Lucene search
+L

36057 matches found

Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization in the authorization process. An attacker can gain unauthorized read access by bypassing security measures. Exploit depends on conditions beyond the...

5.9CVSS6.1AI score0.00568EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can gain unauthorized read access by bypassing security measures. Exploit depends on conditions beyond th...

5.9CVSS6.1AI score0.00568EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript code in the context of another user's browser session by injecting malicious...

8.1CVSS6.2AI score0.00269EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript code in the context of another user's browser session by injecting malicious...

6.1CVSS6.2AI score0.07076EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can bypass security measures and gain unauthorized read access by leveraging high privileges without...

7.6CVSS6.1AI score0.18028EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

SQL Injection

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to SQL Injection via the SQL query process. An attacker can execute arbitrary SQL commands and potentially gain elevated access or control over user accounts by sending crafte...

8.3CVSS6.3AI score0.19924EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization in the authorization process. An attacker can gain unauthorized read and write access by bypassing security measures remotely without user...

9.1CVSS6.1AI score0.00492EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript code in the context of another user's browser session by injecting malicious...

8.7CVSS6.2AI score0.00336EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can gain unauthorized read and write access by bypassing security measures. Remediation Upgrade...

9.1CVSS6.1AI score0.00492EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Open Redirect

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Open Redirect via the redirect process. An attacker can redirect users to an external, attacker-controlled website by crafting a malicious URL and convincing a user to clic...

6.1CVSS6.1AI score0.00353EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Improper Encoding or Escaping of Output

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via improper encoding or escaping of output. An attacker can execute arbitrary code in the context of the current user by crafting...

10CVSS6.4AI score0.00912EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript in the context of another user's browser session by injecting malicious scripts...

6.1CVSS6.2AI score0.00182EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Arbitrary File Upload

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload process. An attacker can execute arbitrary code in the context of the current user by uploading a file with a dangerous type and...

9.6CVSS6.4AI score0.17903EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Information Exposure

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Information Exposure in the process that handles sensitive data. An attacker can obtain limited sensitive information by sending crafted requests under specific conditions...

6.9CVSS6.1AI score0.00542EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Improper Isolation or Compartmentalization

Overview Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization via incorrect ordering in the listener-rule generation process. An attacker can intercept, spoof, or deny traffic intended for another namespace by crafting a malicious HTTPRoute resource on a...

8.5CVSS6.1AI score0.00373EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Server-side Request Forgery (SSRF)

Overview awslabs.healthlake-mcp-server is an An AWS Labs Model Context Protocol MCP server for healthlake Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the nexttoken parameter in the pagination process. An attacker can exfiltrate AWS temporary security...

9.2CVSS6.1AI score0.0022EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSO...

7.1CVSS6.1AI score0.00416EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Incorrect Authorization

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling...

7.1CVSS6.1AI score0.00416EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Malicious Package

Overview jsonfb is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Malicious Package

Overview json-bigint-extend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Malicious Package

Overview moonskin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago2 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload in the move process. An attacker can write arbitrary files outside the intended directory and achieve remote code execution by uploading specially crafted filenames containing directory traversal sequences and...

8.7CVSS6.6AI score
Exploits0References3
Snyk
Snyk
added 3 days ago2 views

Missing Authentication for Critical Function

Overview netlicensing-mcp is a MCP server for the Labs64 NetLicensing license management API Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ApiKeyMiddleware process. An attacker can gain unauthorized access to critical operations by sending...

9.2CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the serviceAccountName field in the Kubernetes backend configuration. An attacker can gain elevated privileges by specifying an arbitrary ServiceAccount, allowing access to sensitive resources and potential ful...

8.2CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the allowprivate process. An attacker can access internal network resources and obtain sensitive information by setting the allowprivate parameter to true in webhook subscriptions, which disables SSRF...

8.8CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Operation on a Resource after Expiration or Release

Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the lack of enforcement of certificate revocation in the mesh network. An attacker can maintain unauthorized access to internal services and peers by continuing to use a revoked...

8.6CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Operation on a Resource after Expiration or Release

Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the lack of enforcement of certificate revocation in the mesh network. An attacker can maintain unauthorized access to internal services and peers by continuing to use a revoked...

8.6CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Operation on a Resource after Expiration or Release

Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the lack of enforcement of certificate revocation in the mesh network. An attacker can maintain unauthorized access to internal services and peers by continuing to use a revoked...

8.6CVSS5.4AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the POST /ui/hosts process not honoring configured enrollment token TTL settings and instead issuing tokens with a fixed 24-hour validity. An attacker can obtain enrollment tokens with a...

5.4CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the POST /ui/hosts process not honoring configured enrollment token TTL settings and instead issuing tokens with a fixed 24-hour validity. An attacker can obtain enrollment tokens with a...

5.4CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the POST /ui/hosts process not honoring configured enrollment token TTL settings and instead issuing tokens with a fixed 24-hour validity. An attacker can obtain enrollment tokens with a...

5.4CVSS5.3AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS in the GET /ui/oidc/login process. An attacker can exhaust server memory resources by sending repeated unauthenticated requests to this endpoint, causing unbounded in-memory state allocation and potential service...

6.9CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the server process. An attacker can access sensitive local files by connecting to the server over the network and issuing queries that create virtual tables referencing arbitrary file paths. Remediation Upgrade...

8.7CVSS6.2AI score
Exploits0References6
Snyk
Snyk
added 3 days ago1 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the server process. An attacker can access sensitive local files by connecting to the server over the network and issuing queries that create virtual tables referencing arbitrary file paths. Remediation Upgrade...

8.7CVSS6.2AI score
Exploits0References6
Snyk
Snyk
added 3 days ago1 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to storing session tokens in plaintext in the operatorsessions table. An attacker can gain unauthorized access to operator sessions by obtaining a copy of the database through backup, snapshot,...

7.1CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to storing session tokens in plaintext in the operatorsessions table. An attacker can gain unauthorized access to operator sessions by obtaining a copy of the database through backup, snapshot,...

7.1CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the StompSubframeDecoder process. An attacker can exhaust system memory and cause a server crash by sending a large number of short headers in a single STOMP frame, resulting ...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Cleartext Storage of Sensitive Information in Memory

Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in Memory in the Build process. An attacker can recover sensitive cryptographic material by reading process memory through methods such as core dumps, swap files, or memory scraping. Remediatio...

8.7CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the server process. An attacker can access internal network resources and exfiltrate sensitive data by creating virtual tables that trigger outbound HTTP requests to internal or cloud metadata...

8.7CVSS6.1AI score
Exploits0References5
Snyk
Snyk
added 3 days ago1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the server process. An attacker can access internal network resources and exfiltrate sensitive data by creating virtual tables that trigger outbound HTTP requests to internal or cloud metadata...

8.7CVSS6.1AI score
Exploits0References5
Snyk
Snyk
added 3 days ago1 views

Missing Release of Resource after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime through the i18n.Middleware process, which processes the Accept-Language HTTP header without adequate filtering. An attacker can exhaust server CPU resources by sending specially...

8.7CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in the handling of HTTP headers, specifically X-Forwarded-For and X-Real-IP. An attacker can impersonate arbitrary client IP addresses to...

8.5CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in the handling of HTTP headers, specifically X-Forwarded-For and X-Real-IP. An attacker can impersonate arbitrary client IP addresses to...

8.5CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the caption-download process. An attacker can overwrite or create arbitrary files on the system by supplying a crafted file parameter to the MCP server, allowing modification of files outsid...

7.7CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Use of GET Request Method With Sensitive Query Strings

Overview Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the Authorizer process. An attacker can obtain sensitive access tokens by supplying OAuth 2.0 bearer tokens through a URL query parameter, which may lead to exposure or replay o...

7.1CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 3 days ago1 views

Server-side Request Forgery (SSRF)

Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the connecttoserver function. An attacker can access internal network resources by...

8.8CVSS6.1AI score0.00186EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Authorization Bypass Through User-Controlled Key

Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the appointments/store and appointments/update endpoints. An...

3.3CVSS6.1AI score0.00146EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Prototype Pollution

Overview compromise is a natural language processing in the browser. Affected versions of this package are vulnerable to Prototype Pollution via the nlp.extend function in the Public Root API. An attacker can modify object prototype attributes by supplying a crafted plugin argument, potentially...

6.5CVSS7AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Information Exposure

Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Information Exposure via the customers search endpoint. An attacker can access appointment hashes belonging to other...

7.1CVSS6.1AI score0.00185EPSS
Exploits0References2
Snyk
Snyk
added 3 days ago1 views

Authorization Bypass Through User-Controlled Key

Overview alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the oauthcallback process. An attacker can access and modify anoth...

3.1CVSS6.1AI score0.00129EPSS
Exploits0References2
Total number of security vulnerabilities36057