
38341 matches found

Veracode • added 2024/06/13 5:30 a.m. • 15 views

Cross Site Scripting (XSS)

summernote is vulnerable to Cross Site Scripting XSS. The vulnerability is due to insufficient input validation and sanitization of user-provided content, allowing malicious scripts to be executed within the context of the application when viewed in code mode...

CVSS 6.1 • AI score 6.2 • EPSS 0.00474
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/13 5:08 a.m. • 11 views

Incorrect Authorization

org.apache.submarine, submarine-server-core is vulnerable to an Incorrect Authorization. The vulnerability is due to invalidation on authorization checks, allowing unauthorized users to potentially gain access to restricted functionalities...

CVSS 9.8 • AI score 6.8 • EPSS 0.00733
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2024/06/13 5:05 a.m. • 19 views

Local File Inclusion (LFI)

parisneo/lollms is vulnerable to Local File Inclusion LFI. The vulnerability is due to insufficient path sanitization in the sanitizepathfromendpoint function, which does not properly handle Windows-style paths backward slash \, which allows attackers to exploit directory traversal on Windows...

CVSS 9.1 • AI score 6.6 • EPSS 0.01024
Exploits 0 • References 5 • Affected Software 1
Veracode • added 2024/06/13 4:50 a.m. • 19 views

Authentication Bypass

@strapi/plugin-users-permissions is vulnerable to Authentication Bypass. The vulnerability is caused due to improper handling of Open Redirects and session tokens being sent as URL query parameters, allowing an unauthenticated attacker to retrieve third-party tokens with one user click...

CVSS 8.1 • AI score 6.9 • EPSS 0.0071
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/13 4:43 a.m. • 18 views

Server-side Template Injection (SSTI)

documentmergeservice is vulnerable to Server-side Template Injection SSTI. The vulnerability is due to insufficient input sanitization and validation in the handling of templates within the Document Merge Service, which allows attackers to inject malicious code into templates, which is then...

CVSS 9.9 • AI score 7.1 • EPSS 0.0104
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2024/06/13 4:31 a.m. • 18 views

Remote Code Execution

langflow is vulnerable to Remote Code Execution. The vulnerability is due to untrusted users being able to reach the POST /api/v1/customcomponent endpoint and provide a Python script, allowing an attacker to execute arbitrary code...

CVSS 9.8 • AI score 7.7 • EPSS 0.00923
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/12 9:11 a.m. • 12 views

File Disclosure

vrana/adminer is vulnerable to File Disclosure. This vulnerability is due to insufficient input validation, allowing unauthorized access to sensitive files within the application's directory...

AI score 6.9
Exploits 0
Veracode • added 2024/06/12 8:52 a.m. • 17 views

Arbitrary File Upload

aimeos/aimeos-core is vulnerable to an Arbitrary File Upload. The vulnerability is due to improper validation within the image upload function, allowing attackers to execute arbitrary PHP code by uploading a specially crafted file...

AI score 7.6
Exploits 0 • References 6 • Affected Software 1
Veracode • added 2024/06/12 8:26 a.m. • 19 views

Reflected Cross-site Scripting (XSS)

jupyter-server-proxy is vulnerable to Reflected Cross-site Scripting XSS. The vulnerability is due to improper sanitization of the host value in the /proxy endpoint, allowing an attacker to send a phishing link with custom JavaScript that runs when the user clicks the link, potentially granting...

CVSS 9.6 • AI score 6.2 • EPSS 0.00442
Exploits 0 • References 5 • Affected Software 1
Veracode • added 2024/06/12 7:45 a.m. • 21 views

Denial Of Service (DoS)

@grpc/grpc-js is vulnerable to Denial of Service DoS. The vulnerability is due to improper message size checks because messages that exceed the grpc.maxreceivemessagelength are buffered or decompressed in entirety before being discarded, which can result in DoS...

CVSS 5.3 • AI score 6.6 • EPSS 0.00671
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2024/06/12 7:35 a.m. • 18 views

Cross Site Scripting (XSS)

html is vulnerable to Cross-Site Scripting XSS. This vulnerability is due to improper validation which allows an attacker to introduce JavaScript code through tagged templates within ghtml, allowing an attacker to inject and execute malicious JavaScript code...

CVSS 8.9 • AI score 6.3 • EPSS 0.00436
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/12 7:14 a.m. • 14 views

Command Injection

composer/composer is vulnerable to Command Injection. This vulnerability is due to specially crafted branch names in git/hg repositories, when executing the composer install command, which allows an attacker to execute arbitrary commands...

CVSS 8.8 • AI score 7.6 • EPSS 0.03255
Exploits 0 • References 5 • Affected Software 2
Veracode • added 2024/06/12 7:10 a.m. • 18 views

Remote Code Execution

lightning is vulnerable to a Remote Code Execution. This vulnerability is due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library, which attackers can exploit to manipulate the application state and execute arbitrary code remotely...

CVSS 9.8 • AI score 8 • EPSS 0.26488
Exploits 3 • References 2 • Affected Software 1
Veracode • added 2024/06/12 6:53 a.m. • 14 views

Path Traversal

lollms is vulnerable to Path Traversal. The vulnerability is due to insufficient sanitization of user-supplied input in the sanitizepathfromendpoint and sanitizepath functions within lollmscore\lollms\security.py, enabling arbitrary file reading, particularly on Windows systems...

CVSS 9.8 • AI score 6.9 • EPSS 0.28317
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/12 6:45 a.m. • 13 views

Cross Site Scripting (XSS)

getformwork/formwork is vulnerable to Cross Site Scripting XSS. The vulnerability is due to improper user input validation within meta.php, which allows an attacker to perform XSS...

CVSS 4.8 • AI score 6.6 • EPSS 0.00463
Exploits 1 • References 4 • Affected Software 1
Veracode • added 2024/06/12 6:34 a.m. • 15 views

Insufficient Granularity Of Access Control

lunary is vulnerable to an Insufficient Granularity of Access Control vulnerability. The vulnerability is due to improper validation of dataset ownership, allowing users to create, update, get, and delete prompt variations for datasets not owned by their organization, leading to unauthorized...

CVSS 8.1 • AI score 6.8 • EPSS 0.00431
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/12 6:34 a.m. • 12 views

Insufficient Session Expiration

zenml is vulnerable to Insufficient Session Expiration. The vulnerability is due to the application not terminating existing sessions after a user's password is updated, allowing attackers to maintain access even after security credentials have been changed...

CVSS 8.8 • AI score 7 • EPSS 0.00405
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/12 6:25 a.m. • 18 views

Code Execution

composer/composer is vulnerable to Code Execution. The vulnerability is due to improper branch name sanitization within the status, reinstall, and remove commands when handling packages installed from source via git, which allows an attacker to execute arbitrary code...

CVSS 8.8 • AI score 8 • EPSS 0.01041
Exploits 0 • References 8 • Affected Software 2
Veracode • added 2024/06/12 6:24 a.m. • 11 views

XML Entity Expansion (XXE)

ebookmeta is vulnerable to an XML External Entity XXE vulnerability. The vulnerability is due to improper handling of crafted XML input via the lxml dependency in the ebookmeta.getmetadata function, allowing attackers to access sensitive information or cause a Denial of Service DoS...

CVSS 9.1 • AI score 6.6 • EPSS 0.00532
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/12 6:23 a.m. • 9 views

Regular Expression Denial Of Service (ReDoS)

ua-parser/uap-php is vulnerable to Regular Expression Denial Of Service ReDoS. The vulnerability is due to use of inefficient or poorly constructed regular expressions that can take an exceptionally long time to evaluate against certain input strings, which results in Regular Expression Denial Of...

AI score 7
Exploits 0
Veracode • added 2024/06/12 6:07 a.m. • 20 views

Improper Access Control

scikit-learn is vulnerable to Improper Access Control. The vulnerability is due to the unexpected storage of all tokens in the stopwords attribute, which can leak sensitive information such as passwords or keys when using the TfidfVectorizer class...

CVSS 4.7 • AI score 6.3 • EPSS 0.00187
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/12 5:47 a.m. • 14 views

XML Entity Expansion (XXE)

ebookmeta is vulnerable to an XML External Entity XXE vulnerability. The vulnerability is due to improper handling of crafted XML input in the ebookmeta.getmetadata function, allowing attackers to access sensitive information or cause a Denial of Service DoS...

CVSS 7.5 • AI score 6.6 • EPSS 0.00498
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/12 5:44 a.m. • 22 views

Authentication Bypass

authlib is vulnerable to Authentication Bypass. The vulnerability is due to allowing HMAC verification with any asymmetric public key in jwt.decode calls without specifying an algorithm, which attackers can exploit to bypass authentication checks...

CVSS 7.5 • AI score 7.3 • EPSS 0.00382
Exploits 1 • References 6 • Affected Software 1
Veracode • added 2024/06/12 5:26 a.m. • 21 views

Path Traversal

lollms is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system...

CVSS 7.5 • AI score 7 • EPSS 0.00881
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/12 5:14 a.m. • 12 views

Code Injection

litellm is vulnerable to Code Injection. The vulnerability is caused due to a lack of input validation in the eval function within the secret management system, which allows an attacker to execute arbitrary code...

CVSS 7.2 • AI score 7.8 • EPSS 0.00859
Exploits 1 • References 1 • Affected Software 1
Veracode • added 2024/06/12 4:58 a.m. • 9 views

Arbitrary File Write

onnx is vulnerable to Arbitrary File Write. The vulnerability is due to insufficient path validation within an archive during tar file extraction. An attacker can overwrite any file on the system, potentially leading to remote code execution, and deletion of system, personal, or application files...

CVSS 8.8 • AI score 7.7 • EPSS 0.01168
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/11 10:57 a.m. • 10 views

Request Smuggling

tornado is vulnerable to Request Smuggling. This vulnerability is due to mishandling multiple Transfer-Encoding: chunked headers, which allows for request smuggling attacks when deployed behind a proxy server that emits such requests...

AI score 7
Exploits 0
Veracode • added 2024/06/11 10:28 a.m. • 22 views

Sensitive Information Exposure

h2o is vulnerable to Sensitive Information Exposure. The vulnerability is due to the Typeahead API call which allows an attacker to look up arbitrary system paths in the entire file system where h2o-3 is hosted...

CVSS 5.3 • AI score 6.8 • EPSS 0.00835
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 9:31 a.m. • 13 views

Race Condition

zenml is vulnerable to a Race Condition vulnerability. The vulnerability is due to insufficient handling of concurrent user creation requests, which allows an attacker to create multiple users with the same username when requests are sent in parallel...

CVSS 3.1 • AI score 6.6 • EPSS 0.00289
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2024/06/11 8:54 a.m. • 22 views

Denial Of Service (DoS)

langchain is vulnerable to a Denial-of-Service DoS. The vulnerability is due to infinite recursion in the parsesitemap method, which results in an infinite loop that exceeds the maximum recursion depth in Python...

CVSS 4.7 • AI score 6.7 • EPSS 0.00301
Exploits 1 • References 4 • Affected Software 1
Veracode • added 2024/06/11 7:59 a.m. • 15 views

Inadequate Encryption Strength

Ninja Core is vulnerable to Inadequate Encryption Strength. The vulnerability is due to the encrypt method in the CookieEncryption class which uses AES with default padding, leading to the possible leakage of sensitive cookie information...

CVSS 7.5 • AI score 6.5 • EPSS 0.0078
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/11 7:55 a.m. • 16 views

Improper Authorization

zenml is vulnerable to Improper Authorization. The vulnerability is due to improper authorization controls in the API PUT /api/v1/users/id endpoint, allowing any authenticated user to modify other users' information, including deactivating accounts...

CVSS 6.5 • AI score 6.5 • EPSS 0.00623
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 6:43 a.m. • 15 views

Cross Site Scripting (XSS)

sulu/form-bundle is vulnerable to Cross Site Scripting XSS. The vulnerability is due to the TokenController improperly sanitizing the formName parameter, which is returned in the input field...

CVSS 6.1 • AI score 6.3 • EPSS 0.00292
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2024/06/11 6:32 a.m. • 11 views

Arbitrary File Deletion

litellm is vulnerable to Arbitrary File Deletion. The vulnerability is due to improper input validation on the /audio/transcriptions endpoint, allowing attackers to send crafted requests that delete specified files without proper authorization or validation...

CVSS 8.1 • AI score 6.7 • EPSS 0.00614
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 6:27 a.m. • 8 views

Session Fixation

Evmos is vulnerable to Session Fixation. The vulnerability is due to the improper handling of contract balances during interchain transactions involving a local state change and an ICS20 transfer. An attacker can exploit this flaw to artificially increase the supply of Evmos tokens by manipulatin...

CVSS 7.5 • AI score 6.4 • EPSS 0.00618
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 6:26 a.m. • 22 views

CRLF Injection

tornado is vulnerable to CRLF Injection. The vulnerability is due to improper CR/LF checks allowing for the inclusion of attacker-controlled header values in requests, which allows arbitrary headers or requests to be sent to a specified server...

AI score 7.1
Exploits 0
Veracode • added 2024/06/11 6:08 a.m. • 10 views

Local File Inclusion (LFI)

gradio is vulnerable to Local File Inclusion LFI. The vulnerability is due to improper input validation in the postprocess function within jsoncomponent.py, where a user-controlled string is parsed as JSON which can be exploited to read arbitrary files on the remote system...

CVSS 7.5 • AI score 6.8 • EPSS 0.0083
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 6:07 a.m. • 16 views

Incorrect Calculation

github.com/evmos/evmos is vulnerable to Incorrect Calculation. The vulnerability is due to a failure to update the spendable balance correctly when delegating vested tokens, allowing attackers with clawback vesting accounts to manipulate the system to treat unvested tokens as though they were...

CVSS 4.3 • AI score 6.7 • EPSS 0.00384
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/11 6:07 a.m. • 11 views

Improper Authentication

born05/craft-twofactorauthentication is vulnerable to Improper Authentication. The vulnerability is due to improper checks to prevent TOTP tokens from being used multiple times within the validity period...

CVSS 6.5 • AI score 6.7 • EPSS 0.00588
Exploits 1 • References 6 • Affected Software 1
Veracode • added 2024/06/11 6:06 a.m. • 10 views

Improper Authorization

github.com/evmos/evmos is vulnerable to Improper Authorization. The vulnerability is due to the absence of proper checks to prevent the delegation of unvested tokens, which enables attackers to prematurely access and utilize these tokens in ways not intended by the vesting agreements...

CVSS 5.3 • AI score 6.7 • EPSS 0.00382
Exploits 0 • References 1 • Affected Software 1
Veracode • added 2024/06/11 6:05 a.m. • 20 views

Password Hash Disclosure

born05/craft-twofactorauthentication is vulnerable to Password Hash Disclosure. The vulnerability is due to the improper handling of password hashes, which are exposed in server responses after a valid TOTP submission. Attackers can exploit this by controlling a user's session to obtain the...

CVSS 8.1 • AI score 6.8 • EPSS 0.00832
Exploits 1 • References 6 • Affected Software 1
Veracode • added 2024/06/11 6:04 a.m. • 14 views

Sensitive Information Disclosure

jupyterserver is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper path validation, which allows unauthenticated attackers to leak the NTLMv2 password hash of the Windows user running the server...

CVSS 7.5 • AI score 7.5 • EPSS 0.00699
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2024/06/11 6:03 a.m. • 16 views

Information Exposure

zsa is vulnerable to Information Exposure Through Error Message. The vulnerability is due to the application transferring the parse error stack from the server to the client in production build mode, potentially revealing sensitive server information...

CVSS 5.3 • AI score 6.5 • EPSS 0.00292
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2024/06/11 5:52 a.m. • 12 views

Cross Site Scripting (XSS)

zenml is vulnerable to Cross Site Scripting XSS. The vulnerability is due to missing sanitization of the logourl field, allowing an attacker to send harmful messages to other users and potentially compromise their accounts...

CVSS 4.8 • AI score 6.3 • EPSS 0.00364
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 5:48 a.m. • 10 views

Undefined Behavior

mlflow is vulnerable to Undefined Behavior. The vulnerability is due to inadequate validation of model names, which allows an attacker to create multiple models with the same name, leading to potential Denial of Service DoS and data model poisoning...

CVSS 5.4 • AI score 6.7 • EPSS 0.00442
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/11 4:52 a.m. • 14 views

SQL Injection

litellm is vulnerable to SQL Injection. The vulnerability is due to improper handling of the 'userid' parameter in the raw SQL query used for deleting users. This allows an attacker to inject malicious SQL commands, leading to potential unauthorized access to sensitive information such as API key...

CVSS 4.9 • AI score 6.7 • EPSS 0.0056
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/10 3:06 p.m. • 21 views

Server-Side Request Forgery (SSRF)

langchain is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper restriction of requests in the Web Research Retriever component, allowing it to reach local addresses and enabling attackers to execute port scans, access local services, and potentially read instanc...

CVSS 7.7 • AI score 6.9 • EPSS 0.00691
Exploits 1 • References 2 • Affected Software 1
Veracode • added 2024/06/10 2:31 p.m. • 17 views

SQL Injection

litellm is vulnerable to SQL Injection. The vulnerability is due to improper neutralization of special elements in an SQL command within the /global/spend/logs endpoint, where the apikey parameter is concatenated directly into the query without validation. Successful exploitation could lead to...

CVSS 7.2 • AI score 7.3 • EPSS 0.00429
Exploits 1 • References 4 • Affected Software 1
Veracode • added 2024/06/10 1:58 p.m. • 23 views

Improper Restriction Of Rendered UI Layers Or Frames (Clickjacking)

zenml is vulnerable to Improper Restriction of Rendered UI Layers or Frames Clickjacking. The vulnerability is due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers, allowing an attacker to embed the application UI within an iframe on a...

CVSS 6.1 • AI score 6.6 • EPSS 0.00354
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2024/06/10 1:52 p.m. • 12 views

Authentication Bypass By Spoofing

github.com/kubernetes/kubernetes/ is vulnerable to Authentication Bypass By Spoofing. The vulnerability is due to an improper issuer check, which allows an attacker to bypass the issuer "iss" check during JSON Web Token JWT authentication...

AI score 7.1
Exploits 0

Total number of security vulnerabilities: 38341