Malicious Package
Overview @immobiliarelabs/backstage-plugin-gitlab is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package in a...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-ldap-auth-backend is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-ldap-auth is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package in a...
Malicious Package
Overview @immobiliarelabs/backstage-plugin-gitlab-backend is a malicious package linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this package...
Directory Traversal
Overview @pnpm/installing.env-installer is an installer for configurational dependencies. Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names wi...
Directory Traversal
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names with traversal components in...
External Control of File Name or Path
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path through the patch-remove process. An attacker can cause deletion of arbitrary files outside the intended directory by crafting a patch entry that...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the patch-remove process. An attacker can cause deletion of arbitrary files outside the intended directory by crafting a patch entry that resolves outside the configured patches directory...
External Control of File Name or Path
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules directory by crafting a...
External Control of File Name or Path
Overview @pnpm/installing.deps-resolver resolves the dependency graph of a package. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules...
External Control of File Name or Path
Overview @pnpm/installing.deps-restorer provides fast installation using only pnpm-lock.yaml. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended nodemodul...
External Control of File Name or Path
Overview @pnpm/installing.deps-installer is a fast, disk space efficient installation engine. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended...
External Control of File Name or Path
Overview @pnpm/fs.symlink-dependency symlinks a dependency to node_modules. Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended node_modules director...
External Control of File Name or Path
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path via the stage download process. An attacker can overwrite arbitrary files outside the intended directory by crafting a manifest with malicious...
External Control of File Name or Path
Overview @pnpm/releasing.commands provides commands for deploy, pack, and publish. Affected versions of this package are vulnerable to External Control of File Name or Path via the stage download process. An attacker can overwrite arbitrary files outside the intended directory by crafting a manifest...
External Control of File Name or Path
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to External Control of File Name or Path through the handling of reserved or malformed bin names during global package operations. An attacker can cause deletion of critical directories...
External Control of File Name or Path
Overview @pnpm/bins.resolver returns the bins of a package. Affected versions of this package are vulnerable to External Control of File Name or Path through the handling of reserved or malformed bin names during global package operations. An attacker can cause deletion of critical directories...
Unsafe Dependency Resolution
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the approval process for dependency sources. An attacker can execute unauthorized code during the build lifecycle by crafting a dependency source...
Unsafe Dependency Resolution
Overview @pnpm/building.policy creates a function for filtering out dependencies that are not allowed to be built. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the approval process for dependency sources. An attacker can execute unauthorized code during...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the Live Preview process. An attacker can submit unauthorized content and generate shareable preview URLs by leveraging insufficient permission checks. Remediation Upgrade statamic/cms to version 5.74.0, 6.20....
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection in the export process. An attacker can execute arbitrary spreadsheet formulas by submitting specially crafted form values that begin with formula trigger characters, which are then interpreted as live formulas when the...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the Glide process. An attacker can cause the server to make unauthorized HTTP requests to internal network addresses by supplying a crafted URL that exploits DNS rebinding. Remediation Upgrade...
Directory Traversal
Overview pnpm is a fast, disk space efficient package manager. Affected versions of this package are vulnerable to Directory Traversal via the patch application process. An attacker can overwrite or delete arbitrary files on the filesystem by submitting a malicious .patch file containing crafted...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the tiff decoder. An attacker can cause a panic and potentially disrupt service by providing a specially crafted image file with an out-of-bounds strip offset. Remediation Upgrade github.com/golang/image/tiff to...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the tiff decoder. An attacker can cause a panic and potentially disrupt service by providing a specially crafted image file with an out-of-bounds strip offset. Remediation Upgrade golang.org/x/image/tiff to versio...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Control Panel fieldtype endpoints. An attacker can access metadata and content for resources without proper permissions by sending crafted requests as an authenticated user. Remediation Upgrade statamic/c...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the proxy process. An attacker can access internal network resources and cloud metadata endpoints by exploiting a race condition between DNS validation and the actual HTTP request, using DNS rebinding...
Unlock of a Resource that is not Locked
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...
Unlock of a Resource that is not Locked
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...
Uncontrolled Recursion
Overview Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Today, Scriban can be used not only in text templating scenarios, but also can ...
Allocation of Resources Without Limits or Throttling
Overview Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Today, Scriban can be used not only in text templating scenarios, but also can ...
Insertion of Sensitive Information into Log File
Overview web-auth/webauthn-symfony-bundle is a FIDO2/Webauthn Security Bundle For Symfony. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the onAuthenticationSuccess and onAuthenticationFailure processes. An attacker can obtain sensitive...
HTTP Request Smuggling
Overview Affected versions of this package are vulnerable to HTTP Request Smuggling in the ServerConnection process. An attacker can bypass application-level size limits or cause incorrect application behavior by sending HTTP/2 DATA frames with a total byte count that does not match the declared...
HTTP Request Smuggling
Overview Affected versions of this package are vulnerable to HTTP Request Smuggling in the ServerConnection process. An attacker can bypass application-level size limits or cause incorrect application behavior by sending HTTP/2 DATA frames with a total byte count that does not match the declared...
NULL Pointer Dereference
Overview muhammara creates, reads and modifies PDF files and streams, and is a drop-in replacement for the hummusjs PDF library. Affected versions of this package are vulnerable to NULL Pointer Dereference in the CreateFilterForStream process when handling PDF streams with /Filter /LZWDecode and a...
Information Exposure
Overview pterodactyl/panel is a game management panel. Affected versions of this package are vulnerable to Information Exposure via the email update process. An attacker can determine whether specific email addresses are registered by sending repeated requests and observing the system's responses...
Allocation of Resources Without Limits or Throttling
Overview python-socketio is a Socket.IO server and client for Python. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the process that stores binary EVENT and ACK messages in memory while awaiting their binary attachments. An attacke...
Allocation of Resources Without Limits or Throttling
Overview python-engineio is a Python implementation of the Engine.IO realtime client and server. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the heartbeat mechanism. An attacker can exhaust system resources by repeatedly triggering...
Allocation of Resources Without Limits or Throttling
Overview python-engineio is a Python implementation of the Engine.IO realtime client and server. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the handling of incoming messages when using ASGI with the long polling transport for POST...
Exposed Dangerous Method or Function
Overview nx is the core Nx plugin and contains the core functionality of Nx like the project graph, nx commands and task orchestration. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the local HTTP server's permissive CORS policy, which sends...
Missing Authorization
Overview pagekit/pagekit is a modular and lightweight CMS built with Symfony components and Vue.js. Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in the saveAction function of UserApiController. An attacker can gain elevated privileg...
Brute Force
Overview payload is a Node, React and MongoDB headless CMS and application framework. Affected versions of this package are vulnerable to Brute Force due to insufficient access control in the unlock process. An attacker can regain access to a locked account by exploiting the default unlock...
Directory Traversal
Overview extract-zip unzips a zip file into a directory using 100% javascript. Affected versions of this package are vulnerable to Directory Traversal via the extraction process. An attacker can access or modify arbitrary files by crafting a malicious zip archive containing symlinks that poin...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the StaticDirectoryHandler process. An attacker can gain unauthorized access to static files by sending requests with encoded slashes (%2F) in the URL, which bypasses route-level access controls due to inconsistent...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the StaticDirectoryHandler process. An attacker can gain unauthorized access to static files by sending requests with encoded slashes (%2F) in the URL, which bypasses route-level access controls due to inconsistent...
Directory Traversal
Overview github.com/labstack/echo/v4/middleware is a middleware package for echo. Affected versions of this package are vulnerable to Directory Traversal via the StaticDirectoryHandler process. An attacker can gain unauthorized access to static files by sending requests with encoded slashes (%2F) i...
Directory Traversal
Overview github.com/labstack/echo/v5/middleware is a middleware package for echo. Affected versions of this package are vulnerable to Directory Traversal via the StaticDirectoryHandler process. An attacker can gain unauthorized access to static files by sending requests with encoded slashes (%2F) i...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the in_opentelemetry process. An attacker can cause excessive memory consumption by sending a large HTTP request or a highly compressed payload that decompresses to a very large...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free via the model quantization engine. An attacker can access and extract sensitive data from the server's heap memory by sending unauthenticated remote requests. Remediation There is no fixed version for...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the in_s3 process. An attacker can cause excessive memory consumption by uploading a highly compressed file that decompresses to a large size, leading to resource exhaustion and...