36127 matches found
UNIX Symbolic Link (Symlink) Following
Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following through the WriteToCachedFile function when handling network cache files in certain configurations. An attacker can overwrite specific host files and change their ownership by planting a symbolic lin...
UNIX Symbolic Link (Symlink) Following
Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following through the WriteToCachedFile function when handling network cache files in certain configurations. An attacker can overwrite specific host files and change their ownership by planting a symbolic lin...
Deserialization of Untrusted Data
Overview composer is a Composer is a PyTorch library that enables you to train neural networks faster, at lower cost, and to higher accuracy. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the parsing process of checkpoints. An attacker can execute...
Directory Traversal
Overview chrome-devtools-mcp is a MCP server for Chrome DevTools Affected versions of this package are vulnerable to Directory Traversal through the validatePath function. An attacker can access or modify files outside the intended workspace boundaries by leveraging symlinks that point to locatio...
Improper Handling of Unexpected Data Type
Overview Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type via the Link::isAllowedUri function when processing Tiptap JSON containing an attrs.href field set to an array instead of a string. An attacker can cause persistent server-side crashes by...
Incomplete Filtering of Special Elements
Overview angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package...
Incomplete Filtering of Special Elements
Overview org.webjars.npm:angular is a WebJar for angular. Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements in the $sceDelegate service's trustedResourceUrlList validation, where a regular expression intended to match the entire resource URL is only...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the git diff process. An attacker can overwrite critical files and disrupt service availability by supplying crafted input that bypasses directory restrictions. Details A Directory Traversal attack also known as...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the git diff process. An attacker can overwrite critical files and disrupt service availability by supplying crafted input that bypasses directory restrictions. Details A Directory Traversal attack also known as...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API endpoints responsible for managing repository settings. An attacker can modify admin-only repository configurations, such as disabling the native issue tracker or wiki, injecting external tracker or...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API endpoints responsible for managing repository settings. An attacker can modify admin-only repository configurations, such as disabling the native issue tracker or wiki, injecting external tracker or...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the handling of organization names containing path traversal sequences. An attacker can execute arbitrary code on the server by creating nested Git repositories that overwrite another repository's hooks...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the handling of organization names containing path traversal sequences. An attacker can execute arbitrary code on the server by creating nested Git repositories that overwrite another repository's hooks...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass in the authorization process for Git smart HTTP requests. An attacker can gain unauthorized write access to repositories configured as read-only by manipulating the service query string to bypass intended access...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass in the authorization process for Git smart HTTP requests. An attacker can gain unauthorized write access to repositories configured as read-only by manipulating the service query string to bypass intended access...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the UploadRepoFiles process. An attacker can write arbitrary files outside the intended repository working tree by uploading a multipart file with a filename containing a literal backslash, which, when combined...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the password-reset token generation process. An attacker can gain unauthorized access to user accounts by exploiting the extended validity period of reset tokens, even when a shorter expirati...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the serveUpload process. An attacker can access and download content from private repositories belonging to other tenants by binding their own repository to an existing object...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the password-reset token generation process. An attacker can gain unauthorized access to user accounts by exploiting the extended validity period of reset tokens, even when a shorter expirati...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the password-reset token generation process. An attacker can gain unauthorized access to user accounts by exploiting the extended validity period of reset tokens, even when a shorter expirati...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the UploadRepoFiles process. An attacker can write arbitrary files outside the intended repository working tree by uploading a multipart file with a filename containing a literal backslash, which, when combined...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the password-reset token generation process. An attacker can gain unauthorized access to user accounts by exploiting the extended validity period of reset tokens, even when a shorter expirati...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the serveUpload process. An attacker can access and download content from private repositories belonging to other tenants by binding their own repository to an existing object...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the password-reset token generation process. An attacker can gain unauthorized access to user accounts by exploiting the extended validity period of reset tokens, even when a shorter expirati...
Use of a Key Past its Expiration Date
Overview Affected versions of this package are vulnerable to Use of a Key Past its Expiration Date due to the password-reset token generation process. An attacker can gain unauthorized access to user accounts by exploiting the extended validity period of reset tokens, even when a shorter expirati...
Malicious Package
Overview @kl-dolphin/jump is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the internal/route/repo/wiki.go and internal/route/repo/view.go processes. An attacker can cause the web interface to become unusable and trigger HTTP 500 errors by creating a new file and...
Improper Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the internal/route/repo/wiki.go and internal/route/repo/view.go processes. An attacker can cause the web interface to become unusable and trigger HTTP 500 errors by creating a new file and...
Improper Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the internal/route/repo/wiki.go and internal/route/repo/view.go processes. An attacker can cause the web interface to become unusable and trigger HTTP 500 errors by creating a new file and...
Improper Handling of Exceptional Conditions
Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions via the internal/route/repo/wiki.go and internal/route/repo/view.go processes. An attacker can cause the web interface to become unusable and trigger HTTP 500 errors by creating a new file and...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Watch API handler. An attacker can gain unauthorized access to private repository activity by exploiting an inverted access check, allowing them to monitor commit messages, branch names, issue titles, and...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Watch API handler. An attacker can gain unauthorized access to private repository activity by exploiting an inverted access check, allowing them to monitor commit messages, branch names, issue titles, and...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the ENABLEREVERSEPROXYAUTHENTICATION process. An attacker can impersonate any user or trigger automatic account creation by forging the configured authentication header in client requests. This is only exploitable...
Improper Neutralization of Special Elements Used in a Template Engine
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the RenderIssueIndexPattern process. An attacker can cause a panic and disrupt service availability by configuring a specially crafted issue index pattern containi...
Improper Neutralization of Special Elements Used in a Template Engine
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the RenderIssueIndexPattern process. An attacker can cause a panic and disrupt service availability by configuring a specially crafted issue index pattern containi...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the webhook delivery process. An attacker can access internal network resources by supplying a webhook URL that follows redirects to hostnames within restricted local address ranges. Remediation Upgra...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the organization team member management process due to the lack of CSRF protection on GET requests. An attacker can gain organization owner–equivalent privileges by tricking a logged-in organization...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the organization team member management process due to the lack of CSRF protection on GET requests. An attacker can gain organization owner–equivalent privileges by tricking a logged-in organization...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade gogs.io/gogs/internal/route/repo to versi...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade gogs.io/gogs/internal/route/api/v1/repo t...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade gogs.io/gogs/internal/form to version...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade github.com/gogs/gogs/internal/form to...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade github.com/gogs/gogs/internal/route/repo ...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the SaveAddress function. An attacker can access unauthorized local repositories by providing a crafted repository address in the Mirror Settings. Remediation Upgrade...