Veracode advisories, most recent first: 38108 matches found

Veracode, added 2026/03/21 5:28 a.m. (6 views)

Devise Has A Confirmable "change Email" Race Condition Permits User To Confirm Email They Have No Access To

Impact: A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the "reconfirmable" option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an...

CVSS 6 | AI score 5.9 | EPSS 0.00019
Exploits 0 | Affected software 1
Veracode, added 2026/03/21 5:27 a.m. (4 views)

TLS Connection Bypass

pyOpenSSL is vulnerable to TLS connection bypass. The vulnerability is due to an unhandled exception in a user-provided `set_tlsext_servername_callback`, where the exception is not caught and results in the connection being accepted, allowing attackers to bypass security-sensitive checks...

CVSS 6.3 | AI score 5.9 | EPSS 0.00043
Exploits 0 | References 2 | Affected software 2
Veracode, added 2026/03/21 5:27 a.m. (3 views)

Denial Of Service

pypdf is vulnerable to Denial of Service. The vulnerability is due to inefficient decoding of array-based streams, where accessing an array-based stream with many entries leads to long runtimes and large memory usage, and attackers can exploit it by crafting a malicious PDF with a large array-bas...

CVSS 6.5 | AI score 5.8 | EPSS 0.00014
Exploits 0 | References 3 | Affected software 1
Veracode, added 2026/03/21 5:27 a.m. (3 views)

Path Traversal

PyMuPDF is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths in the `embedded_get` function in `main.py`, allowing attackers to manipulate paths and write files outside the intended directory, leading to arbitrary file write...

CVSS 7.5 | AI score 5.9 | EPSS 0.00019
Exploits 0 | References 5 | Affected software 1
Veracode, added 2026/03/21 5:27 a.m. (5 views)

Format String Injection

Ruby JSON is vulnerable to Format String Injection. The vulnerability arises when the `allow_duplicate_key: false` parsing option is used to parse user-supplied documents, and can lead to denial of service or information disclosure...

CVSS 9.1 | AI score 5.9 | EPSS 0.00038
Exploits 0 | References 2 | Affected software 2
Veracode, added 2026/03/21 5:27 a.m. (2 views)

Privilege Escalation

Craft CMS is vulnerable to Privilege Escalation. The vulnerability is due to improper authorization checks in the `UsersController::actionImpersonateWithToken` functionality, which allows an attacker to abuse shared or low-privileged access to gain administrative privileges...

CVSS 9.8 | AI score 5.9 | EPSS 0.00046
Exploits 1 | References 2 | Affected software 1
Veracode, added 2026/03/21 5:26 a.m. (2 views)

Arbitrary Code Execution

PySpector is vulnerable to Arbitrary Code Execution. The vulnerability is due to incomplete AST validation in the plugin system, where indirect calls via `getattr` are not properly resolved, which allows an attacker to bypass security checks and execute arbitrary system commands through malicious...

CVSS 8.3 | AI score 6.1 | EPSS 0.00039
Exploits 1 | References 2 | Affected software 1
Veracode, added 2026/03/21 5:26 a.m. (4 views)

Unauthenticated Remote Code Execution In Langflow Via Public Flow Build Endpoint

Summary: The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored...

CVSS 9.8 | AI score 8 | EPSS 0.92665
Exploits 48 | Affected software 1
Veracode, added 2026/03/21 5:25 a.m. (3 views)

Authentication Bypass

Authlib is vulnerable to Authentication Bypass. The vulnerability is due to fail-open behavior in the `verify_hash` function when processing unsupported or unknown algorithms, where hash validation incorrectly returns success, allowing attackers to forge ID Tokens and bypass integrity checks...

CVSS 8.2 | AI score 5.8 | EPSS 0.00029
Exploits 1 | References 3 | Affected software 1
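The fail-open shape described in the Authlib entry above, as an added example that is not Authlib's code: an OpenID Connect `at_hash` check in which an unrecognised `alg` silently returns success, beside the fail-closed version and the caller-side rule that a missing claim is also a failure. The hash rule (left half of the alg's digest, base64url without padding) is the one from OpenID Connect Core; the function names and the sample token are this example's own assumptions.

```python
import base64
import hashlib
import hmac

# JWS 'alg' -> digest used for at_hash / c_hash (OpenID Connect Core 1.0,
# section 3.1.3.6): hash the value with the alg's digest, keep the left half,
# base64url-encode without padding.
_ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def compute_token_hash(value: str, alg: str) -> str:
    """Left-half digest of `value`, base64url without padding, per OIDC."""
    digest = hashlib.new(_ALG_TO_HASH[alg], value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_fail_open(expected: str, value: str, alg: str) -> bool:
    """The fail-open shape: an alg we cannot hash is treated as 'nothing to
    check', so any at_hash claim passes when the header says e.g. alg=none."""
    if alg not in _ALG_TO_HASH:
        return True  # BUG: unknown algorithm -> success
    return hmac.compare_digest(compute_token_hash(value, alg), expected)


def verify_hash_fail_closed(expected: str, value: str, alg: str) -> bool:
    """Fail-closed: an unsupported alg is an error, never an implicit pass."""
    if alg not in _ALG_TO_HASH:
        raise ValueError(f"cannot verify token hash: unsupported alg {alg!r}")
    return hmac.compare_digest(compute_token_hash(value, alg), expected)


def validate_id_token_claims(header_alg: str, claims: dict, access_token: str) -> bool:
    """Caller-side rule: when the token response carries an access token, the
    ID token must carry a matching at_hash; an absent claim is also a failure,
    otherwise an attacker simply omits it."""
    at_hash = claims.get("at_hash")
    if not at_hash:
        return False
    return verify_hash_fail_closed(at_hash, access_token, header_alg)
```

The two verifiers differ in one branch only; the point of the fail-closed form is that the signature-algorithm allowlist and the hash-algorithm table are the same table, so a token whose header names an algorithm the verifier does not know can never be accepted by any code path.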
Veracode, added 2026/03/21 5:24 a.m. (2 views)

Directory Traversal

Langflow is vulnerable to Directory Traversal. The vulnerability is due to improper validation of the folder-name and file-name parameters in the download endpoint, which allows an attacker to access sensitive files such as the secret key across directories...

CVSS 8.7 | AI score 5.9 | EPSS 0.0005
Exploits 1 | References 2 | Affected software 1
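The two traversal entries on this page (PyMuPDF's arbitrary file write above and Langflow's download endpoint here) share one root cause: a caller-supplied name is joined onto a base directory without confining the result. The following is an added example, not code from either project, of a confining join that rejects `..`, absolute paths, multi-segment names, and symlinks that point outside the base. `read_download`, `write_extracted`, and the temp-directory scenario in `demo()` are constructed for illustration and are not either project's API.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when an untrusted path component would leave the base directory."""


def safe_path(base_dir: str, *untrusted: str) -> Path:
    """Join untrusted components under base_dir and return the resolved path,
    or raise if the result would escape base_dir.

    Two layers: a syntactic check on each component (exactly one segment, not
    '.' or '..', not absolute, no backslash, no NUL), then a semantic check
    after resolve(), which follows symlinks, so a link inside base_dir that
    points outside is refused as well."""
    base = Path(base_dir).resolve()
    for part in untrusted:
        if not part or "\x00" in part or "\\" in part:
            raise PathTraversalError(f"bad component {part!r}")
        pure = PurePosixPath(part)
        if pure.is_absolute() or len(pure.parts) != 1 or part in (".", ".."):
            raise PathTraversalError(f"component {part!r} is not a single name")
    resolved = base.joinpath(*untrusted).resolve()
    if resolved != base and base not in resolved.parents:
        raise PathTraversalError(f"{resolved} escapes {base}")
    return resolved


def is_safe(base_dir: str, *untrusted: str) -> bool:
    try:
        safe_path(base_dir, *untrusted)
        return True
    except PathTraversalError:
        return False


def read_download(base_dir: str, folder_name: str, file_name: str) -> bytes:
    """Read side: the shape of a download endpoint taking folder and file names."""
    return safe_path(base_dir, folder_name, file_name).read_bytes()


def write_extracted(base_dir: str, file_name: str, data: bytes) -> Path:
    """Write side: the shape of an embedded-file extraction writing by name."""
    target = safe_path(base_dir, file_name)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Constructed scenario in a temp dir: one legitimate file, one symlink
    that points outside the base, then the names a traversal attempt would send."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as base:
        secret = Path(outside) / "secret.key"
        secret.write_bytes(b"SECRET")
        (Path(base) / "flows").mkdir()
        (Path(base) / "flows" / "report.pdf").write_bytes(b"%PDF-1.7")
        os.symlink(secret, Path(base) / "flows" / "link")
        return {
            "legit_read": read_download(base, "flows", "report.pdf"),
            "dotdot": is_safe(base, "..", "secret.key"),
            "nested_dotdot": is_safe(base, "flows", "../../secret.key"),
            "absolute": is_safe(base, "flows", str(secret)),
            "symlink_out": is_safe(base, "flows", "link"),
            "legit_write": write_extracted(base, "out.bin", b"x").name,
        }
```

The syntactic layer alone is not enough (it cannot see symlinks), and the resolve-then-compare layer alone is not enough either (a component like `a/../b` would pass it while still letting callers reach sibling directories by name), which is why both are kept.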
Veracode, added 2026/03/21 5:24 a.m. (4 views)

Code Injection

SimpleEval is vulnerable to code injection. The vulnerability is due to objects leaking dangerous modules into direct access inside the sandbox, where dangerous functions or modules can be reached by passing them as callbacks to other, safe functions to call...

CVSS 9.8 | AI score 8.4 | EPSS 0.00052
Exploits 0 | References 3 | Affected software 1
Veracode, added 2026/03/21 5:24 a.m. (3 views)

Missing Authentication

Glances is vulnerable to Missing Authentication. The vulnerability is due to the web server running without authentication by default (`glances -w`), exposing REST API endpoints that return sensitive system information, including process command lines containing credentials, to any network client...

CVSS 8.7 | AI score 5.8 | EPSS 0.04747
Exploits 1 | References 3 | Affected software 1
Veracode, added 2026/03/21 5:23 a.m. (5 views)

Cross-Site Scripting (XSS)

PySpector is vulnerable to stored Cross-Site Scripting (XSS). The vulnerability is due to the HTML report generator inserting code snippets without sanitization, where a JavaScript payload in the scanned Python file is interpolated into the report, and an attacker can trigger execution by opening the...

CVSS 6.1 | AI score 6.2 | EPSS 0.00017
Exploits 1 | References 1 | Affected software 1
Veracode, added 2026/03/21 5:22 a.m. (3 views)

Incorrect Authorization

Craft CMS is vulnerable to Incorrect Authorization. The vulnerability is due to improper authorization checks in the `UsersController::actionImpersonateWithToken` functionality, which allows an attacker to abuse shared or low-privileged access to gain administrative privileges...

CVSS 9.8 | AI score 5.9 | EPSS 0.00046
Exploits 1 | References 3 | Affected software 1
Veracode, added 2026/03/21 5:22 a.m. (5 views)

Code Injection

craftcms/cms is vulnerable to Code Injection. The vulnerability is due to passing unvalidated configuration data to `Craft::configure()` without proper sanitization, which allows an attacker to inject malicious behaviors or event handlers and execute arbitrary code...

CVSS 8.6 | AI score 6.1 | EPSS 0.00048
Exploits 0 | References 2 | Affected software 1
Veracode, added 2026/03/21 5:22 a.m. (2 views)

Denial Of Service (DoS)

DeepDiff is vulnerable to Denial of Service (DoS). The vulnerability is due to insufficient restriction on constructor arguments during pickle deserialization, which allows an attacker to supply crafted payloads that trigger excessive memory allocation and crash the application...

CVSS 8.7 | AI score 5.7 | EPSS 0.00026
Exploits 1 | References 2 | Affected software 1
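The DeepDiff entry describes pickle input whose constructor arguments were not bounded. As an added example, not DeepDiff's code, here is the usual two-layer guard for unpickling untrusted bytes: a `find_class` allowlist so that no unlisted global can ever be called by a REDUCE opcode, and a size cap so that even an allowlisted constructor cannot be handed an unbounded payload. `_ALLOWED_GLOBALS`, `MAX_PICKLE_BYTES`, and the hostile object built in `demo()` are this example's own assumptions.

```python
import io
import pickle

# Globals a caller of pickle.loads() may legitimately need. Everything else
# (os.system, subprocess.*, builtins.eval, ...) is refused at find_class time,
# before the REDUCE opcode can call it.
_ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}

MAX_PICKLE_BYTES = 1 << 20  # 1 MiB; bounds the work an attacker can request


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in _ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes, max_bytes: int = MAX_PICKLE_BYTES):
    """Deserialise untrusted data with an allowlist of globals and a size cap.
    The two are separate controls: an allowlisted constructor can still be
    handed hostile arguments, so the payload that reaches it is bounded first."""
    if len(data) > max_bytes:
        raise pickle.UnpicklingError(f"pickle of {len(data)} bytes exceeds {max_bytes}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _ReduceToCallable:
    """Constructed hostile object: its pickle tells the loader to call a global
    that is not on the allowlist. The call never happens under safe_loads."""

    def __reduce__(self):
        import os
        return (os.system, ("echo this never runs",))


def demo() -> dict:
    """Constructed inputs: a benign container, a payload that names a forbidden
    global, and a payload larger than the cap."""
    benign = pickle.dumps({"diff": ["a", 1, 2.5], "seen": {1, 2}})
    hostile = pickle.dumps(_ReduceToCallable())
    oversized = pickle.dumps(b"A" * (2 * MAX_PICKLE_BYTES))
    out = {"benign": safe_loads(benign)}
    for label, blob in (("hostile", hostile), ("oversized", oversized)):
        try:
            safe_loads(blob)
            out[label] = "accepted"
        except pickle.UnpicklingError as exc:
            out[label] = f"rejected: {exc}"
    return out
```

Keep the allowlist as short as the data format truly needs; every entry on it is a constructor an attacker may call with arguments of their choosing, which is exactly the gap the size cap is there to narrow.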
Veracode, added 2026/03/21 5:21 a.m. (4 views)

Buffer Overflow

pyOpenSSL is vulnerable to Buffer Overflow. The vulnerability is due to improper bounds checking in `set_cookie_generate_callback`, where cookie values exceeding 256 bytes can overflow an OpenSSL buffer, potentially leading to memory corruption...

CVSS 9.8 | AI score 5.8 | EPSS 0.00027
Exploits 0 | References 3 | Affected software 2
Veracode, added 2026/03/21 5:18 a.m. (5 views)

Broken Access Control In Extension "Redirect Tab" (redirect_tab)

The extension fails to verify whether an authenticated user has permission to access redirects, resulting in exposure of redirect records when editing a page...

CVSS 4.3 | AI score 5.8 | EPSS 0.00032
Exploits 0 | Affected software 1
Veracode, added 2026/03/21 5:15 a.m. (3 views)

AVideo: IDOR - Any Admin Can Set Another User's Channel Password Via SetPassword.json.php

Summary: The `setPassword.json.php` endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero befor...

CVSS 9.1 | AI score 5.9 | EPSS 0.00055
Exploits 1 | Affected software 1
Veracode, added 2026/03/21 5:14 a.m. (5 views)

Remote Code Execution (RCE)

cpsit/typo3-mailqueue is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper restriction of allowed classes during deserialization of transport failure metadata, which allows an attacker to execute arbitrary code if they can write to the configured spool directory...

CVSS 8.8 | AI score 6.3 | EPSS 0.00135
Exploits 0 | References 3 | Affected software 1
Veracode, added 2026/03/21 5:14 a.m. (4 views)

Behavior Injection Remote Code Execution (RCE)

Craft CMS is vulnerable to Behavior Injection Remote Code Execution (RCE). The vulnerability is due to improper handling of behavior injection in `ElementIndexesController` and `FieldsController`, which allows an attacker with admin privileges, on an instance where admin changes are enabled, to execute arbitrary code...

CVSS 8.6 | AI score 6.2 | EPSS 0.00048
Exploits 0 | References 3 | Affected software 1
Veracode, added 2026/03/21 5:10 a.m. (7 views)

Authentication Bypass

ralffreit/mfa-email is vulnerable to Authentication Bypass. The vulnerability is due to failure to properly reset the MFA code after successful authentication, which allows an attacker to bypass MFA by providing an empty code in subsequent login attempts...

CVSS 8.8 | AI score 5.3 | EPSS 0.00105
Exploits 0 | References 5 | Affected software 1
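The mfa-email entry above describes a second factor that remains acceptable after it has been used, with an empty submission matching it. The following is an added, constructed model of that failure class, not the plugin's code: `VulnerableMfa` blanks the stored code instead of removing it and compares without first checking that a code is pending, so an empty submission matches the blank; `HardenedMfa` consumes the record on success, refuses empty or absent codes, and bounds lifetime and attempts. The TTL and attempt-limit values are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class _Pending:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class VulnerableMfa:
    """Constructed model of the bug: on success the stored code is set to ""
    rather than deleted, and verify() compares strings without checking that a
    code is actually pending, so "" == "" passes on the next attempt."""
    codes: dict = field(default_factory=dict)

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user] = code
        return code

    def verify(self, user: str, submitted: str) -> bool:
        # BUG: a user with no pending code (or a consumed one) has "" stored,
        # and an empty submission compares equal to it.
        if self.codes.get(user, "") == submitted:
            self.codes[user] = ""
            return True
        return False


@dataclass
class HardenedMfa:
    """Single-use, time-bounded, attempt-limited: success deletes the record,
    and a submission with nothing pending (or an empty code) is always refused."""
    ttl: float = 300.0        # assumption: five-minute code lifetime
    max_attempts: int = 5     # assumption: lock after five wrong guesses
    pending: dict = field(default_factory=dict)

    def issue(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = _Pending(code, time.monotonic() + self.ttl)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        rec = self.pending.get(user)
        if rec is None or not submitted:
            return False  # nothing pending, or empty code: never a match
        if time.monotonic() > rec.expires_at or rec.attempts >= self.max_attempts:
            self.pending.pop(user, None)  # expired or locked: require a fresh code
            return False
        rec.attempts += 1
        if secrets.compare_digest(rec.code, submitted):
            del self.pending[user]  # consume: a second use, empty or not, fails
            return True
        return False
```

The fix is not "reset to empty" but "remove, and treat absence as denial": the verifier's default branch must be failure, so that any state the code path did not anticipate (no record, blank record, expired record) cannot be the one that lets a login through.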
Veracode, added 2026/03/21 5:03 a.m. (3 views)

Denial Of Service (DoS)

Micronaut Framework is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of descending array index order in `JsonBeanPropertyBinder::expandArrayToThreshold`, where crafted form-urlencoded parameters can trigger a non-terminating loop, leading to CPU exhaustion and...

CVSS 8.2 | AI score 5.8 | EPSS 0.00288
Exploits 1 | References 5 | Affected software 1
Veracode, added 2026/03/20 1:13 p.m. (2 views)

Improper Access Control

OneUptime is vulnerable to Improper Access Control. The vulnerability is due to missing authorization checks on account creation APIs, which allows a low-privileged user to create new accounts via direct API requests...

CVSS 8.8 | AI score 5.8 | EPSS 0.00072
Exploits 1 | References 2 | Affected software 1
Veracode, added 2026/03/20 1:08 p.m. (4 views)

Regular Expression Denial Of Service (ReDoS)

Valibot is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient processing in the `EMOJI_REGEX` used by the `emoji` action, which allows an attacker to supply a crafted input that triggers excessive CPU consumption and causes a denial of service...

CVSS 7.5 | AI score 5.8 | EPSS 0.00108
Exploits 0 | References 2 | Affected software 1
Veracode, added 2026/03/20 12:27 p.m. (5 views)

Denial Of Service (DoS)

github.com/VictoriaMetrics/VictoriaMetrics is vulnerable to Denial of Service (DoS). The vulnerability is due to the snappy decoder ignoring request size limits, which allows an attacker to send malformed compressed blocks that trigger excessive memory usage and cause service disruption...

CVSS 2.7 | AI score 7.3 | EPSS 0.00068
Exploits 0 | References 5 | Affected software 1
Veracode, added 2026/03/20 12:11 p.m. (6 views)

Denial Of Service (DoS)

github.com/free5gc/nssf is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of crafted POST requests to the `Nnssf_NSSAIAvailability` API, which allows an attacker to disrupt service availability...

CVSS 7.5 | AI score 5.8 | EPSS 0.00151
Exploits 1 | References 3 | Affected software 1
Veracode, added 2026/03/20 11:47 a.m. (7 views)

Denial Of Service (DoS)

github.com/free5gc/pcf is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of crafted POST requests to the `Npcf_BDTPolicyControl` API, which allows an attacker to trigger service disruption...

CVSS 6.5 | AI score 5.8 | EPSS 0.00031
Exploits 0 | References 6 | Affected software 1
Veracode, added 2026/03/20 10:31 a.m. (7 views)

Improper Authorization

code.gitea.io/gitea is vulnerable to Improper Authorization. The vulnerability is due to insufficient authorization checks when deleting releases, which allows an attacker to delete releases without proper permissions...

CVSS 5.3 | AI score 7.3 | EPSS 0.00019
Exploits 0 | References 4 | Affected software 2
Veracode, added 2026/03/20 10:11 a.m. (3 views)

Improper Access Control

code.gitea.io/gitea is vulnerable to Improper Access Control. The vulnerability is due to insufficient authorization checks, which allows an anonymous attacker to access private user projects...

CVSS 5.8 | AI score 7.3 | EPSS 0.00013
Exploits 0 | References 5 | Affected software 2
Veracode, added 2026/03/20 10:09 a.m. (4 views)

Improper Access Control

code.gitea.io/gitea is vulnerable to Improper Access Control. The vulnerability is due to inadequate enforcement of branch deletion permissions after merging a pull request, which allows an attacker to delete branches without proper authorization...

CVSS 5.3 | AI score 7.3 | EPSS 0.00012
Exploits 0 | References 5 | Affected software 3
Veracode, added 2026/03/20 7:30 a.m. (5 views)

Cross Site Scripting (XSS)

code.gitea.io/gitea is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of URL schemes in links, which allows an attacker to inject malicious `javascript:` URLs and execute arbitrary scripts in a user's browser...

CVSS 5.4 | AI score 7.5 | EPSS 0.00008
Exploits 0 | References 5 | Affected software 2
Veracode, added 2026/03/20 7:24 a.m. (5 views)

Denial Of Service (DoS)

Node.js is vulnerable to Denial of Service (DoS). The vulnerability is due to improper error handling when an `async_hooks.createHook` hook is enabled, where "Maximum call stack size exceeded" errors become uncatchable and terminate the process instead of reaching `uncaughtException`, allowing attackers to...

CVSS 7.5 | AI score 7 | EPSS 0.0003
Exploits 0 | References 2 | Affected software 1
Veracode, added 2026/03/20 5:39 a.m. (4 views)

Improper Input Validation

code.gitea.io/gitea is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of attachment file names in the attachment API, which allows an attacker to bypass file extension restrictions by modifying the attachment name...

CVSS 8.2 | AI score 7.2 | EPSS 0.00012
Exploits 0 | References 4 | Affected software 3
Veracode, added 2026/03/19 11:29 a.m. (4 views)

Privilege Escalation

OpenBao is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in the identity group subsystem, which allows a privileged operator to assign root policies to group identities and escalate permissions...

CVSS 7.5 | AI score 5.8 | EPSS 0.00036
Exploits 0 | References 5 | Affected software 1
Veracode, added 2026/03/19 11:04 a.m. (5 views)

Authentication Bypass

github.com/hashicorp/terraform-provider-vault is vulnerable to Authentication Bypass. The vulnerability is due to the `deny_null_bind` parameter of the LDAP auth method defaulting to false, which allows an attacker to authenticate using anonymous or unauthenticated binds when the LDAP server...

CVSS 9.8 | AI score 6 | EPSS 0.00018
Exploits 0 | References 6 | Affected software 1
Veracode, added 2026/03/19 8:13 a.m. (3 views)

Improper Authorization

github.com/authzed/spicedb is vulnerable to Improper Authorization. The vulnerability is due to incorrect handling of permission unions referencing the same relation in the `LookupResources` API, which allows an attacker to bypass expected permission checks by causing incomplete or missing...

CVSS 6.3 | AI score 5.8 | EPSS 0.00053
Exploits 0 | References 2 | Affected software 1
Veracode, added 2026/03/18 5:48 p.m. (6 views)

Cross-site Scripting (XSS)

phpPgAdmin is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization and encoding of user-supplied input from `$_REQUEST` parameters across multiple components, which allows an attacker to inject and execute arbitrary JavaScript in users' browsers...

CVSS 6.1 | AI score 6.1 | EPSS 0.00037
Exploits 0 | References 5 | Affected software 1
Veracode, added 2026/03/18 4:49 p.m. (4 views)

SQL Injection

phpPgAdmin is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of user-controlled input from the `$_REQUEST['query']` parameter passed to the `browseQuery` function, which allows an attacker to execute arbitrary SQL commands and compromise the database...

CVSS 6.5 | AI score 6.2 | EPSS 0.00027
Exploits 0 | References 4 | Affected software 1
Veracode, added 2026/03/18 4:23 p.m. (7 views)

SQL Injection

phpPgAdmin is vulnerable to SQL Injection. The vulnerability is due to direct execution of user-supplied input from the `$_REQUEST['query']` parameter without sanitization or parameterization, which allows an attacker to execute arbitrary SQL commands and compromise the database...

CVSS 6.5 | AI score 6.3 | EPSS 0.00029
Exploits 0 | References 3 | Affected software 1
Veracode, added 2026/03/18 4:05 p.m. (3 views)

Access Control Bypass

phpPgAdmin is vulnerable to Improper Access Control. The vulnerability is due to lack of validation and access control on the user-controlled parameters `subject`, `server`, `database` and `queryid` in `sql.php`, which allows an attacker to manipulate session variables and inject arbitrary SQL queries, potentiall...

CVSS 6.1 | AI score 6 | EPSS 0.00011
Exploits 0 | References 3 | Affected software 1
Veracode, added 2026/03/18 7:47 a.m. (3 views)

Denial Of Service (DoS)

github.com/elastic/beats is vulnerable to Denial of Service (DoS). The vulnerability is due to improper resource management when processing integrated IPv4 fragments, which allows an unauthenticated remote attacker to send malicious fragments that trigger excessive memory and CPU allocation...

CVSS 5.3 | AI score 5.9 | EPSS 0.00129
Exploits 0 | References 3 | Affected software 2
Veracode, added 2026/03/18 7:27 a.m. (4 views)

Arbitrary File Read

github.com/kedacore/keda is vulnerable to Arbitrary File Read. The vulnerability is due to insufficient path validation when loading the Service Account Token from `spec.hashiCorpVault.credential.serviceAccount`, which allows an attacker with permission to create or modify a `TriggerAuthentication`...

CVSS 8.2 | AI score 7.4 | EPSS 0.0019
Exploits 0 | References 2 | Affected software 1
Veracode, added 2026/03/18 7:00 a.m. (5 views)

Improper Access Control

code.gitea.io/gitea is vulnerable to Improper Access Control. The vulnerability is due to incorrect handling of API tokens with scopes limited to public resources, which allows an attacker to access private resources using a token that should only permit access to public data...

CVSS 5.3 | AI score 7.3 | EPSS 0.0001
Exploits 0 | References 5 | Affected software 4
Veracode, added 2026/03/18 6:44 a.m. (4 views)

Cross-Site Scripting (XSS)

code.gitea.io/gitea is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of user input in the search input box used for creating tags and branches, where `v-html` is used instead of `v-text`, which allows an attacker to inject and execute malicious scripts in the...

CVSS 5.4 | AI score 7.4 | EPSS 0.00008
Exploits 0 | References 4 | Affected software 1
Veracode, added 2026/03/18 6:21 a.m. (3 views)

Improper Access Control

code.gitea.io/gitea is vulnerable to Improper Access Control. The vulnerability is due to incorrect propagation of token scope within its package registry access control, which allows an attacker to gain unauthorized access to package resources by misusing improperly scoped tokens...

CVSS 5.3 | AI score 7.3 | EPSS 0.00013
Exploits 0 | References 5 | Affected software 4
Veracode, added 2026/03/17 7:51 p.m. (4 views)

SQL Injection

devcode-it/openstamanager is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of the `display` parameter in API requests, which allows an attacker to execute arbitrary SQL queries and compromise the database...

CVSS 8.8 | AI score 6.1 | EPSS 0.00012
Exploits 0 | References 2 | Affected software 1
Veracode, added 2026/03/17 9:24 a.m. (4 views)

Stored Cross-Site Scripting (XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of the alert rule name in the Alert Rule API, which allows an attacker to inject malicious HTML code when creating or updating alert rules via the API...

CVSS 5.4 | AI score 5.9 | EPSS 0.00001
Exploits 1 | References 2 | Affected software 1
Veracode, added 2026/03/17 8:44 a.m. (4 views)

Remote Code Execution (RCE)

com.liferay, com.liferay.object.service is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper restriction on the use of Groovy scripts in Object actions, which allows authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts and...

CVSS 7.5 | AI score 6.5 | EPSS 0.00542
Exploits 0 | References 4 | Affected software 1
Veracode, added 2026/03/17 7:13 a.m. (2 views)

Path Traversal

github.com/weaviate/weaviate is vulnerable to Path Traversal. The vulnerability is due to insufficient validation of the `fileName` field in the transfer logic, which allows an attacker who can invoke the `GetFile` method while a shard is in the "Pause file activity" state and the...

CVSS 4.9 | AI score 7.3 | EPSS 0.00237
Exploits 0 | References 4 | Affected software 1

Total number of security vulnerabilities: 38108