38468 matches found
Cross-origin Data Exfiltration
Glances is vulnerable to Cross-origin Data Exfiltration. The vulnerability is due to the REST API /api/4/ being exposed without authentication and configured with a permissive CORS policy Access-Control-Allow-Origin: , allowing malicious websites to access and exfiltrate sensitive system...
Server-Side Request Forgery
Glances is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation of the publicapi configuration parameter in the IP plugin, where attacker-controlled URLs are used directly in outbound HTTP requests without scheme or hostname restrictions, allowing...
Server-Side Template Injection (SSTI)
getkirby/cms is vulnerable to Server-Side Template Injection SSTI. The vulnerability is due to improper enforcement of page status permissions during page creation through the REST API, which allows an attacker to create published pages directly and bypass the intended editorial workflow...
OpenMage LTS: Cross-user Wishlist Import Leads To Private Option & File Disclosure
Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variant Summary The shared wishlist add-to-cart endpoint authorizes access with a public "sharingcode", but loads the acted-on wishlist item by a separate global "wishlistitemid" and...
OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution
The product custom option file upload in OpenMage LTS uses an incomplete blocklist "forbiddenextensions = php,exe" to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as ".phtml", ".phar", ".php3", ".php4", ".php5",...
Timing Attack
Bouncy Castle is vulnerable to Timing Attack. The vulnerability is due to timing discrepancies in cryptographic operations within the FrodoEngine component, which allows an attacker to infer sensitive information through timing analysis...
Security Misconfiguration
github.com/containerd/containerd is vulnerable to Security Misconfiguration. The vulnerability is due to incorrect permission settings on critical directories, which allows an attacker to access or manipulate container runtime files with unintended privileges...
Symlink-Based Path Traversal
Backstage is vulnerable to symlink-based path traversal. The vulnerability is due to improper validation of symlinks in Scaffolder actions and archive extraction utilities, which allows an attacker with template execution access to read, write, or delete arbitrary files outside the intended...
Improper Access Control
Mattermost is vulnerable to improper access control. The vulnerability is due to insufficient sanitization and access restrictions on team email addresses, which allows an authenticated user to exploit the GET /api/v4/channels/channelid/commonteams endpoint to view sensitive team email informatio...
Improper Validation Of OAuth State Tokens
github.com/mattermost/mattermost-server is vulnerable to improper validation of OAuth state tokens. The vulnerability is due to insufficient validation during the OpenID Connect OAuth flow, which allows an attacker to manipulate authentication data and take over a user account under specific...
Improper Authentication
Mattermost is vulnerable to improper authentication. The vulnerability is due to failure to validate plugin bot identity in reaction forwarding, which allows an attacker to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts...
Denial-Of-Service (DoS)
libxmljs is vulnerable to a segmentation fault leading to denial-of-service DoS. The vulnerability is due to improper handling of the internal ref property in entityref and entitydecl nodes when parsing specially crafted XML documents, which allows an attacker to trigger a crash by supplying...
Improper Access Control
github.com/mattermost/mattermost-server is vulnerable to improper access control. The vulnerability is due to failure to validate user channel membership when attaching posts to Jira issues, which allows an authenticated attacker with Jira plugin access to read post content and attachments from...
Improper Access Control
github.com/redhatinsights/runtimes-inventory-operator is vulnerable to improper access control. The vulnerability is due to a misconfigured internal proxy that attaches administrative credentials to all commands, which allows a standard user to send unauthorized commands and gain full cluster...
Improper TLS Certificate Verification
github.com/traefik/traefik/v3 is vulnerable to improper TLS certificate verification. The vulnerability is due to incorrect handling of the proxy-ssl-verify annotation, which disables TLS verification when enabled, allowing an attacker to perform man-in-the-middle attacks on HTTPS backends...
Arbitrary Code Injection
protobufjs is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper validation of the "type" field in protobuf definitions, which allows an attacker to inject and execute arbitrary code during object decoding...
Improper Policy Enforcement
github.com/openfga/openfga is vulnerable to improper policy enforcement. The vulnerability is due to inadequate validation during certain Check and ListObject calls, which allows an attacker to bypass authorization controls and gain unauthorized access to resources...
Denial Of Service (DoS)
github.com/google/osv-scalibr is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of empty directory responses in the filesystem traversal fallback path, which allows an attacker to trigger an out-of-bounds access index out of range leading to a panic and...
Improper Authorization
github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to failure in validating the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to exploit this via a crafted OAuth redirect URL to edit...
Sensitive Information Exposure
github.com/mattermost/mattermost-server is vulnerable to sensitive information exposure. The vulnerability is due to improper sanitization of user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/userid/email/verify/member endpoint...
Improper Access Control
github.com/mattermost/mattermost-server is vulnerable to improper access control. The vulnerability is due to failure in enforcing the "Allow users to view archived channels" setting, which allows an attacker to access archived channel content and files via the "Open in Channel" functionality fro...
Authorization Bypass
mcp-neo4j-cypher is vulnerable to Authorization Bypass. The vulnerability is due to the readonly mode enforcement being bypassable using APOC CALL procedures, where unauthorized write operations or server-side request forgery can occur and attackers can exploit this to gain unauthorized access...
Cross-site Scripting (XSS)
Decidim is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of user input in the user name field, which allows an attacker to inject and execute arbitrary code when other users view affected pages...
SQL Injection
PraisonAI is vulnerable to SQL Injection. The vulnerability is due to unsafe concatenation of the tableprefix configuration value into SQL queries without validation, which allows an attacker to inject arbitrary SQL and manipulate or access database contents...
Giskard Has A Regular Expression Denial Of Service (ReDoS) In RegexMatching Check
Summary The RegexMatching check in the "giskard-checks" package passes a user-supplied regular expression pattern directly to Python's re.search without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs...
Security Misconfiguration
Apache Airflow is Vulnerable to Security Misconfiguration. The Vulnerability is due to insufficiently clear documentation of the security model, workload isolation, and JWT authentication behavior, which may lead deployment managers to make incorrect assumptions and configure insecure environment...
Information Disclosure
apacheairflow is vulnerable to Information Disclosure. The vulnerability is due to JWT Tokens used by tasks being exposed in logs, where UI users could act as Dag Authors by exploiting this exposure...
Buffer Overflow
zlib is vulnerable to a buffer overflow. The vulnerability is due to insufficient capacity validation in the zstreambufferungets function of Zlib::GzipReader before shifting existing data with memmove, which allows an attacker to trigger memory corruption by supplying crafted input that causes th...
Server-Side Request Forgery (SSRF)
web3.py is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to web3.py directly processing contract-supplied URLs in its CCIP Read/OffchainLookup EIP-3668 implementation without validating the destination, which allows an attacker to craft a malicious smart contract that...
Decompression Bomb
Pillow is vulnerable to Decompression bomb attacks. The vulnerability is due to not limiting the amount of GZIP-compressed data read when decoding a FITS image, where a specially crafted FITS file could cause unbounded memory consumption, and attackers can exploit it by providing maliciously...
Remote Code Execution (RCE)
Giskard is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe rendering of user-controlled input using Jinja2 Template without validation, which allows an attacker to execute arbitrary code through crafted rule definitions...
LibreNMS: Cross-Site Scripting In ShowConfigController
Summary A Stored Cross-Site Scripting XSS vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the "rancidrepourl" configuration value. When a user navigates to a device's configuration page, this unsanitise...
October CMS Has Stored XSS In Event Log Mail Preview
A stored cross-site scripting XSS vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. Impact - Stored XSS via mail...
Wger Has Stored XSS Via Unescaped License Attribution Fields
Stored XSS via Unescaped License Attribution Fields Summary The "AbstractLicenseModel.attributionlink" property in "wger/utils/models.py" constructs HTML strings by directly interpolating user-controlled fields "licenseauthor", "licensetitle", "licenseobjecturl", "licenseauthorurl",...
OS Command Injection
dolibarr/dolibarr is vulnerable to OS Command Injection. The vulnerability is due to improper validation and escaping of the MAINODTASPDF configuration input before passing it to the exec function, which allows an attacker to execute arbitrary operating system commands...
October CMS Has Stored XSS In Backend Editor Markup Classes
A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
Denial Of Service (DoS)
webonyx/graphql-php is vulnerable to denial of service DoS. The vulnerability is due to the OverlappingFieldsCanBeMerged validation rule performing On² pairwise comparisons on fields with the same response name, which allows an attacker to submit a GraphQL query containing thousands of repeated...
Server-Side Request Forgery (SSRF)
markhuot/craftql is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of external requests in the GetAssetsFieldSchema component, which allows an attacker to trigger unauthorized requests and potentially execute arbitrary code...
Remote Code Execution (RCE)
LibreNMS is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper handling of Binary Locations configuration and the Netcommand feature, which allows an attacker with administrative privileges to execute arbitrary commands on the server...
Apache Log4net: Silent Log Event Loss In XmlLayout And XmlLayoutSchemaLog4J Due To Unescaped XML 1.0 Forbidden Character
Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.htmllayout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0...
DNN: Same HostGUID For All New Installs
DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue...
Cross-Site Request Forgery (CSRF)
PAC4J is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to weak CSRF token validation relying on hash collisions in String.hashCode, which allows an attacker to forge requests with colliding tokens and perform unauthorized actions without the victim’s consent...
LDAP Injection
Bouncy Castle BC-JAVA is vulnerable to LDAP Injection.The vulnerability is due to improper sanitization of user-supplied input in the LDAPStoreHelper component, which allows an attacker to inject malicious LDAP queries and manipulate directory lookups or retrieve unauthorized data...
OAuth Authorization Code Theft
SignalK Server is vulnerable to OAuth authorization code theft. The vulnerability is due to the unvalidated HTTP Host header being used to construct the OAuth2 redirecturi, where an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic...
Improper Access Control
Hono is vulnerable to Improper Access Control. The vulnerability is due to inconsistent cookie parsing between browsers and the parse function, where differently formatted cookie names may be normalized to the same key, allowing attacker-controlled cookies to override legitimate ones and bypass...
Improper Verification
github.com/mattermost/mattermost-server is vulnerable to improper verification. The vulnerability is due to failure to validate that /share-issue-publicly post actions were created by the Jira plugin, which allows an attacker to exfiltrate Jira tickets by tricking victim users into interacting wi...
Path Traversal
Hono is vulnerable to Path Traversal. The vulnerability is due to a path traversal issue in toSSG, where specially crafted values can cause generated file paths to escape the intended output directory, and attackers who can influence values passed to ssgParams during the build process may be able...
Regular Expression Denial Of Service
fast-jwt is vulnerable to Regular Expression Denial of Service. The vulnerability is due to the library allowing regular expressions in claim validation, where a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during...
OS Command Injection
taskflow-ai is vulnerable to OS Command Injection. The vulnerability is due to a security flaw in the terminalexecute component, where performing a manipulation results in os command injection and the attack is possible to be carried out remotely...
Improper Input Validation
Lodash is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of options.imports key names and unsafe merging of inherited properties, which allows an attacker to inject malicious expressions that execute arbitrary code during template compilation...