38340 matches found

Veracode
added 2024/06/25 5:2 a.m. | 13 views

Denial Of Service (DoS)

io.crate:crate is vulnerable to Denial Of Service. The vulnerability is due to the server allowing client-initiated renegotiation, which attackers can exploit to repeatedly request renegotiation of security parameters during an ongoing TLS session. This can lead to excessive CPU resource...

5.3 CVSS | 6.8 AI score | 0.00704 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/06/25 5:1 a.m. | 9 views

Denial Of Service (DoS)

ZenML is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of line feed \n characters in component names, allowing an attacker to cause uncontrolled resource consumption by adding a component through an API endpoint api/v1/workspaces/default/components...

6.6 AI score
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/25 4:58 a.m. | 17 views

Unrestricted Upload Of File With Dangerous Type

vrana/adminer is vulnerable to Unrestricted Upload Of File With Dangerous Type. The vulnerability is due to the ability to upload a file with a table name of “..” to the root of the Adminer directory, allowing attackers to guess the name of the uploaded file and execute it...

9.8 CVSS | 7.3 AI score | 0.00663 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Veracode
added 2024/06/24 10:18 a.m. | 10 views

Cross Site Scripting (XSS)

drupal/drupal is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to issues in the CKEditor library when configured for WYSIWYG editing, allowing attackers to target users with access to CKEditor, including privileged site admins...

6.3 AI score
Exploits: 0

Veracode
added 2024/06/24 9:32 a.m. | 20 views

Open Redirect

gradio is vulnerable to Open Redirect. The vulnerability is due to improper validation of user-supplied input, allowing attackers to redirect users to arbitrary websites...

5.4 CVSS | 6.9 AI score | 0.01021 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Veracode
added 2024/06/24 8:44 a.m. | 8 views

Cross Site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to insufficient escaping of user-generated content within parts of the Admin UI, allowing attackers to inject malicious scripts that can then be executed within the context of other users' sessions o...

6.6 AI score
Exploits: 0

Veracode
added 2024/06/24 8:11 a.m. | 47 views

SQL Injection

opencart/opencart is vulnerable to SQL Injection. The vulnerability is due to insufficient validation in the Divido payment extension, allowing an anonymous unauthenticated user to exploit SQL injection to gain unauthorized access to the backend database...

8.1 CVSS | 8 AI score | 0.1908 EPSS
Exploits: 2 | References: 3 | Affected Software: 1

Veracode
added 2024/06/24 7:39 a.m. | 9 views

Denial Of Service (DoS)

typo3/cms is vulnerable to Denial Of Service. The vulnerability is due to the unbound cHash argument, which attackers can exploit by using valid cHash arguments for multiple pages, leading to additional useless page cache entries. This allows attackers to generate a considerable amount of...

7 AI score
Exploits: 0

Veracode
added 2024/06/24 7:35 a.m. | 13 views

Prototype Pollution

getsetprop is vulnerable to prototype pollution. The vulnerability is due to improper restrictions on __proto__ or constructor.prototype properties, which allows an attacker to manipulate application logic, potentially leading to denial of service, remote code execution...

9.8 CVSS | 7.5 AI score | 0.00622 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Veracode
added 2024/06/24 7:23 a.m. | 14 views

Path Traversal

lollms is vulnerable to Path Traversal. The vulnerability is due to inadequate input sanitization of the data.category and data.folder parameters, allowing attackers to navigate beyond the intended directory structure. The attacker can create a config.yaml file in a controllable path, which can b...

9.8 CVSS | 7.4 AI score | 0.01154 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Veracode
added 2024/06/24 7:13 a.m. | 10 views

Improper Access Control

studiomitte/friendlycaptcha is vulnerable to Improper Access Control. The vulnerability is due to the extension failing to check the captcha field requirement in submitted form data, which lets an attacker bypass the captcha check...

5.3 CVSS | 6.7 AI score | 0.0055 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/24 7:7 a.m. | 9 views

Brute Force Attack

ezsystems/ezplatform-user is vulnerable to Brute Force Attack. The vulnerability is due to the password reset functionality not having sufficient protections against brute force attacks, allowing attackers to repeatedly attempt different passwords to gain unauthorized access to user accounts...

7.5 AI score
Exploits: 0

Veracode
added 2024/06/24 7:0 a.m. | 16 views

Insecure Direct Object Reference (IDOR)

jweiland/events2 is vulnerable to Insecure Direct Object Reference (IDOR). The vulnerability is due to missing access checks in the management plugin, which allows an attacker to activate or delete events without authentication...

5.4 CVSS | 6.6 AI score | 0.0029 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/24 6:5 a.m. | 7 views

Prototype Pollution

@byondreal/accessor is vulnerable to Prototype Pollution. The vulnerability is due to improper key restrictions that fail to prevent object prototype manipulation, which allows an attacker to overwrite the object prototype, which can result in remote code execution among other attacks...

8.1 CVSS | 7.3 AI score | 0.00563 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Veracode
added 2024/06/24 6:0 a.m. | 6 views

Session Hijacking

silverstripe/framework is vulnerable to Session Hijacking. The vulnerability is due to a malfunction in the security protection designed to detect changes in the User-Agent header, which allows an attacker to modify the header without invalidating the user session...

7 AI score
Exploits: 0

Veracode
added 2024/06/24 5:26 a.m. | 21 views

Arbitrary File Creation

opencart/opencart is vulnerable to Arbitrary File Creation. The vulnerability is due to insufficient validation in the database restoration functionality, allowing an attacker with admin privileges to inject PHP code and create a backup file with an arbitrary filename and extension within...

7.2 CVSS | 7 AI score | 0.00719 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/06/24 5:12 a.m. | 7 views

Cross Site Scripting (XSS)

silverstripe/framework is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper validation allowing users to specify a non-URL malicious script as the redirection path, which executes within the browser when the URL is followed...

6.5 AI score
Exploits: 0

Veracode
added 2024/06/24 4:47 a.m. | 16 views

Cross-site Scripting (XSS)

moodle/moodle is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper validation of user input in the "Field Name" parameter associated with a new activity, which allows an attacker to perform XSS attacks...

5.5 CVSS | 5.8 AI score | 0.0059 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Veracode
added 2024/06/24 4:27 a.m. | 20 views

XML External Entity (XXE)

io.github.classgraph:classgraph is vulnerable to XML External Entity (XXE). The vulnerability is due to improper handling of external entities during XML processing, which can result in XML External Entity (XXE) injection attacks that can expose sensitive data or execute malicious code...

7.5 CVSS | 7.1 AI score | 0.00556 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2024/06/21 1:24 p.m. | 16 views

Server Side Request Forgery

@strapi/strapi is vulnerable to Server Side Request Forgery. The vulnerability is due to improper validation of the url parameter within the /strapi.io/next/image endpoint, which allows an attacker to send requests to internal resources on the network...

8.6 CVSS | 6.8 AI score | 0.00556 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/06/21 10:13 a.m. | 9 views

Cross Site Scripting (XSS)

silverstripe/framework is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper input validation of HTML content, which allows authenticated users with page edit permission to perform XSS...

6.3 AI score
Exploits: 0

Veracode
added 2024/06/21 9:59 a.m. | 7 views

Insecure Deserialization

typo3/cms is vulnerable to Insecure Deserialization. The vulnerability is due to the execution of source code from Phar files when they are invoked. Due to missing sanitization of user input, attackers can upload obfuscated Phar files "bundle.txt" and manipulate URLs in TYPO3 backend forms to...

7.6 AI score
Exploits: 0

Veracode
added 2024/06/21 9:46 a.m. | 11 views

Account Takeover

silverstripe/framework is vulnerable to Account Takeover. The vulnerability is due to plain text storage of user login attempts, which may include sensitive data like passwords mistyped into the username field. An attacker could gain unauthorized access to user credential...

7 AI score
Exploits: 0

Veracode
added 2024/06/21 9:39 a.m. | 14 views

Authentication Bypass

typo3/cms is vulnerable to Authentication Bypass. The vulnerability is due to late TCA initialization, which fails to restrict frontend users according to the validation rules, allowing attackers to authenticate restricted (e.g., disabled) frontend users...

7.1 AI score
Exploits: 0

Veracode
added 2024/06/21 9:14 a.m. | 11 views

Improper Input Validation

github.com/lightningnetwork/lnd is vulnerable to Improper Input Validation. The vulnerability is due to excessive memory allocation during the parsing process, which creates a Denial-Of-Service (DoS) vector...

6.5 CVSS | 6.7 AI score | 0.00572 EPSS
Exploits: 0 | References: 6 | Affected Software: 1

Veracode
added 2024/06/21 9:2 a.m. | 17 views

Path Traversal

github.com/go-skynet/LocalAI is vulnerable to path traversal. The vulnerability is due to insufficient input validation of the model parameter during the model deletion process, which allows an attacker to delete arbitrary files on the host file system...

9.1 CVSS | 7.1 AI score | 0.25538 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/06/21 8:15 a.m. | 26 views

SQL Injection

Gin-vue-admin is vulnerable to SQL injection. The vulnerability is due to insufficient validation of user input, which allows an attacker to execute arbitrary SQL queries...

8.8 CVSS | 8.2 AI score | 0.00513 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Veracode
added 2024/06/21 8:1 a.m. | 7 views

Information Disclosure

typo3/cms is vulnerable to Information Disclosure. The vulnerability is due to improper permission checks, allowing editors to gain knowledge of protected storages and their folders. Attackers can exploit this by using a valid backend user account to include protected files in a collection render...

7.2 AI score
Exploits: 0

Veracode
added 2024/06/21 7:36 a.m. | 5 views

User Enumeration

silverstripe/framework is vulnerable to User Enumeration. The vulnerability is due to a timing attack on the login or password reset pages, allowing an attacker to determine the existence of user credentials based on response times...

7.2 AI score
Exploits: 0

Veracode
added 2024/06/21 7:15 a.m. | 15 views

SQL Injection

silverstripe/framework is vulnerable to SQL injection. The vulnerability is due to the 'start' querystring parameter not being safely escaped, which exposes a possible SQL injection risk...

8.4 AI score
Exploits: 0

Veracode
added 2024/06/21 7:2 a.m. | 12 views

Incorrect Authorization

github.com/drakkan/sftpgo is vulnerable to Incorrect Authorization. The vulnerability is due to a lack of session invalidation when a user or admin changes their password, which allows an attacker to regain access to restricted accounts by resetting the account's password. Note that this...

5.4 CVSS | 6.8 AI score | 0.00307 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/06/21 7:1 a.m. | 25 views

Remote Code Execution (RCE)

js2py is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the js2py.disable_pyimport function failing to prevent JS sandbox escape, which allows an attacker to send crafted API calls which results in arbitrary code execution...

5.3 CVSS | 7.7 AI score | 0.04548 EPSS
Exploits: 22 | References: 4 | Affected Software: 1

Veracode
added 2024/06/21 6:40 a.m. | 23 views

Denial Of Service (DoS)

io.undertow:undertow-core is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of URL-encoded request paths for concurrent requests on the ajp-listener, which can cause the wrong path to be processed, potentially leading to Denial Of Service (DoS)...

7.5 CVSS | 6.7 AI score | 0.01702 EPSS
Exploits: 0 | References: 9 | Affected Software: 1

Veracode
added 2024/06/21 6:8 a.m. | 7 views

CSV Injection

silverstripe/framework is vulnerable to CSV injection. The vulnerability is due to the potential inclusion of executable macros and scripts in the exported CSV files, which allows an attacker to execute arbitrary code or commands on the user's system...

8.4 AI score
Exploits: 0

Veracode
added 2024/06/21 5:44 a.m. | 15 views

Improper Input Validation

Apache Superset is vulnerable to Improper Input Validation. The vulnerability is due to a lack of validation of user-supplied input. If an authenticated attacker creates a MariaDB connection with the local_infile option enabled, they can execute a specific MySQL/MariaDB SQL command which results i...

6.8 CVSS | 7.4 AI score | 0.01571 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/06/21 5:36 a.m. | 11 views

Improper Preservation Of Permissions

github.com/authzed/spicedb is vulnerable to Improper Preservation Of Permissions. The vulnerability is due to a failure in the exclusion dispatcher to request all the folders in which the user is a member, leading to an incorrect NO_PERMISSION response when the user should have permission...

3.7 CVSS | 7 AI score | 0.00396 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/06/20 10:35 a.m. | 19 views

Cross Site Scripting (XSS)

magento/community-edition is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper sanitization of user input in the product and category management sections, allowing attackers to inject malicious scripts that can affect other admin users accessing those sections...

4.8 CVSS | 6.2 AI score | 0.00557 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2024/06/20 10:22 a.m. | 18 views

Cross-Site Scripting (XSS)

magento/community-edition is vulnerable to stored Cross-site scripting (XSS). The vulnerability is due to insufficient input sanitization, allowing an authenticated user to inject malicious JavaScript into the name of the main website, which can then execute in the context of other...

5.4 CVSS | 5.6 AI score | 0.00556 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/20 10:9 a.m. | 12 views

SQL Injection

magento/community-edition is vulnerable to SQL Injection. The vulnerability is due to improper user input sanitization in email templates, allowing an authenticated user with access to these templates to send malicious SQL queries and gain access to sensitive database information...

6.5 CVSS | 7.1 AI score | 0.00902 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/20 9:12 a.m. | 15 views

Prototype Pollution

@almela/obx is vulnerable to Prototype Pollution. The vulnerability is caused by improper handling of JavaScript object prototypes within index.js, which allows an attacker to manipulate object prototypes, potentially leading to arbitrary code execution or unexpected application behavior...

9.8 CVSS | 7.5 AI score | 0.00693 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/20 9:2 a.m. | 18 views

Insecure Authentication And Session Management

magento/community-edition is vulnerable to Insecure Authentication and session management. The vulnerability is due to inadequate session validation, which allows authenticated users to manipulate session parameters related to authentication and session management on the storefront, leading to security...

6.5 CVSS | 6.8 AI score | 0.01168 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/06/20 8:48 a.m. | 9 views

Prototype Pollution

@tsed/core is vulnerable to Prototype Pollution. The vulnerability is due to the deepExtend function which lacks proper validation, allowing an attacker to overwrite and pollute the object prototype of a program when user input is provided...

8.1 CVSS | 6.6 AI score | 0.017 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

Veracode
added 2024/06/20 8:44 a.m. | 5 views

Authorization Bypass

ezsystems/ez-support-tools is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access controls, allowing any authenticated backend user, regardless of their assigned permissions, to view sensitive system information such as phpinfo output...

6.5 AI score
Exploits: 0

Veracode
added 2024/06/20 8:38 a.m. | 29 views

SQL Injection

Magento is vulnerable to SQL injection. The vulnerability is due to a user with store manipulation privileges being able to execute arbitrary SQL queries by accessing the database connection through a group instance in email templates...

8.8 CVSS | 8.1 AI score | 0.01002 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2024/06/20 7:44 a.m. | 15 views

Cross-Site Scripting (XSS)

TinyMCE is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to unsafe parsing of noscript elements, which allows an attacker to execute malicious code when the content is loaded into the editor...

6.1 CVSS | 6.5 AI score | 0.00529 EPSS
Exploits: 0 | References: 5 | Affected Software: 2

Veracode
added 2024/06/20 7:32 a.m. | 16 views

Insecure Authentication

magento/community-edition is vulnerable to Insecure authentication. The vulnerability is due to improper session handling that allows an unauthenticated user to append arbitrary session IDs which will not be invalidated by subsequent authentication, allowing attackers to hijack or manipulate user...

9.8 CVSS | 6.9 AI score | 0.0214 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/06/20 7:27 a.m. | 15 views

SQL Injection

magento/community-edition is vulnerable to SQL injection. The vulnerability is due to improper sanitization of input in email template variables, allowing a user with marketing privileges to execute arbitrary SQL queries in the database. Attackers can exploit this to manipulate the database,...

8.8 CVSS | 7.6 AI score | 0.01002 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/06/20 7:26 a.m. | 20 views

Arbitrary File Access

magento/community-edition is vulnerable to arbitrary file access. The vulnerability is due to an issue in the file upload controller for downloadable products, allowing an authenticated user to read or delete arbitrary files. Attackers can exploit this vulnerability to gain unauthorized access to...

8.8 CVSS | 6.8 AI score | 0.01117 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/06/20 7:25 a.m. | 14 views

Improper Access Control

mediawiki/core is vulnerable to Improper Access Control. The vulnerability is due to the absence of a .htaccess file which is required to protect some directories from web access, potentially allowing attackers to access sensitive files and directories that shouldn't be web accessible...

5.3 CVSS | 6.5 AI score | 0.02056 EPSS
Exploits: 0 | References: 6 | Affected Software: 1

Veracode
added 2024/06/20 7:18 a.m. | 14 views

2FA Sniffing

pterodactyl/panel is vulnerable to 2FA sniffing. The vulnerability is due to a logical error that delays password verification until after 2FA credentials are entered, allowing malicious users to determine account existence with incorrect passwords...

7.5 CVSS | 6.8 AI score | 0.01475 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Total number of security vulnerabilities: 38340