36053 matches found
Incorrect Authorization
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization in the authorization process. An attacker can gain unauthorized read access by bypassing security measures. Exploit depends on conditions beyond the...
Incorrect Authorization
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can gain unauthorized read access by bypassing security measures. Exploit depends on conditions beyond th...
Cross-site Scripting (XSS)
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript code in the context of another user's browser session by injecting malicious...
Cross-site Scripting (XSS)
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript code in the context of another user's browser session by injecting malicious...
Incorrect Authorization
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can bypass security measures and gain unauthorized read access by leveraging high privileges without...
SQL Injection
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to SQL Injection via the SQL query process. An attacker can execute arbitrary SQL commands and potentially gain elevated access or control over user accounts by sending crafte...
Incorrect Authorization
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization in the authorization process. An attacker can gain unauthorized read and write access by bypassing security measures remotely without user...
Cross-site Scripting (XSS)
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript code in the context of another user's browser session by injecting malicious...
Incorrect Authorization
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can gain unauthorized read and write access by bypassing security measures. Remediation Upgrade...
Open Redirect
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Open Redirect via the redirect process. An attacker can redirect users to an external, attacker-controlled website by crafting a malicious URL and convincing a user to clic...
Improper Encoding or Escaping of Output
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via improper encoding or escaping of output. An attacker can execute arbitrary code in the context of the current user by crafting...
Cross-site Scripting (XSS)
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript in the context of another user's browser session by injecting malicious scripts...
Arbitrary File Upload
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload process. An attacker can execute arbitrary code in the context of the current user by uploading a file with a dangerous type and...
Information Exposure
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Information Exposure in the process that handles sensitive data. An attacker can obtain limited sensitive information by sending crafted requests under specific conditions...
Improper Isolation or Compartmentalization
Overview Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization via incorrect ordering in the listener-rule generation process. An attacker can intercept, spoof, or deny traffic intended for another namespace by crafting a malicious HTTPRoute resource on a...
Server-side Request Forgery (SSRF)
Overview awslabs.healthlake-mcp-server is an An AWS Labs Model Context Protocol MCP server for healthlake Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the nexttoken parameter in the pagination process. An attacker can exfiltrate AWS temporary security...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSO...
Incorrect Authorization
Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling...
Malicious Package
Overview jsonfb is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview json-bigint-extend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview moonskin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Arbitrary File Upload
Overview Affected versions of this package are vulnerable to Arbitrary File Upload in the move process. An attacker can write arbitrary files outside the intended directory and achieve remote code execution by uploading specially crafted filenames containing directory traversal sequences and...
Missing Authentication for Critical Function
Overview netlicensing-mcp is a MCP server for the Labs64 NetLicensing license management API Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ApiKeyMiddleware process. An attacker can gain unauthorized access to critical operations by sending...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the serviceAccountName field in the Kubernetes backend configuration. An attacker can gain elevated privileges by specifying an arbitrary ServiceAccount, allowing access to sensitive resources and potential ful...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the allowprivate process. An attacker can access internal network resources and obtain sensitive information by setting the allowprivate parameter to true in webhook subscriptions, which disables SSRF...
Operation on a Resource after Expiration or Release
Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the lack of enforcement of certificate revocation in the mesh network. An attacker can maintain unauthorized access to internal services and peers by continuing to use a revoked...
Operation on a Resource after Expiration or Release
Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the lack of enforcement of certificate revocation in the mesh network. An attacker can maintain unauthorized access to internal services and peers by continuing to use a revoked...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the POST /ui/hosts process not honoring configured enrollment token TTL settings and instead issuing tokens with a fixed 24-hour validity. An attacker can obtain enrollment tokens with a...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the POST /ui/hosts process not honoring configured enrollment token TTL settings and instead issuing tokens with a fixed 24-hour validity. An attacker can obtain enrollment tokens with a...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS in the GET /ui/oidc/login process. An attacker can exhaust server memory resources by sending repeated unauthenticated requests to this endpoint, causing unbounded in-memory state allocation and potential service...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the server process. An attacker can access sensitive local files by connecting to the server over the network and issuing queries that create virtual tables referencing arbitrary file paths. Remediation Upgrade...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the server process. An attacker can access sensitive local files by connecting to the server over the network and issuing queries that create virtual tables referencing arbitrary file paths. Remediation Upgrade...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to storing session tokens in plaintext in the operatorsessions table. An attacker can gain unauthorized access to operator sessions by obtaining a copy of the database through backup, snapshot,...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to storing session tokens in plaintext in the operatorsessions table. An attacker can gain unauthorized access to operator sessions by obtaining a copy of the database through backup, snapshot,...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the StompSubframeDecoder process. An attacker can exhaust system memory and cause a server crash by sending a large number of short headers in a single STOMP frame, resulting ...
Cleartext Storage of Sensitive Information in Memory
Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in Memory in the Build process. An attacker can recover sensitive cryptographic material by reading process memory through methods such as core dumps, swap files, or memory scraping. Remediatio...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the server process. An attacker can access internal network resources and exfiltrate sensitive data by creating virtual tables that trigger outbound HTTP requests to internal or cloud metadata...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the server process. An attacker can access internal network resources and exfiltrate sensitive data by creating virtual tables that trigger outbound HTTP requests to internal or cloud metadata...
Missing Release of Resource after Effective Lifetime
Overview Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime through the i18n.Middleware process, which processes the Accept-Language HTTP header without adequate filtering. An attacker can exhaust server CPU resources by sending specially...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in the handling of HTTP headers, specifically X-Forwarded-For and X-Real-IP. An attacker can impersonate arbitrary client IP addresses to...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in the handling of HTTP headers, specifically X-Forwarded-For and X-Real-IP. An attacker can impersonate arbitrary client IP addresses to...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the caption-download process. An attacker can overwrite or create arbitrary files on the system by supplying a crafted file parameter to the MCP server, allowing modification of files outsid...
Use of GET Request Method With Sensitive Query Strings
Overview Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the Authorizer process. An attacker can obtain sensitive access tokens by supplying OAuth 2.0 bearer tokens through a URL query parameter, which may lead to exposure or replay o...
Server-side Request Forgery (SSRF)
Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the connecttoserver function. An attacker can access internal network resources by...
Authorization Bypass Through User-Controlled Key
Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the appointments/store and appointments/update endpoints. An...
Prototype Pollution
Overview compromise is a natural language processing in the browser. Affected versions of this package are vulnerable to Prototype Pollution via the nlp.extend function in the Public Root API. An attacker can modify object prototype attributes by supplying a crafted plugin argument, potentially...
Information Exposure
Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Information Exposure via the customers search endpoint. An attacker can access appointment hashes belonging to other...
Authorization Bypass Through User-Controlled Key
Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the oauthcallback process. An attacker can access and modify anoth...
Out-of-bounds Write
Overview Affected versions of this package are vulnerable to Out-of-bounds Write via the apply function. An attacker can cause memory corruption and potentially crash the application by providing an output image with a mode that does not match the transform's declared output mode. Remediation...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the TGA RLE encoder process. An attacker can access sensitive heap data and potentially cause limited denial of service by crafting a specially designed image file. Remediation Upgrade pillow to version 12.3.0 or...