
38326 matches found

Veracode • added 2025/02/18 8:53 a.m. • 9 views

Cross-site Scripting (XSS)

Vega and vega-selections are vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper function invocation: the vlSelectionTuples function allows attacker-controlled input to execute arbitrary JavaScript via Function, leading to potential code execution...

CVSS: 6.9 | AI score: 6.7 | EPSS: 0.00602
Exploits: 0 | References: 4 | Affected Software: 2

Veracode • added 2025/02/18 8:22 a.m. • 8 views

Server Side Request Forgery (SSRF)

labelstudio is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to the lack of proper validation or restrictions on the custom S3 endpoint URL, allowing an attacker to send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint...

CVSS: 8.6 | AI score: 6.9 | EPSS: 0.00536
Exploits: 1 | References: 4 | Affected Software: 1

Veracode • added 2025/02/18 8:8 a.m. • 7 views

Cross-Site Scripting (XSS)

labelstudio is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of user-provided HTML content in the /projects/upload-example endpoint, allowing attackers to inject malicious JavaScript via a specially crafted label_config query parameter in a GET request...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.01778
Exploits: 2 | References: 4 | Affected Software: 1

Veracode • added 2025/02/18 6:6 a.m. • 10 views

Path Traversal

labelstudiosdk is vulnerable to Path Traversal. The vulnerability is due to improper file path validation in the VOC, COCO, and YOLO export functionalities, where the download function in the label-studio-sdk package fails to properly validate file paths during task exports, allowing attackers to...

CVSS: 8.7 | AI score: 6.8 | EPSS: 0.00708
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/18 6:6 a.m. • 8 views

Regular Expression Denial Of Service (ReDoS)

@octokit/plugin-paginate-rest is vulnerable to Regular Expression Denial Of Service (ReDoS). The vulnerability is due to improper handling of the link parameter in the headers section of the request, which allows a specially crafted input to exploit the regular expression logic and trigger a denial...

CVSS: 5.3 | AI score: 5.1 | EPSS: 0.0058
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/18 6:5 a.m. • 7 views

Mutation Cross-site Scripting (mXSS)

DOMPurify is vulnerable to mutation cross-site scripting (mXSS). The vulnerability is due to an incorrect template literal regular expression in DOMPurify, which allows an attacker to execute mutation cross-site scripting (mXSS)...

CVSS: 6.1 | AI score: 4.5 | EPSS: 0.00559
Exploits: 1 | References: 5 | Affected Software: 1

Veracode • added 2025/02/18 6:2 a.m. • 4 views

Cross-Site Scripting (XSS)

alextselegidis/easyappointments is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of the legalsettings parameter, which allows a remote attacker to execute arbitrary code...

CVSS: 6.1 | AI score: 6.9 | EPSS: 0.00472
Exploits: 1 | References: 3 | Affected Software: 1

Veracode • added 2025/02/18 5:50 a.m. • 9 views

Regular Expression Denial-of-Service (ReDoS)

@octokit/endpoint is vulnerable to Regular Expression Denial-of-Service (ReDoS). The vulnerability is due to inefficient regex processing: the endpoint.parse(options) function allows crafted input to trigger excessive backtracking, leading to high CPU utilization and application hang...

CVSS: 5.3 | AI score: 6.6 | EPSS: 0.0058
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/18 5:48 a.m. • 8 views

Regular Expression Denial Of Service (ReDoS)

@octokit/request-error is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient regular expression processing in the handling of HTTP request headers. Specifically, the regex used to process authorization headers fails to handle excessive whitespace...

CVSS: 5.3 | AI score: 5.1 | EPSS: 0.0058
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/17 10:21 a.m. • 8 views

Memory Leakage

go-crypto-winnative is vulnerable to Memory Leakage. The vulnerability is due to improper resource management: the key handle in cng.TLS1PRF is not released, causing a small memory leak on each call...

CVSS: 7.5 | AI score: 7 | EPSS: 0.0128
Exploits: 0 | References: 3 | Affected Software: 1

Veracode • added 2025/02/17 9:15 a.m. • 3 views

Log Injection

Rack is vulnerable to Log Injection. The vulnerability is due to improper handling of user input in Rack::CommonLogger, which allows attackers to inject newline characters into log entries by crafting a username with CRLF and whitespace characters, potentially manipulating the log format or...

CVSS: 7.1 | AI score: 6.5 | EPSS: 0.01095
Exploits: 1 | References: 6 | Affected Software: 1

Veracode • added 2025/02/17 9:1 a.m. • 8 views

Denial Of Service (DoS)

parse-duration is vulnerable to Denial Of Service (DoS). The vulnerability is due to CPU-bound operations that resolve a provided string, causing delays of 0.5ms to 50ms per operation and crashes due to memory exhaustion when the string size reaches approximately 10 MB with Unicode characters, allo...

CVSS: 7.5 | AI score: 7 | EPSS: 0.00715
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/17 8:30 a.m. • 6 views

Information Disclosure

Elliptic is vulnerable to Information Disclosure. The vulnerability is due to inadequate input validation in the ECDSA signing process. Specifically, the system accepts malformed inputs like strings or numbers without proper checks, which allows an attacker to craft input that can lead to the...

AI score: 7
Exploits: 0

Veracode • added 2025/02/17 8:14 a.m. • 4 views

Remote Code Execution (RCE)

islandora/crayfish is vulnerable to Remote Code Execution (RCE). The vulnerability is due to insufficient input validation and lack of proper access controls in the web-accessible installation of Hypercube, which allow attackers to inject and execute arbitrary code remotely...

AI score: 8.5
Exploits: 0

Veracode • added 2025/02/17 5:42 a.m. • 23 views

Improper Authorization

magento/community-edition and magento/project-community-edition are vulnerable to Improper Authorization. The vulnerability is due to insufficient access controls due to improper authorization enforcement, allowing an attacker to bypass security measures and escalate privileges, potentially leadi...

CVSS: 9.1 | AI score: 7 | EPSS: 0.15857
Exploits: 0 | References: 3 | Affected Software: 2

Veracode • added 2025/02/17 5:15 a.m. • 6 views

Denial Of Service (DoS)

Koa is vulnerable to Denial of Service. The vulnerability is due to inefficient regular expression processing due to the use of an overly complex regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers, which can be exploited to cause excessive resource consumption...

CVSS: 9.2 | AI score: 7 | EPSS: 0.0077
Exploits: 0 | References: 8 | Affected Software: 1

Veracode • added 2025/02/17 5:9 a.m. • 3 views

Denial Of Service (DoS)

github.com/cosmos/ibc-apps is vulnerable to Denial Of Service (DoS). The vulnerability is due to disruptions in IBC transfers, allowing an attacker to interfere with asset transfers between their native chain and another chain...

AI score: 7
Exploits: 0

Veracode • added 2025/02/17 5:8 a.m. • 5 views

Request Parameter Leakage

io.quarkus, quarkus-rest is vulnerable to Request Parameter Leakage. The vulnerability is due to request parameters leaking between concurrent requests when endpoints use field injection without a CDI scope, which allows an attacker to manipulate request data, impersonate users, or access sensitive...

CVSS: 8.3 | AI score: 7.2 | EPSS: 0.00724
Exploits: 0 | References: 12 | Affected Software: 2

Veracode • added 2025/02/17 5:7 a.m. • 9 views

Cross-Site Scripting (XSS)

org.apache.atlas, apache-atlas is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient input sanitization, allowing an authenticated user to inject malicious scripts...

CVSS: 7.1 | AI score: 6 | EPSS: 0.00529
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/14 9:36 a.m. • 9 views

Denial Of Service (DoS)

io.netty:netty-handler is vulnerable to Denial of Service. The vulnerability is due to improper input validation due to incorrect handling of specially crafted packets in SslHandler, which can lead to a native crash...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.01966
Exploits: 1 | References: 7 | Affected Software: 1

Veracode • added 2025/02/14 8:6 a.m. • 10 views

Improper Authentication

github.com/distribution/distribution/v3 is vulnerable to Improper Authentication. The vulnerability is due to inadequate verification of JSON Web Keys (JWK) in JSON Web Tokens (JWT), allowing an attacker to inject an untrusted signing key when token authentication is...

CVSS: 8.7 | AI score: 6.8 | EPSS: 0.00326
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/14 7:53 a.m. • 6 views

Privilege Escalation

github.com/mayswind/ezbookkeeping is vulnerable to Privilege Escalation. The vulnerability is due to the lack of rate limiting, allowing a remote attacker to repeatedly attempt authentication or privilege elevation without restriction...

CVSS: 6.3 | AI score: 7.5 | EPSS: 0.00412
Exploits: 1 | References: 3 | Affected Software: 1

Veracode • added 2025/02/14 6:43 a.m. • 7 views

Improper Data Encryption

Temporal api-go is vulnerable to Improper Data Encryption. The vulnerability is due to missing Data Converter transformations due to the update response information not being processed by the Data Converter when using a gRPC proxy with the api-go module, leading to unencrypted data exposure...

CVSS: 2 | AI score: 5.9 | EPSS: 0.0009
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/14 6:21 a.m. • 5 views

Open Redirection

@sap/approuter is vulnerable to Open Redirection. The vulnerability is due to improper session handling due to an attacker injecting a malicious payload when trading an authorization code, allowing session hijacking and impacting the application's confidentiality and integrity...

CVSS: 8.1 | AI score: 6.7 | EPSS: 0.00475
Exploits: 0 | References: 5 | Affected Software: 1

Veracode • added 2025/02/13 10:9 a.m. • 7 views

Improper Access Control

esbuild is vulnerable to Improper Access Control. The vulnerability is due to improper CORS settings due to the development server allowing any website to send requests and read responses by default...

AI score: 7
Exploits: 0

Veracode • added 2025/02/13 8:47 a.m. • 8 views

Denial Of Service

Net::IMAP is vulnerable to Denial of Service (DoS). The vulnerability is due to memory exhaustion due to the response parser's use of Range#to_a, which allows a malicious server to send highly compressed uid-set data, leading to uncontrolled memory expansion...

CVSS: 6.5 | AI score: 7 | EPSS: 0.00578
Exploits: 0 | References: 10 | Affected Software: 1

Veracode • added 2025/02/13 8:18 a.m. • 5 views

Missing Encryption Of Sensitive Data

@coinbase/wallet-sdk is vulnerable to Missing Encryption of Sensitive Data. The vulnerability is due to the use of outdated versions due to an unspecified security flaw that does not directly impact users' keys, smart contracts, or funds...

AI score: 7.2
Exploits: 0

Veracode • added 2025/02/13 5:26 a.m. • 10 views

Signature Bypass

github.com/distribution/distribution is vulnerable to Signature Bypass. The vulnerability is due to improper JSON Web Key (JWK) verification, allowing an attacker to forge a malicious JWT and bypass authentication...

CVSS: 8.7 | AI score: 7 | EPSS: 0.00326
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/13 5:24 a.m. • 7 views

Authentication Bypass

OpenSSL is vulnerable to Authentication Bypass. The vulnerability is due to SSL_VERIFY_PEER not enforcing handshake failure when the server's RPK does not match an expected key, allowing unauthenticated connections to proceed...

CVSS: 6.3 | AI score: 6.6 | EPSS: 0.02357
Exploits: 0 | References: 9 | Affected Software: 2

Veracode • added 2025/02/13 5:23 a.m. • 8 views

Prompt Injection

pandasai is vulnerable to Prompt Injection. The vulnerability is due to insufficient input validation in the interactive prompt function, allowing prompt injection to execute arbitrary Python code...

CVSS: 9.8 | AI score: 7.5 | EPSS: 0.0122
Exploits: 0 | References: 5 | Affected Software: 1

Veracode • added 2025/02/13 5:22 a.m. • 8 views

Privilege Escalation

com.instaclustr:cassandra-lucene-index-plugin is vulnerable to Privilege Escalation. The vulnerability is due to a flaw in the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin, which allows authenticated users to bypass the RBAC mechanism and gain elevated privileges...

CVSS: 8.8 | AI score: 6.6 | EPSS: 0.00536
Exploits: 0 | References: 5 | Affected Software: 1

Veracode • added 2025/02/12 10:37 a.m. • 9 views

Cross-site Scripting (XSS)

serialize-javascript is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the failure to properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject and execute malicious code when deserializ...

CVSS: 5.4 | AI score: 6.3 | EPSS: 0.01006
Exploits: 0 | References: 23 | Affected Software: 2

Veracode • added 2025/02/12 10:25 a.m. • 13 views

Authentication Bypass

OPCFoundation.NetStandard.Opc.Ua is vulnerable to an Authentication Bypass. The vulnerability is due to improper authentication enforcement due to weaknesses in HTTPS endpoint handling, allowing an unauthorized attacker to bypass application authentication...

CVSS: 5.3 | AI score: 7 | EPSS: 0.00508
Exploits: 0 | References: 5 | Affected Software: 2

Veracode • added 2025/02/12 9:58 a.m. • 6 views

Authorization Bypass

OPCFoundation.NetStandard.Opc.Ua is vulnerable to Authorization Bypass. The vulnerability is due to improper authentication enforcement due to the deprecated Basic128Rsa15 security policy being enabled, allowing an unauthorized attacker to bypass application authentication...

CVSS: 8.6 | AI score: 7 | EPSS: 0.00549
Exploits: 0 | References: 5 | Affected Software: 2

Veracode • added 2025/02/12 7:28 a.m. • 8 views

Sensitive Information Exposure

opensource-workshop/connect-cms is vulnerable to Sensitive Information Exposure. The vulnerability is due to improper access control due to restricted information in site search results still being accessible via the main text feature...

AI score: 6.6
Exploits: 0

Veracode • added 2025/02/12 7:0 a.m. • 4 views

SQL Injection

org.jeecgframework.boot, jeecg-boot-common is vulnerable to SQL injection. The vulnerability is due to improper input validation in the getTotalData component, allowing a remote attacker to execute malicious SQL queries and obtain sensitive information...

CVSS: 7.5 | AI score: 8.2 | EPSS: 0.00533
Exploits: 1 | References: 2 | Affected Software: 1

Veracode • added 2025/02/12 6:59 a.m. • 12 views

Denial Of Service (DoS)

io.netty, netty-common is vulnerable to Denial Of Service (DoS). The vulnerability is due to an unsafe reading of the environment file, which allows an attacker to create a large nonexistent file on Windows, causing Netty to crash...

CVSS: 5.5 | AI score: 6.6 | EPSS: 0.00357
Exploits: 0 | References: 5 | Affected Software: 1

Veracode • added 2025/02/12 6:57 a.m. • 8 views

Cross-Site Scripting (XSS)

org.apache.felix, org.apache.felix.webconsole is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper neutralization of user-supplied input during web page generation, which allows an attacker to inject and execute malicious scripts in a user's browser...

CVSS: 6.1 | AI score: 6.4 | EPSS: 0.00622
Exploits: 0 | References: 5 | Affected Software: 1

Veracode • added 2025/02/12 6:57 a.m. • 8 views

Cross-Site Scripting (XSS)

redaxo/source is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of the "Article Name" argument in the Structure Management Page, allowing remote attackers to inject malicious scripts...

CVSS: 5.4 | AI score: 6.3 | EPSS: 0.00372
Exploits: 1 | References: 5 | Affected Software: 1

Veracode • added 2025/02/11 11:34 a.m. • 6 views

Denial Of Service (DoS)

Apache James Server is vulnerable to Denial of Service (DoS). The vulnerability is due to unbounded memory consumption: the JMAP HTML-to-plain-text conversion implementation fails to properly limit resource usage, potentially leading to service disruption...

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.00742
Exploits: 0 | References: 7 | Affected Software: 1

Veracode • added 2025/02/11 10:55 a.m. • 15 views

Path Traversal

github.com/clidey/whodb/core is vulnerable to Path Traversal. The vulnerability is due to improper path validation due to the lack of checks when joining user-controlled database file names with the default directory, allowing an attacker to use path traversal ../../ to access any Sqlite3 databas...

CVSS: 10 | AI score: 9.4 | EPSS: 0.0268
Exploits: 1 | References: 6 | Affected Software: 1

Veracode • added 2025/02/11 10:25 a.m. • 10 views

Parameter Injection

github.com/clidey/whodb/core is vulnerable to Parameter Injection. The vulnerability is due to unsafe string concatenation when handling user input in database connection URIs, allowing an attacker to inject parameters like allowAllFiles=true and read local files through the LOAD DA...

CVSS: 8.6 | AI score: 8.2 | EPSS: 0.00525
Exploits: 0 | References: 5 | Affected Software: 1

Veracode • added 2025/02/11 9:48 a.m. • 10 views

Cache Poisoning

vLLM is vulnerable to Cache Poisoning. The vulnerability is due to hash collisions due to the use of Python's built-in hash function for prefix caching, which makes hash(None) a predictable constant value, allowing an attacker to intentionally populate the cache with colliding prompts and interfere...

CVSS: 2.6 | AI score: 3.6 | EPSS: 0.00176
Exploits: 0 | References: 8 | Affected Software: 1

Veracode • added 2025/02/11 7:15 a.m. • 7 views

Cross-Site Scripting (XSS)

@nuxtjs/mdc is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a deny-list approach in URL parsing that fails to properly filter encoded HTML entities, allowing an attacker to bypass security checks and execute arbitrary JavaScript...

CVSS: 9.3 | AI score: 9 | EPSS: 0.00632
Exploits: 0 | References: 4 | Affected Software: 1

Veracode • added 2025/02/11 6:59 a.m. • 9 views

Remote Code Execution (RCE)

mitmproxy is vulnerable to Remote Code Execution (RCE). The vulnerability is due to mitmweb's proxy server allowing access to its internal API, allowing an attacker to perform SSRF and potentially escalate to remote code execution...

CVSS: 8.2 | AI score: 7.5 | EPSS: 0.00761
Exploits: 0 | References: 7 | Affected Software: 1

Veracode • added 2025/02/11 3:41 a.m. • 3 views

XML External Entity (XXE)

xml2rfc is vulnerable to XML External Entity (XXE). The vulnerability is due to improper enforcement of the --allow-local-file-access flag, allowing XML entity references to access local files within the source directory, leading to potential information disclosure...

AI score: 6.6
Exploits: 0

Veracode • added 2025/02/11 3:41 a.m. • 4 views

Access Control Vulnerability

opensource-workshop/connect-cms is vulnerable to Access control vulnerability. The vulnerability is due to improper access control mechanisms, allowing unauthorized access to restricted areas of the management system...

AI score: 7
Exploits: 0

Veracode • added 2025/02/11 3:40 a.m. • 11 views

Improper Input Validation

github.com/drakkan/sftpgo is vulnerable to Improper Input Validation. The vulnerability is due to missing sanitization of the client-provided rsync command, allowing an authenticated remote user to read or write files with the permissions of the SFTPGo server process...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.0067
Exploits: 0 | References: 2 | Affected Software: 1

Veracode • added 2025/02/11 3:39 a.m. • 8 views

User Enumeration

pimcore/admin-ui-classic-bundle is vulnerable to User Enumeration. The vulnerability is due to improper error handling in the "Forgot password" function, which reveals valid account usernames and allows an attacker to identify existing user accounts and use them for further attacks such as brute-for...

CVSS: 6.9 | AI score: 6.7 | EPSS: 0.00483
Exploits: 1 | References: 5 | Affected Software: 1

Veracode • added 2025/02/10 4:12 p.m. • 7 views

Man-In-The-Middle (MITM)

org.apache.cassandra:cassandra-all is vulnerable to a Man-In-The-Middle attack. The vulnerability is due to improper RMI registry protections due to the ability of a local attacker to manipulate the RMI registry, allowing them to capture JMX interface credentials and perform unauthorized operatio...

CVSS: 5.3 | AI score: 5.6 | EPSS: 0.00259
Exploits: 0 | References: 4 | Affected Software: 1

Total number of security vulnerabilities: 38326