Lucene search

33588 matches found

Snyk • added 3 days ago

Insufficient Verification of Data Authenticity

Overview: simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the processing of SAML responses wh...

CVSS 7.1 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization through the add and remove endpoints for timesheet favorites. An attacker can manipulate another user's favorite bookmark state by referencing the victim's timesheet identifier, allowing unauthorized addition or...

CVSS 5.3 • AI score 6 • Exploits 0 • References 3

Snyk • added 3 days ago

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions ('XPath Injection') through the XPath Transform process. An attacker can cause the application to become unresponsive or crash by sending specially crafted messages that exploit thi...

CVSS 8.7 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Data within XPath Expressions ('XPath Injection') through the XPath Transform process. An attacker can cause the application to become unresponsive or crash by sending specially crafted messages that exploit thi...

CVSS 8.7 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within t...

CVSS 8.7 • AI score 6.1 • Exploits 0 • References 2

Snyk • added 3 days ago

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation in the HTTPArtifact::receive process. An attacker can gain unauthorized access to arbitrary user accounts by crafting a forged unsigned assertion from a malicious or lower-trust identity provider within t...

CVSS 8.7 • AI score 6.1 • Exploits 0 • References 2
Snyk • added 3 days ago

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the newAttributes parameter in the bulk duplicate process. An attacker can overwrite existing elements...

CVSS 7.1 • AI score 6 • EPSS 0.00253 • Exploits 0 • References 2

Snyk • added 3 days ago

Improper Authorization

Overview: froxlor/froxlor is server administration software. Affected versions of this package are vulnerable to Improper Authorization through the Mysqls.add process. An attacker can create databases and users on unauthorized MySQL servers by supplying a disallowed server index in the API...

CVSS 5.3 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Authorization Bypass Through User-Controlled Key

Overview: froxlor/froxlor is server administration software. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the customeremail.php process. An attacker can access other users' allowed sender aliases by supplying arbitrary senderid values in...

CVSS 6.9 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Missing Authorization

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization through the actionDeleteFolder process. An attacker can remove assets belonging to other users by exploiting insufficient permission checks during folder deletion...

CVSS 7.7 • AI score 5.9 • EPSS 0.00249 • Exploits 0 • References 2

Snyk • added 3 days ago

Authorization Bypass Through User-Controlled Key

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the actionReplaceFile process. An attacker can delete assets in unauthorized volumes by supplying both assetId and sourceAssetId without...

CVSS 5.4 • AI score 6 • EPSS 0.00265 • Exploits 0 • References 2

Snyk • added 3 days ago

Access Control Bypass

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Access Control Bypass via the entries/move-to-section process. An attacker can relocate entries into unauthorized sections by exploiting insufficient permission checks, allowing them to bypas...

CVSS 6 • AI score 6 • EPSS 0.00273 • Exploits 0 • References 2

Snyk • added 3 days ago

Improper Authorization

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Improper Authorization in the entries/save-entry process. An attacker can reassign content authorship to another user without proper authorization by submitting crafted requests containing...

CVSS 7.6 • AI score 6 • EPSS 0.00245 • Exploits 0 • References 2
Snyk • added 3 days ago

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the displaymap parser function when unescaped user input is passed to the overlays parameter. An attacker can execute arbitrary JavaScript in the context of users viewing the affected page by injecting...

CVSS 8.8 • AI score 5.8 • Exploits 0 • References 3

Snyk • added 3 days ago

Malicious Package

Overview: animatecss-postcss-plugin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: tailwind-animates is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: db-plog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: cache-section-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: db-connector-log is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: db-convertor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: tailwind-typography-stylecss is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: @modhamanish/rn-mm-template is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2
Snyk • added 3 days ago

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the GetEndpoints process. An attacker can cause the server to allocate excessive memory by sending a GetEndpointsRequest with an extremely large endpointUrl field, delivered in...

CVSS 7.5 • AI score 6 • EPSS 0.00386 • Exploits 0 • References 2

Snyk • added 3 days ago

Malicious Package

Overview: vitest-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 • AI score 6 • Exploits 0 • References 2

Snyk • added 3 days ago

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace API endpoints. An authenticated attacker can bypass access controls by sending trace read, search, delete, update, linking, or assessment requests for experiments they do...

CVSS 8.8 • AI score 7.2 • EPSS 0.00337 • Exploits 0 • References 2

Snyk • added 3 days ago

Missing Authorization

Overview: mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization via the beforerequest handler in the trace A...

CVSS 8.8 • AI score 7.3 • EPSS 0.00337 • Exploits 0 • References 2

Snyk • added 3 days ago

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the FindServers process. An attacker can cause the server to allocate excessive memory by sending a FindServersRequest with an unbounded serverUris field, delivering a very large...

CVSS 8.7 • AI score 6.2 • EPSS 0.00388 • Exploits 0 • References 2
Snyk • added 4 days ago

Improper Handling of Insufficient Permissions or Privileges

Overview: wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via the preview view in wagtail/images/views/images.py. An attacker can preview images they do not have...

CVSS 6.5 • AI score 6 • EPSS 0.00201 • Exploits 0 • References 2

Snyk • added 4 days ago

Allocation of Resources Without Limits or Throttling

Overview: wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the previewrequest, imageid, filterspec view in wagtail/images/views/images.py. An authenticated admin can...

CVSS 5.1 • AI score 5.8 • EPSS 0.0022 • Exploits 0 • References 2
Snyk • added 4 days ago

Prototype Pollution

Overview: jodit is a WYSIWYG editor with a file browser. Affected versions of this package are vulnerable to Prototype Pollution via the ConfigMerge and ConfigProto helpers in the configuration code. An attacker can mutate Object.prototype by supplying user-controlled...

CVSS 6.5 • AI score 6.5 • EPSS 0.00273 • Exploits 0 • References 2

Snyk • added 4 days ago

Cross-site Scripting (XSS)

Overview: jodit is a WYSIWYG editor with a file browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the safeHTML sanitizer in src/core/helpers/html/safe-html.ts and the clean-html plugin's value-set/on-change sanitization paths. An...

CVSS 7.2 • AI score 5.7 • EPSS 0.00179 • Exploits 0 • References 2

Snyk • added 4 days ago

Cross-site Scripting (XSS)

Overview: silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS): the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. Details: Cross-si...

CVSS 5.4 • AI score 5.7 • EPSS 0.00263 • Exploits 0 • References 2

Snyk • added 4 days ago

Directory Traversal

Overview: gradio is a Python library for easily interacting with trained machine learning models. Affected versions of this package are vulnerable to Directory Traversal via the preprocess method in the FileExplorer component. An attacker can read arbitrary files outside the configured rootdir by...

CVSS 8.7 • AI score 6.5 • EPSS 0.0069 • Exploits 0 • References 2
Snyk • added 4 days ago

Incorrect Permission Assignment for Critical Resource

Overview: Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the createconfig path in awscli/customizations/codedeploy/register.py. An attacker can read the CodeDeploy on-premises configuration file by accessing it on the same Unix-like ho...

CVSS 6.8 • AI score 6 • EPSS 0.00101 • Exploits 0 • References 2

Snyk • added 4 days ago

Deserialization of Untrusted Data

Overview: software.amazon.jdbc:aws-advanced-jdbc-wrapper is the Amazon Web Services (AWS) Advanced JDBC Wrapper. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the CachedResultSet deserialization path in the RemoteQueryCachePlugin. An attacker can execute...

CVSS 7.7 • AI score 6.7 • EPSS 0.00407 • Exploits 0 • References 2

Snyk • added 4 days ago

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection via improper handling of user-supplied input in the Special:Drilldown process. An attacker can execute arbitrary SQL commands by injecting crafted input. Remediation: Upgrade mediawiki/cargo to version 3.9.1 or higher...

CVSS 8.3 • AI score 6.2 • EPSS 0.00255 • Exploits 0 • References 2
Snyk • added 4 days ago

Use of Cache Containing Sensitive Information

Overview: Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the componentsCache process of the JSON:API and HAL item normalizers. An attacker can access attributes intended to be hidden from their user context by making requests that trigger cache...

CVSS 8.2 • AI score 6 • EPSS 0.00197 • Exploits 0 • References 2

Snyk • added 4 days ago

Use of Cache Containing Sensitive Information

Overview: Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the componentsCache process of the JSON:API and HAL item normalizers. An attacker can access attributes intended to be hidden from their user context by making requests that trigger cache...

CVSS 8.2 • AI score 6 • EPSS 0.00197 • Exploits 0 • References 2

Snyk • added 4 days ago

Use of Cache Containing Sensitive Information

Overview: api-platform/core builds a fully-featured hypermedia or GraphQL API in minutes. Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the componentsCache process of the JSON:API and HAL item normalizers. An attacker can access attribute...

CVSS 8.2 • AI score 6 • EPSS 0.00197 • Exploits 0 • References 2

Snyk • added 4 days ago

Access of Resource Using Incompatible Type ('Type Confusion')

Overview: api-platform/core builds a fully-featured hypermedia or GraphQL API in minutes. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') through the getResourceFromIri process. An attacker can assign a resource of an unintended...

CVSS 7.1 • AI score 6 • EPSS 0.00195 • Exploits 0 • References 2
Snyk • added 4 days ago

Sensitive Cookie with Improper SameSite Attribute

Overview: org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes. Affected versions of this package are vulnerable to Sensitive Cookie with Improper SameSite Attribute via ThreadSafeCookieStore in ThreadSafeCookieStore.add.... An attacker can plant a cookie f...

CVSS 6.3 • AI score 6 • EPSS 0.00179 • Exploits 0 • References 2

Snyk • added 4 days ago

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via unsafe JavaBean materialization in com.mchange.v2.naming.JavaBeanObjectFactory. An attacker can trigger arbitrary class construction and property initialization by supplying a malicious JNDI Referen...

CVSS 7.5 • AI score 6.1 • EPSS 0.00327 • Exploits 0 • References 2

Snyk • added 4 days ago

Weak Password Recovery Mechanism for Forgotten Password

Overview: Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password through the loginlink process. An attacker can gain unauthorized access to user accounts by reusing a previously issued password reset link after the password has been changed. Thi...

CVSS 5.1 • AI score 5.9 • Exploits 0 • References 2

Snyk • added 4 days ago

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the Compose.php process. An attacker can access arbitrary files on the server by crafting image source URLs containing traversal sequences after a valid CKEditor path prefix, which bypasses prefix validation and...

CVSS 7.1 • AI score 6.5 • EPSS 0.00379 • Exploits 0 • References 2

Snyk • added 4 days ago

Directory Traversal

Overview: github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Directory Traversal in the audit device validation logic when the legacy file audit path option is enabled. An attacker can access unauthorized directories by...

CVSS 5.9 • AI score 6.6 • EPSS 0.00278 • Exploits 0 • References 2
Snyk • added 4 days ago

Timing Attack

Overview: pay is a package for processing payments in Ruby on Rails apps. Affected versions of this package are vulnerable to Timing Attack via the validsignature? function. An attacker can recover valid webhook signatures by sending multiple requests with crafted Paddle-Signature header values and...

CVSS 9.1 • AI score 6 • Exploits 0 • References 2

Snyk • added 4 days ago

Incorrect Authorization

Overview: twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization in the checkSecurity process. An attacker can execute unauthorized filters, tags, or functions by manipulating the sandbox state between render...

CVSS 8.7 • AI score 6 • Exploits 0 • References 3

Snyk • added 4 days ago

Improper Validation of Array Index

Overview: Affected versions of this package are vulnerable to Improper Validation of Array Index in the UnmarshalJSON function when processing attacker-controlled short ciphertexts. An attacker can cause the server to panic and disrupt service by submitting a specially crafted JSON payload with a...

CVSS 5.3 • AI score 6 • Exploits 0 • References 2

Snyk • added 4 days ago

External Control of File Name or Path

Overview: keras is a high-level neural networks API for Python. Affected versions of this package are vulnerable to External Control of File Name or Path via the H5IOStore.verifydataset function and the fileeditor.py process. An attacker can access arbitrary files on the filesystem by...

CVSS 6.8 • AI score 6.3 • EPSS 0.00127 • Exploits 0 • References 2

Snyk • added 4 days ago

Deserialization of Untrusted Data

Overview: ray is a system for parallel and distributed Python that unifies the ML ecosystem. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the readwebdataset function. An attacker can execute arbitrary code on remote workers by supplying a specially...

CVSS 8.8 • AI score 6.4 • EPSS 0.00483 • Exploits 0 • References 2
Total number of security vulnerabilities: 33588