35565 matches found
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the IPAllowlist function in the accesscontrol.go component. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, and availability by sending crafted requests remotely...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass via the IPAllowlist function in the accesscontrol.go component. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, and availability by sending crafted requests remotely...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the rt.ReloadConfig function when processing the message.send argument. An attacker can cause unauthorized configuration reloads and potentially disrupt service integrity and availability by sending crafted...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the rt.ReloadConfig function when processing the message.send argument. An attacker can cause unauthorized configuration reloads and potentially disrupt service integrity and availability by sending crafted...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the rt.ReloadConfig function when processing the message.send argument. An attacker can cause unauthorized configuration reloads and potentially disrupt service integrity and availability by sending crafted...
Malicious Package
Overview @luminarycloudinternal/frodo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @luminarycloudinternal/lcvis-st is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...
Malicious Package
Overview cursed-ecto-d3ab00 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview unreal-horde-dashboard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview ue-jenkins-buildkite is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ue-automation-scripts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview robomerge is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview epic-internal-tools is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview searchresults is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview voyager-web is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview @businessapp-microsites/apis is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview workspace-scripts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview workspace-lint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nodemon-patch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nodemon-gulp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nodepack-daemon is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview crypto-promiser is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview paperclip-adapter-helpers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview vps-new-manager is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebFetchTool.Execute function in the Guarded Web Fetch Flow process. An attacker can make the server initiate arbitrary HTTP requests to internal or external resources by supplying crafted URLs...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebFetchTool.Execute function in the Guarded Web Fetch Flow process. An attacker can make the server initiate arbitrary HTTP requests to internal or external resources by supplying crafted URLs...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the WebFetchTool.Execute function in the Guarded Web Fetch Flow process. An attacker can make the server initiate arbitrary HTTP requests to internal or external resources by supplying crafted URLs...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MQTT Channel Handler process due to improper handling of the clientid argument. An attacker can gain unauthorized access and perform actions with insufficient authorization by sending crafted requests...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the MQTT Channel Handler process due to improper handling of the clientid argument. An attacker can gain unauthorized access and perform actions with insufficient authorization by sending crafted requests...
Symlink Attack
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Symlink Attack via the fs.link process. An attacker can gain unauthorized access to sensitive files or corrupt file contents by crafting an archive containing a hardlink...
Symlink Attack
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Symlink Attack in the symlink handling process. An attacker can create arbitrary symbolic links outside the intended extraction directory by crafting an archive with...
Directory Traversal
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the safeMakeDir function and extraction path validation process. An attacker can write arbitrary files outside the intended...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the admin.php configuration update process. An attacker can modify administrator settings by tricking a logged-in administrator into submitting a forged POST request, which disables the file...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ntitle parameter in the PFS module, which is processed through the TXT filter in pfs.main.php. An attacker can execute arbitrary scripts in the browser of users who view the affected folder listing by...
Unsafe Dependency Resolution
Overview Affected versions of this package are vulnerable to Unsafe Dependency Resolution when the gh codespace jupyter process opens a JupyterLab URL supplied by a process inside a Codespace without validating that it is a loopback HTTP or HTTPS address. An attacker can execute arbitrary command...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the validation process for BGP UPDATE messages containing an empty ASPATH attribute. An attacker can cause a panic and terminate the peer session by sending a malformed UPDATE with a zero-length...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the validation process for BGP UPDATE messages containing an empty ASPATH attribute. An attacker can cause a panic and terminate the peer session by sending a malformed UPDATE with a zero-length...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the validation process for BGP UPDATE messages containing an empty ASPATH attribute. An attacker can cause a panic and terminate the peer session by sending a malformed UPDATE with a zero-length...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the BGP OPEN capability parsing process. An attacker can influence peer AS validation and capability negotiation by sending a specially crafted BGP OPEN message with a malformed capability length, causing the parse...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the BGP OPEN capability parsing process. An attacker can influence peer AS validation and capability negotiation by sending a specially crafted BGP OPEN message with a malformed capability length, causing the parse...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the BGP OPEN capability parsing process. An attacker can influence peer AS validation and capability negotiation by sending a specially crafted BGP OPEN message with a malformed capability length, causing the parse...
External Control of File Name or Path
Overview psd-tools is a Python package for working with Adobe Photoshop PSD files as described in specification. Affected versions of this package are vulnerable to External Control of File Name or Path through the save and open functions. An attacker can write arbitrary files to attacker-chosen...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to improper validation in the threshold counting process. An attacker can bypass multi-log threshold requirements by compromising a single log and forging multiple entries or...
External Control of File Name or Path
Overview py-rattler is an A blazing fast library to work with the conda ecosystem Affected versions of this package are vulnerable to External Control of File Name or Path via the build string in package metadata during cache materialization. An attacker can cause files to be written outside the...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect in the redirect URL validation process. An attacker can cause users to be redirected to arbitrary external sites by crafting a specially formatted URL that bypasses host and schema checks using a double slash prefix in the...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization due to insufficient permission checks on the configuration-view/detail/create endpoint. An attacker can gain unauthorized access to create class definitions and potentially escalate privileges by sending crafted...
Weak Password Recovery Mechanism for Forgotten Password
Overview Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the resetPasswordUrl parameter in the password reset process. An attacker can gain unauthorized access to any administrator account and bypass two-factor authentication by...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the key parameter in the columnFilters array, which is directly interpolated into SQL queries with manual backtick wrapping. An attacker can extract sensitive database information, including password hashes, by injecti...
Malicious Package
Overview @kl-starfish/test-01 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Authorization Bypass Through User-Controlled Key
Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /api/v2/shop/payment-requests/hash, PUT /api/v2/shop/payment-requests/hash, and POST...