36127 matches found
Insecure Temporary File
Overview @anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Insecure Temporary File via the...
Unsafe Dependency Resolution
Overview Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the handling of configDependencies from pnpm-workspace.yaml, where installDeps.ts resolves and spawns a repository-selected native install engine without verifying that the repository is authorized to...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the SNS callback process. An attacker can trigger class loading and object construction with attacker-controlled data by sending specially crafted SNS callbacks after the in-memory dispatcher entry f...
Insufficient Session Expiration
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Session Expiration via the Registration Access Token process. An attacker can gain unauthorized...
Authorization Bypass Through User-Controlled Key
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the addChild endpoint in the Admin REST API when...
Cross-site Scripting (XSS)
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the client URI validation process. An attacker can execute arbitrary scripts in...
Directory Traversal
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Directory Traversal via the keystore parameter when creating a key provider component. An attacker can...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the keystore parameter when creating a key provider component. An attacker can determine the existence and readability of files on the server by submitting crafted filesystem paths. This is only exploitable if th...
Cross-site Scripting (XSS)
Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email address field on the ticket confirmation page. An attacker can execute arbitrary scripts in the context of a user's browser by injecting...
Cross-site Scripting (XSS)
Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Cross-site Scripting XSS via the layout specification process of PDF ticket or badge layouts. An attacker can execute arbitrary JavaScript in the browser context of another backend...
Cross-site Scripting (XSS)
Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Cross-site Scripting XSS via the redirection process. An attacker can inject malicious HTML content into the page displayed during redirection to an untrusted destination, potential...
Cross-site Scripting (XSS)
Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Cross-site Scripting XSS via the PDF rendering process. An attacker can cause the server to make arbitrary HTTP requests and potentially leak internal network information by injecti...
Authentication Bypass by Alternate Name
Overview org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name in the shiro-guice module when...
Authentication Bypass by Alternate Name
Overview Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name in the shiro-guice module when deployed in a web servlet context. An attacker can gain unauthorized access by sending specially crafted HTTP requests. Remediation Upgrade...
Replay Attack
Overview Affected versions of this package are vulnerable to Replay Attack due to the server not verifying the expiration of the RememberMe cookie. An attacker can maintain unauthorized access by intercepting and reusing a valid cookie beyond its intended expiration. This is only exploitable if t...
Replay Attack
Overview org.apache.shiro:shiro-core is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Replay Attack due to the server not verifying the expiration of the...
Replay Attack
Overview org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Replay Attack due to the server not verifying the expiration of the...
Inefficient Algorithmic Complexity
Overview shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseInternal function of parse.js, where parse finalizes the token list with Array.prototype.concat inside a reduce, copying the...
Inefficient Algorithmic Complexity
Overview org.webjars.npm:shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the parseInternal function of parse.js, where parse finalizes the token list with Array.prototype.concat inside a...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview org.jenkins-ci.plugins:github-branch-source is a multibranch projects and organization folders from GitHub. Maintained by CloudBees, Inc. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via a missing permissio...
Credential Exposure
Overview org.jenkins-ci.plugins:fitnesse is a Jenkins fitnesse plugin. Affected versions of this package are vulnerable to Credential Exposure due to a job in that store passwords unencrypted. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins...
LDAP Injection
Overview Affected versions of this package are vulnerable to LDAP Injection via the Windows native ADSI authentication path, does not escape the user name before building the LDAP search filter. This allows unauthenticated attackers to inject LDAP wildcard characters into the user name, enabling...
Command Injection
Overview org.jenkins-ci.plugins:git-client is a Jenkins git client plugin. Affected versions of this package are vulnerable to Command Injection via improper neutralization of workspace directory names in the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to not performing permission checks in several HTTP endpoints that used to validate cloud configurations. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using...
Unsafe Dependency Resolution
Overview org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via Groovy AST transformation annotations during...
Improper Control of Dynamically-Managed Code Resources
Overview org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via incomplete sandbox...
Malicious Package
Overview pathfix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview easy-time-format is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview easy-time666 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ccl-component-resources is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview build-tracker-n5p1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview event-metrics-q3x7 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview boardflow is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview block-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ts-grok is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview axl-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview loadninja-shared is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nolimit-x is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview atlassian-forge-skills is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview signup-embedder is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview poc-publish-test-su-doughnym is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @su-doughnym/react-dlb is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview @su-doughnym/metrics-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview @su-doughnym/loginui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview nabisco is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview @su-doughnym/hubspot-loginui-poc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
Malicious Package
Overview two-factor-prompt-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview hs-locale-management is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview data-fetching-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @helpcentre/tesco-help is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...