation
Overview std/crypto/tls is a Go standard library package std/crypto/tls Affected versions of this package are vulnerable to Improper Certificate Validation. Go Vulnerability Report: During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated betwe...
Allocation of Resources Without Limits or Throttling
Overview std/net/url is a Go standard library package std/net/url Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: The net/url package does not set a limit on the number of query parameters in a query. While the...
Malicious Package
Overview evocateurlibpnpmpublish is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview easy-transify is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview acribus-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview cassadasdasdasdwad is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview api-cache-worker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview bytes-guide is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview @douinfe/semi-illustrations is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Release of Invalid Pointer or Reference
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the LivewireFilemanagerComponent.php process due to missing file type and MIME validation. An attacker can execute arbitrary code by uploading a malicious PHP file and accessing it via the /storage/ URL. This...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview quill is a modern rich text editor built for compatibility and extensibility. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' due to the improper sanitazation in the getHTML function. An...
Malicious Package
Overview mona-speedy-components is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview semi-adimation is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Deserialization of Untrusted Data
Overview react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsaf...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview next is a react framework. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Trainer component. An attacker can execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data by providing specially crafted serialized input. Details...
Out-of-bounds Read
Overview net.jpountz.lz4:lz4 is a package for LZ4 compression for Java Affected versions of this package are vulnerable to Out-of-bounds Read due to the use of the insecure LZ4decompressfast in the underlying lz4 library, which lacks bounds checks. An attacker can cause denial of service or acces...
Eval Injection
Overview litdb is an A literature database tool with GPT integration. Affected versions of this package are vulnerable to Eval Injection via the parseschemadsl function in the extract.py file, which unsafely uses the eval function. This allows an attacker to execute arbitrary Python code on the...
Unverified Ownership
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when...
Inadequate Encryption Strength
Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength via the SMTP process. An attacker can intercept sensitive information by performing a man-in-the-middle attack that prevents the use of TLS, causing data to be sent over an unencrypted connection...
CRLF Injection
Overview Affected versions of this package are vulnerable to CRLF Injection via insufficient input validation in the DefaultSmtpRequest process. An attacker can inject arbitrary SMTP commands by supplying malicious parameters containing CRLF sequences, allowing the sending of forged emails that...
HTTP Request Smuggling
Overview Microsoft.AspNetCore.Server.Kestrel.Core is a core components of ASP.NET Core Kestrel cross-platform web server. Affected versions of this package are vulnerable to HTTP Request Smuggling via the interpretation of chunked HTTP requests. An attacker can bypass security restrictions and...
Cross-site Scripting (XSS)
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper neutralisation of input during web page generation. An attacker can execute arbitrary...
Allocation of Resources Without Limits or Throttling
Overview org.bouncycastle:bcprov-ext-jdk15to18 is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption...