35669 matches found
Missing Authentication for Critical Function
Overview github.com/dgraph-io/dgraph/edgraph is a Dgraph is a horizontally scalable and distributed GraphQL database with a graph backend. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of authentication or authorization on the...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of authentication or authorization on the public gRPC port :9080 for the external snapshot import process. An attacker can overwrite and replace the database contents by sendi...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of authentication or authorization on the public gRPC port :9080 for the external snapshot import process. An attacker can overwrite and replace the database contents by sendi...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of authentication or authorization on the public gRPC port :9080 for the external snapshot import process. An attacker can overwrite and replace the database contents by sendi...
Directory Traversal
Overview github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Directory Traversal via the ScopedFs process. An attacker can create files outside of the intended user scope by exploiting dangling symlinks during file creation when...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the ScopedFs process. An attacker can create files outside of the intended user scope by exploiting dangling symlinks during file creation when possessing Create and Modify permissions. Details A Directory...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the ScopedFs process. An attacker can create files outside of the intended user scope by exploiting dangling symlinks during file creation when possessing Create and Modify permissions. Details A Directory...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the ScopedFs process. An attacker can create files outside of the intended user scope by exploiting dangling symlinks during file creation when possessing Create and Modify permissions. Details A Directory...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the handling of the X-Amz-Copy-Source header in the S3 API gateway. An attacker can access objects from unauthorized buckets by submitting specially crafted requests containing dot-dot path segments. Details A...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the S3Tables / Iceberg REST management API due to improper authorization handling of SigV4-signed requests. An attacker can access administrator-owned table bucket names and ARNs by sending authenticated...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the S3Tables / Iceberg REST management API due to improper authorization handling of SigV4-signed requests. An attacker can access administrator-owned table bucket names and ARNs by sending authenticated...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the S3Tables / Iceberg REST management API due to improper authorization handling of SigV4-signed requests. An attacker can access administrator-owned table bucket names and ARNs by sending authenticated...
Incorrect Authorization
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Incorrect Authorization in the evaluation test runs controller, where three state-changing endpoints authorize actions against the workflow:read permission instead of the action-appropriate...
User Impersonation
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to User Impersonation in the ZendeskTrigger node, which does not validate the HMAC-SHA256 signature on incoming webhook requests from Zendesk. An attacker can trigger workflows with forged payloads by...
Incorrect Authorization
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Incorrect Authorization in the Public API execution retry endpoint, which authorizes the request against the workflow:read permission instead of workflow:execute. A user with only workflow:read acce...
Files or Directories Accessible to External Parties
Overview repomix is an A tool to pack repository contents to single file for AI consumption Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the remote repository URL validation in src/core/git/gitRemoteParse.ts and the public website pac...
Incorrect Authorization
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Incorrect Authorization in workflow creation folder assignment, which does not verify that the requested target folder belongs to a project the requester is allowed to access. A user with workflow...
Cross-site Scripting (XSS)
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the resize process of Markdown image handling. An attacker can inject arbitrary CSS into the styleAttributes of an...
Malicious Package
Overview ams-ssk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview common-tg-service is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview promo-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @vite-ln/build-ts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Authorization
Overview ironic is an OpenStack Bare Metal Provisioning Affected versions of this package are vulnerable to Missing Authorization in the sendraw process. An attacker can gain unauthorized control over hardware or cause a system outage by sending arbitrary IPMI commands to the BMC. This is only...
Insufficient Granularity of Access Control
Overview ironic is an OpenStack Bare Metal Provisioning Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the process of reparenting Volume Connectors and Volume Targets to nodes in a different project, crossing project authorization boundaries. An...
Command Injection
Overview check-peer-dependencies is a Checks peer dependencies of the current package. Offers solutions for any that are unmet. Affected versions of this package are vulnerable to Command Injection in the shelljs.exec function of the peerDependencies component in packageUtils.js. An attacker can...
Heap-based Buffer Overflow
Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the parsing process of a tar archive containing a PAX extended header with a malformed SUN.holesdata sparse-file attribute. An attacker can cause a heap overflow and out-of-bounds read by supplying a...
Malicious Package
Overview mci-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview na-rony-test-karem is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview na-rony-test is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview rony-testing is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview karem-dp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview na-rony is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview nam-os-a-man is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview vite-json-pwa is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview gas-log is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Improper Following of Specification by Caller
Overview Affected versions of this package are vulnerable to Improper Following of Specification by Caller due to the GSSAPIStrictAcceptorCheck process when the server operates in a Windows Active Directory environment. An attacker can bypass intended authentication checks by exploiting this...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper enforcement of the minimum authentication delay in the sshd process. An attacker can increase the rate of authentication attempts by exploiting this timing issue...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal in the sftp process when the command sftp server:/path . is executed with a server under attacker control. An attacker can write files outside the intended directory by manipulating file paths sent from the serve...
Use of Less Trusted Source
Overview Affected versions of this package are vulnerable to Use of Less Trusted Source due to improper validation of the interaction between DisableForwarding and PermitTunnel settings. An attacker can enable unauthorized tunneling by exploiting a misconfiguration where DisableForwarding does no...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the scp process. An attacker can cause files to be placed outside the intended directory by crafting a copy operation between two remote destinations. Remediation A fix was pushed into the master branch but n...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of the MaxAuthTries parameter during the authentication process. An attacker can exhaust server resources by repeatedly attempting authentication using GSSAPI...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input due to improper handling of command-line arguments in the internal-sftp process. An attacker can bypass intended security restrictions by supplying more than nine arguments, causing...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the ssh process when a server changes its host key during a key re-exchange. An attacker can potentially execute arbitrary code or cause a denial of service by triggering a use-after-free condition on the client side...
Malicious Package
Overview nodemon-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-await is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the TTGetVarDesign process. An attacker can cause the application to access memory outside the intended buffer by providing crafted input to the affected process. Remediation A fix was pushed into the master branch...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the gorch service when unproxied orchestrator and detector metrics ports are exposed on the cluster network. An attacker can gain unauthorized access to sensitive metrics by directly...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via exposed HTTP endpoints in the cluster network. An attacker can gain unauthorized access to sensitive data and potentially manipulate AI models by sending requests from any co-located pod without authentication...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the gorch service when unproxied orchestrator and detector metrics ports are exposed on the cluster network. An attacker can gain unauthorized access to sensitive metrics by directly...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via exposed HTTP endpoints in the cluster network. An attacker can gain unauthorized access to sensitive data and potentially manipulate AI models by sending requests from any co-located pod without authentication...