31938 matches found

Snyk
added 2026/05/15 6:35 p.m., 9 views

Server-side Request Forgery (SSRF)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the isSSRFSafeURL process. An attacker can access internal network resources or sensitive information by exploiting DNS rebindi...

CVSS 8.3 | AI score 5.8 | EPSS 0.00136
Exploits 0 | References 3
Snyk
added 2026/05/15 6:34 p.m., 8 views

Cross-site Request Forgery (CSRF)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the set.json.php process. An attacker can disable a user's two-factor authentication by tricking a logged-in user into...

CVSS 6.9 | AI score 5.8 | EPSS 0.0011
Exploits 0 | References 3
Snyk
added 2026/05/15 6:33 p.m., 9 views

Cross-site Scripting (XSS)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of the modeYoutubeLive.php template, where user-supplied input is echoed directly into an HTML class attribute without...

CVSS 5.4 | AI score 5.8 | EPSS 0.00136
Exploits 0 | References 2
Snyk
added 2026/05/15 6:32 p.m., 10 views

Command Injection

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection via improper handling of user-supplied input in the onpublish.php process. An attacker can execute arbitrary operating system commands by injecti...

CVSS 8.8 | AI score 6 | EPSS 0.00318
Exploits 0 | References 2
Snyk
added 2026/05/15 6:30 p.m., 3 views

Improper Verification of Cryptographic Signature

Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the discovery document retrieval process via uripukidpenc and uripukidpsig properties. An attacker can intercept and modify the TLS connection to substitute a forged discovery document...

CVSS 9.1 | AI score 5.4 | EPSS 0.00118
Exploits 0 | References 2
Snyk
added 2026/05/15 6:30 p.m., 3 views

Improper Verification of Cryptographic Signature

Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the discovery document retrieval process via uripukidpenc and uripukidpsig properties. An attacker can intercept and modify the TLS connection to substitute a forged discovery document...

CVSS 9.1 | AI score 5.4 | EPSS 0.00118
Exploits 0 | References 2
Snyk
added 2026/05/15 6:30 p.m., 9 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

CVSS 8.6 | AI score 6.3 | EPSS 0.00381
Exploits 0 | References 2
Snyk
added 2026/05/15 6:30 p.m., 15 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

CVSS 8.6 | AI score 6.3 | EPSS 0.00381
Exploits 0 | References 2
Snyk
added 2026/05/15 6:30 p.m., 11 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

CVSS 8.6 | AI score 6.3 | EPSS 0.00381
Exploits 0 | References 2
Snyk
added 2026/05/15 6:29 p.m., 4 views

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to disabled TLS certificate validation in production environments. An attacker can intercept sensitive SOAP traffic, including patient identifiers, authentication operations, document content, and...

CVSS 8.6 | AI score 5.5 | EPSS 0.00138
Exploits 0 | References 2
Snyk
added 2026/05/15 6:29 p.m., 4 views

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to disabled TLS certificate validation in production environments. An attacker can intercept sensitive SOAP traffic, including patient identifiers, authentication operations, document content, and...

CVSS 8.6 | AI score 5.5 | EPSS 0.00138
Exploits 0 | References 2
Snyk
added 2026/05/15 6:29 p.m., 5 views

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation due to disabled TLS certificate validation in production environments. An attacker can intercept sensitive SOAP traffic, including patient identifiers, authentication operations, document content, and...

CVSS 8.6 | AI score 5.5 | EPSS 0.00138
Exploits 0 | References 2
Snyk
added 2026/05/15 6:25 p.m., 6 views

External Control of File Name or Path

Overview: apm-cli is an MCP configuration tool. Affected versions of this package are vulnerable to External Control of File Name or Path through the tar.extractall function in legacy-bundle probing on Windows systems running Python versions earlier than 3.12. An attacker can overwrite arbitrary fil...

CVSS 7.4 | AI score 5.6 | EPSS 0.0061
Exploits 0 | References 3
Snyk
added 2026/05/15 6:17 p.m., 9 views

Weak Authentication

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Weak Authentication in the uploadRecordedVideo.json.php process. An attacker can gain unauthorized access to any user account, including administrative accounts, b...

CVSS 9.2 | AI score 5.8 | EPSS 0.00295
Exploits 0 | References 4
Snyk
added 2026/05/15 6:07 p.m., 9 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the FileSystemTicketStore process. An attacker can read and unserialize files outside the intended directory, and conditionally delete files, by supplying crafted path traversal sequences in public CAS validation...

CVSS 8.8 | AI score 6.3 | EPSS 0.00422
Exploits 0 | References 2
Snyk
added 2026/05/15 6:01 p.m., 13 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generic download endpoint when the disk and path parameters are supplied in the request. An attacker can access unrelated files stored on configured storage disks by manipulating...

CVSS 7.7 | AI score 5.8 | EPSS 0.00262
Exploits 0 | References 2
Snyk
added 2026/05/15 5:59 p.m., 6 views

Missing Authorization

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Missing Authorization via the PUT /api/datasources/:datasourceId route. An attacker can overwrite datasource connection parameters such as host, port, and url by sending crafted requests, which...

CVSS 8.8 | AI score 5.8 | EPSS 0.00251
Exploits 0 | References 2
Snyk
added 2026/05/15 5:53 p.m., 7 views

Server-side Request Forgery (SSRF)

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server,...

CVSS 7.7 | AI score 5.8 | EPSS 0.00258
Exploits 0 | References 2
Snyk
added 2026/05/15 5:53 p.m., 7 views

Server-side Request Forgery (SSRF)

Overview: @budibase/backend-core provides the Budibase backend core libraries used in server and worker. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP...

CVSS 7.7 | AI score 5.8 | EPSS 0.00258
Exploits 0 | References 2
Snyk
added 2026/05/15 5:47 p.m., 9 views

Server-side Request Forgery (SSRF)

Overview: @budibase/server is a Budibase Web Server. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the processUrlFile function. An attacker can access internal network resources and sensitive cloud metadata by supplying crafted URLs that target internal or...

CVSS 7.7 | AI score 5.8 | EPSS 0.00258
Exploits 0 | References 2
Snyk
added 2026/05/15 5:33 p.m., 8 views

Cross-site Request Forgery (CSRF)

Overview: better-auth is "The most comprehensive authentication library for TypeScript." Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF when building an errorURL in parseGenericState, when the storeStateStrategy is set to "cookie" and PKCE is disabled. An...

CVSS 5.9 | AI score 5.9
Exploits 0 | References 3
Snyk
added 2026/05/15 5:31 p.m., 4 views

Improper Neutralization

Overview: Affected versions of this package are vulnerable to Improper Neutralization of escape sequences in log output from commands run with the --log and --log-failed options. An attacker can inject malicious content in workflow logs, which are then rendered unsanitized in some terminal...

CVSS 5.1 | AI score 5.9 | EPSS 0.002
Exploits 1 | References 2
Snyk
added 2026/05/15 5:31 p.m., 5 views

Improper Neutralization

Overview: Affected versions of this package are vulnerable to Improper Neutralization of escape sequences in log output from commands run with the --log and --log-failed options. An attacker can inject malicious content in workflow logs, which are then rendered unsanitized in some terminal...

CVSS 5.1 | AI score 5.9 | EPSS 0.002
Exploits 1 | References 2
Snyk
added 2026/05/15 5:30 p.m., 5 views

Improper Validation of Array Index

Overview: Affected versions of this package are vulnerable to Improper Validation of Array Index through the CertVerifier.Verify function. An attacker can cause the process to panic and exit with a success code by providing a CMS/PKCS7 signed message containing an empty certificate set, which lead...

CVSS 5.4 | AI score 5.8 | EPSS 0.00111
Exploits 0 | References 2
Snyk
added 2026/05/15 5:30 p.m., 8 views

Improper Validation of Array Index

Overview: Affected versions of this package are vulnerable to Improper Validation of Array Index through the CertVerifier.Verify function. An attacker can cause the process to panic and exit with a success code by providing a CMS/PKCS7 signed message containing an empty certificate set, which lead...

CVSS 5.4 | AI score 5.8 | EPSS 0.00111
Exploits 0 | References 2
Snyk
added 2026/05/15 5:29 p.m., 8 views

Improper Verification of Cryptographic Signature

Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the verify process. An attacker can cause trust confusion by submitting a commit object with duplicate tree headers, resulting in different interpretations between git-core and go-git,...

CVSS 6 | AI score 5.8 | EPSS 0.00119
Exploits 0 | References 2
Snyk
added 2026/05/15 5:29 p.m., 6 views

Improper Verification of Cryptographic Signature

Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the verify process. An attacker can cause trust confusion by submitting a commit object with duplicate tree headers, resulting in different interpretations between git-core and go-git,...

CVSS 6 | AI score 5.8 | EPSS 0.00119
Exploits 0 | References 2
Snyk
added 2026/05/15 5:29 p.m., 6 views

Improper Verification of Cryptographic Signature

Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the verify process. An attacker can cause trust confusion by submitting a commit object with duplicate tree headers, resulting in different interpretations between git-core and go-git,...

CVSS 6 | AI score 5.8 | EPSS 0.00119
Exploits 0 | References 2
Snyk
added 2026/05/15 5:14 p.m., 8 views

Cross-site Scripting (XSS)

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the search preview process. An attacker can execute arbitrary HTML or CSS in the authenticated editor interface ...

CVSS 5.1 | AI score 5.8 | EPSS 0.00208
Exploits 0 | References 2
Snyk
added 2026/05/15 5:09 p.m., 7 views

Improper Handling of Case Sensitivity

Overview: Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through improper handling of Unicode characters in the splitPos function. An attacker can execute arbitrary code by uploading a file with a specially crafted name containing non-ASCII bytes or Unico...

CVSS 9.2 | AI score 6.2 | EPSS 0.00568
Exploits 0 | References 3
Snyk
added 2026/05/15 4:55 p.m., 12 views

Directory Traversal

Overview: pipecat-ai is an open source framework for voice and multimodal assistants. Affected versions of this package are vulnerable to Directory Traversal via the downloadfile function in the GET /files/filename:path endpoint when the process is started with the --folder flag. An attacker can...

CVSS 8.7 | AI score 6.3 | EPSS 0.00423
Exploits 1 | References 2
Snyk
added 2026/05/15 4:45 p.m., 8 views

Cross-site Scripting (XSS)

Overview: nukeviet/nukeviet is the first open-source CMS in Vietnam. Affected versions of this package are vulnerable to Cross-site Scripting XSS via insufficient server-side input sanitization in the Request class. An attacker can execute arbitrary scripts in the context of another user's browse...

CVSS 8.7 | AI score 5.8 | EPSS 0.00349
Exploits 0 | References 2
Snyk
added 2026/05/15 4:21 p.m., 12 views

Open Redirect

Overview: Affected versions of this package are vulnerable to Open Redirect via the logout process. An attacker can redirect users to arbitrary external websites by supplying a crafted url parameter. This is only exploitable if the configuration option enablelogout is set to true, and is most...

CVSS 6.1 | AI score 6 | EPSS 0.00269
Exploits 1 | References 2
Snyk
added 2026/05/15 11:24 a.m., 6 views

Malicious Package

Overview: dowloadebokstalkingjacktheripperbykerrimaniscalcojamespattersonb529t is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 7 views

Malicious Package

Overview: dowloadebokthetestamentofsolomonbykingsolomonfrederickcornwallisconybeare5201c is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 4 views

Malicious Package

Overview: dowloadebokalsoanoctopusbymaggietokudahallah2ip is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 8 views

Malicious Package

Overview: thesecretofrunningbyhansvandijkronvanmegen02jsk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 6 views

Malicious Package

Overview: dowloadeboklosenemigosdelcomerciobyantonioescohotado6t2l4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection betwee...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 6 views

Malicious Package

Overview: dowloadebokcomoleerelfutbolbyruudgullit8qd97 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 4 views

Malicious Package

Overview: dowloadebokterraincognitauraniabyianmcdonaldum4vu is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 11:24 a.m., 8 views

Malicious Package

Overview: dowloadeboktheupsideofunrequitedbybeckyalbertalli2jgmw is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 5 views

Malicious Package

Overview: marathon-assets is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 8 views

Malicious Package

Overview: browser-interaction-time-demo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 8 views

Malicious Package

Overview: jenkins-forge-app is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 8 views

Malicious Package

Overview: atlassian-jenkins-helper-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 9 views

Malicious Package

Overview: jenkins-forge-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 9 views

Malicious Package

Overview: jenkins-for-jira is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 8 views

Malicious Package

Overview: browser-interaction-time-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 6 views

Malicious Package

Overview: atlassian-marathon-asset-pipeline is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Snyk
added 2026/05/15 10:43 a.m., 9 views

Malicious Package

Overview: babel-6-compatibility-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 | AI score 5.8
Exploits 0 | References 2
Total number of security vulnerabilities: 31938