36343 matches found
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parselinktext function of mistune/inlineparser.py, which performs a regex search inside a loop that advances one character at a time when parsing fails, producing On² behavior...
Arbitrary Argument Injection
Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the SubtitleEncoder.ConvertTextSubtitleToSrtInternal process. An attacker can achieve...
Directory Traversal
Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Directory Traversal via the POST /ClientLog/Document endpoint, which uses unsanitized values from the Authorization header...
Cross-site Scripting (XSS)
Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the AuthenticateByName process. An attacker can execute arbitrary JavaScript in the context o...
Incomplete List of Disallowed Inputs
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the isPrivateIp logic in core/server/lib/request-external.js. An attacker can make Ghost send server-side requests to internal services by supplying an external...
Directory Traversal
Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Directory Traversal via the PathManager.GetAttachmentPath process. An attacker can achieve remote code execution by crafti...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in ghost/core/core/server/lib/request-external.js. An attacker can make the Ghost server connect to internal-network hosts by supplying an external URL that...
Server-side Request Forgery (SSRF)
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the populateImageSizes process in ghost/core/core/server/lib/mobiledoc.js. An authenticated staff user can trigger the server to make outbound requests to attacker-chos...
Improper Validation of Syntactic Correctness of Input
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the validation of filters on public API endpoints. An attacker can access private fields by sending specially crafted filter requests. Note: This is...
Arbitrary File Upload
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Arbitrary File Upload through the Admin API /files/upload endpoint in ghost/core/core/server/api/endpoints/files.js. An attacker can make uploaded files be served with an attacker-chosen content type by...
Information Exposure
Overview ghost is a publishing platform Affected versions of this package are vulnerable to Information Exposure via the members signin process. An attacker can enumerate registered email addresses by analyzing the differences in responses from the authentication endpoint. Remediation Upgrade gho...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ActivityPub client when processing posts shared by a maliciously customized ActivityPub server. An attacker can execute arbitrary JavaScript code in the context of the user by injecting malicious content...
Malicious Package
Overview @kl-dolphin/swim is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the filterToDefinedArgumentsOnly process. An attacker can inject arbitrary unvalidated arguments with the ot prefix, which are then set as environment variables and included in the template context, by...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation via the filterToDefinedArgumentsOnly process. An attacker can inject arbitrary unvalidated arguments with the ot prefix, which are then set as environment variables and included in the template context, by...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the ValidateArgumentType process. An attacker can gain unauthorized access to sensitive configuration details by sending unauthenticated requests to enumerate valid action binding IDs and their argument...
Unsynchronized Access to Shared Data in a Multithreaded Context
Overview Affected versions of this package are vulnerable to Unsynchronized Access to Shared Data in a Multithreaded Context in the parseTemplate process, which uses a shared tpl template instance across concurrent goroutines without synchronization. An attacker can cause process crashes,...
Improper Authorization
Overview org.openidentityplatform.openam:OpenFM is a Affected versions of this package are vulnerable to Improper Authorization. via the Liberty Web Services SOAP receiver. An attacker can write persistent entries into any user's LDAP entry and the shared root-realm Discovery branch by sending...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization via the Liberty Web Services SOAP receiver. An attacker can write persistent entries into any user's LDAP entry and the shared root-realm Discovery branch by sending anonymous requests to the relevant endpoint,...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialization process of untrusted data in the WebAuthn authentication module. An attacker can execute arbitrary code in the context of the application server by supplying crafted serialized...
Deserialization of Untrusted Data
Overview feast is a Python SDK for Feast Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the ApplyFeatureView handler of registryserver.py, which calls FeatureView.fromproto and deserializes the feature view's embedded user-defined function before the appl...
Malicious Package
Overview normalize-plus is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview runtime-query is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Buffer Overflow
Overview Affected versions of this package are vulnerable to Buffer Overflow in the sscanf process when parsing LUT data lines from .spi3d files. An attacker can cause arbitrary code execution or application crash by supplying a specially crafted .spi3d file containing excessively long input line...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to insufficient permission validation in the process. An attacker can obtain credential identifiers by leveraging global configuration privileges without having specific job configuration permissions. Remediati...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the connect process. An attacker can establish unauthorized connections to arbitrary URLs by supplying attacker-controlled credential IDs. Remediation Upgrade org.jenkins-ci.plugins:gitee to version...
Cross-site Request Forgery (CSRF)
Overview io.jenkins.plugins:mcp-server is a The MCP Model Context Protocol Server Plugin for Jenkins implements the server-side component of the Model Context Protocol. This plugin enables Jenkins to act as an MCP server, providing context, tools, and capabilities to MCP clients, such as...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the exwsAllocate process. An attacker can access arbitrary files on the controller file system and potentially execute code by supplying specially crafted path traversal sequences. Details A Directory Traversal...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the connect process. An attacker can initiate unauthorized connections to arbitrary URLs using credentials IDs of their choosing by tricking a user into performing unwanted actions while authenticated...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the global job priority configuration process. An attacker can modify configuration settings by tricking an authenticated user into submitting a malicious request. Remediation Upgrade...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection due to build operations being performed on the Jenkins controller instead of the assigned agent. An attacker can execute arbitrary code on the Jenkins controller by obtaining Item/Configure permission. Remediati...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to missing permission checks in the process responsible for handling Contrast metadata. An attacker can enumerate the names of configured Contrast metadata by leveraging Overall/Read permission. Remediation...
Missing Authorization
Overview io.jenkins.plugins:mcp-server is a The MCP Model Context Protocol Server Plugin for Jenkins implements the server-side component of the Model Context Protocol. This plugin enables Jenkins to act as an MCP server, providing context, tools, and capabilities to MCP clients, such as...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to a missing permission check in the connect process. An attacker can initiate unauthorized connections to arbitrary URLs by supplying crafted credentials, potentially exposing sensitive information or...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process that handles external URL connections. An attacker can cause the system to connect to an arbitrary URL with attacker-controlled credentials by tricking an authenticated user into making a...
Cross-site Scripting (XSS)
Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Cross-site Scripting XSS through the Respond to Webhook binary response path in the webhook response handling code. An authenticated workflow editor can configure a public webhook to return...
User Impersonation
Overview @n8n/n8n-nodes-langchain is a Affected versions of this package are vulnerable to User Impersonation via the MicrosoftAgent365Trigger node failing to validate inbound requests. An attacker can execute workflows with attacker-controlled data by submitting forged payloads to the webhook UR...
Missing Authorization
Overview org.jenkins-ci.plugins:git-parameter is a plugin that allows you to assign git branch, tag, pull request or revision number as parameter in your builds. Affected versions of this package are vulnerable to Missing Authorization due to a missing permission check in the process. An attacker...
Exposure of Private Personal Information to an Unauthorized Actor
Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the display of historical job and agent configurations. An attacker can access sensitive encrypted secret values by obtaining Extended Read permission. Remediation...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass in the Pipeline Snippet Generator process. An attacker can gain unauthorized access to instantiate types related to job or system configuration by submitting crafted input to the generator. Remediation Upgrade...