35936 matches found
Missing Authorization
Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Missing Authorization in the process that manages temporary destinations. An attacker can gain unauthorized access to consume messages from another...
Missing Authorization
Overview org.apache.activemq:apache-activemq is a Message Broker and Client implementations. Affected versions of this package are vulnerable to Missing Authorization in the process that manages temporary destinations. An attacker can gain unauthorized access to consume messages from another user...
Memory Allocation with Excessive Size Value
Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the STOMP NIO codec process. An attacker can cause the broker to buffer unbounded header data,...
Memory Allocation with Excessive Size Value
Overview org.apache.activemq:apache-activemq is a Message Broker and Client implementations. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value. via the STOMP NIO codec process. An attacker can cause the broker to buffer unbounded header data, leading ...
Allocation of Resources Without Limits or Throttling
Overview org.apache.activemq:activemq-broker is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the OpenWire process. An attacker can exhaust system memory...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the STOMP NIO codec process. An attacker can cause the broker to buffer unbounded header data, leading to exhaustion of the JVM heap by sending header bytes that never terminate over a STO...
Allocation of Resources Without Limits or Throttling
Overview org.apache.activemq:apache-activemq is a Message Broker and Client implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the OpenWire process. An attacker can exhaust system memory by repeatedly sending BrokerInfo...
Allocation of Resources Without Limits or Throttling
Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the OpenWire process. An attacker can exhaust system memory by repeatedly sending BrokerInf...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of the browse page in the web console, where message IDs are displayed without proper sanitization. An attacker can execute arbitrary HTML or JavaScript code in the browser of an administrator b...
Cross-site Scripting (XSS)
Overview org.apache.activemq:apache-activemq is a Message Broker and Client implementations. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of the browse page in the web console, where message IDs are displayed without proper sanitization. An attacke...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the FuzzyMatchV2 function. An attacker can cause the application to terminate unexpectedly by supplying a specially crafted input of approximately 2.2 million bytes with a 999-byte pattern to a running...
Incorrect Privilege Assignment
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the Identity Provider mapper process. An attacker can gain unauthorized...
Inefficient Algorithmic Complexity
Overview org.webjars.npm:brace-expansion is a WebJar for brace-expansion. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the expand function. An attacker can cause excessive CPU consumption and block the event loop by supplying a specially crafted strin...
Inefficient Algorithmic Complexity
Overview brace-expansion is a Brace expansion as known from sh/bash Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the expand function. An attacker can cause excessive CPU consumption and block the event loop by supplying a specially crafted string...
Authorization Bypass Through User-Controlled Key
Overview @keycloakify/keycloak-admin-ui is a Repackaged Keycloak Admin UI a href="https://github.com/keycloakify/keycloak-adm Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the BruteForceUsersResource process. An attacker can access sensiti...
Directory Traversal
Overview nltk is a Natural Language Toolkit NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Directory Traversal via the resourcename parameter in the load or find functions. An attacker can access arbitrary files on the system by...
Improper Neutralization of Special Elements in Data Query Logic
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the checkUserPassword process. An attacker can execute arbitrary queries on the backend database by injecting specially crafted input into the password field of a Graph...
Improper Neutralization of Special Elements in Data Query Logic
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the checkUserPassword process. An attacker can execute arbitrary queries on the backend database by injecting specially crafted input into the password field of a Graph...
Cross-site Scripting (XSS)
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the number guess process. An attacker can execute arbitrary...
Always-Incorrect Control Flow Implementation
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to incorrect control flow in the RewriteValv...
Always-Incorrect Control Flow Implementation
Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to incorrect control flow in the RewriteValve process. An attacker can bypass intended rewrite rules by crafting...
Always-Incorrect Control Flow Implementation
Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to incorrect control flow in the RewriteValve process. An attacker can bypass...
Improper Authorization
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default...
Always-Incorrect Control Flow Implementation
Overview org.apache.tomcat:tomcat-util is a Common code shared by multiple Tomcat components. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the incomplete logging of the effective web.xml when special roles and empty authorization...
Improper Authorization
Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default servlet when certain HTTP methods or method omissions are configure...
Improper Authorization
Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default servlet when certain HTTP methods or...
Always-Incorrect Control Flow Implementation
Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the incomplete logging of the effective web.xml when special roles and empty authorization constraints are...
Always-Incorrect Control Flow Implementation
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the incomplete logging of the effective...
Missing Critical Step in Authentication
Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the JNDIRealm process when configured to authenticate binds using GSSAPI. An attacker can gain unauthorized access by...
Missing Critical Step in Authentication
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the JNDIRealm process when configured to...
Missing Critical Step in Authentication
Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the JNDIRealm process when configured to authenticate binds using GSSAPI. An attacker can...
Improper Authentication
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Improper Authentication in the EncryptionInterceptor process of the cluster component. An...
Detection of Error Condition Without Action
Overview org.apache.tomcat:tomcat-util is a Common code shared by multiple Tomcat components. Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to improper handling of invalid certificate revocation list CRL configurations in the FFM connector. An...
Detection of Error Condition Without Action
Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to improper handling of invalid certificate revocation list CRL configurations in the FFM connector. An attacker...
Detection of Error Condition Without Action
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to improper handling of invalid certificate...
Improper Authentication
Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authentication in the EncryptionInterceptor process of the cluster component. An attacker can gain unauthorized access or...
Improper Authentication
Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication in the EncryptionInterceptor process of the cluster component. An attacker can gain unauthorized access or perform unauthorized actions b...
Use of a Broken or Risky Cryptographic Algorithm
Overview @strapi/plugin-users-permissions is a headless CMS Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to improper restriction of accepted JWT algorithms in the plugin::users-permissions.jwt.algorithm configuration. An attacker can...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the alloperations process. An attacker can execute arbitrary Ruby code in the application process by supplying crafted operation names in a WSDL file. Remediation Upgrade savon to version 2.17.2 or higher...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the readremotefile function. An attacker can access internal network resources or disclose arbitrary local files by supplying a crafted CSS file containing a malicious @import url... directive, which...
Cross-site Scripting (XSS)
Overview secureheaders is a library that manages application of security headers with many safe defaults. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the overridecontentsecuritypolicydirectives process. An attacker can inject arbitrary Content Security Policy...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the clear function. An attacker can access or manipulate memory contents from another buffer by triggering the reuse of a memory page after it has been returned to the shared pool, leading to unintended disclosure or...
Server-side Request Forgery (SSRF)
Overview snowflake-cli is a Snowflake CLI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the !source or !load directives, which allow referencing remote URLs that are fetched at runtime without sufficient restriction on the request destination. An attacke...
SQL Injection
Overview snowflake-cli is a Snowflake CLI Affected versions of this package are vulnerable to SQL Injection via improper neutralization of parameters in the secret creation and spcs service log commands. An attacker can execute unintended SQL statements by supplying crafted input to vulnerable...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the api/dump and api/restore endpoints when the adminapikey is empty. An attacker can access and exfiltrate the entire database, including sensitive user records and feedback data, or...
Authorization Bypass Through User-Controlled Key
Overview modoboa is a Mail hosting made simple Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the PUT /api/v1/accounts/pk/password/ endpoint. An attacker can gain unauthorized access to privileged accounts by bypassing object-level access...
Use of Less Trusted Source
Overview libretranslate is a Free and Open Source Machine Translation API. Self-hosted, no limits, no ties to proprietary services. Affected versions of this package are vulnerable to Use of Less Trusted Source via the getremoteaddress function. An attacker can bypass per-IP rate limiting and flo...
Sensitive Cookie Without "HttpOnly" Flag
Overview Affected versions of this package are vulnerable to Sensitive Cookie Without "HttpOnly" Flag via missing HttpOnly and Secure attributes on the pinpointJwt session cookie. An attacker can access session tokens by exploiting stored or reflected cross-site scripting to exfiltrate the cookie...
Sensitive Cookie Without "HttpOnly" Flag
Overview Affected versions of this package are vulnerable to Sensitive Cookie Without "HttpOnly" Flag via missing HttpOnly and Secure attributes on the pinpointJwt session cookie. An attacker can access session tokens by exploiting stored or reflected cross-site scripting to exfiltrate the cookie...
Missing Authorization
Overview mythic is an Interact with Mythic C2 Framework Instances Affected versions of this package are vulnerable to Missing Authorization in the c2profileconfigcheckwebhook, c2profileredirectruleswebhook, c2profilegetiocwebhook, and c2profilesamplemessagewebhook endpoints due to missing...