38326 matches found

Veracode
added 2025/01/28 4:20 a.m. | 5 views

Server-Side Request Forgery (SSRF)

Fedify is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of the Webfinger mechanism, allowing attackers to perform GET requests to internal resources, cause denial of service via infinite loops, or execute blind SSRF attacks...

CVSS 5.4 | AI score 7 | EPSS 0.00572
Exploits: 0 | References: 6 | Affected Software: 1
Veracode
added 2025/01/28 4:9 a.m. | 18 views

Denial Of Service (DoS)

org.apache.cxf, cxf-core is vulnerable to Denial of Service (DoS). The vulnerability is due to CachedOutputStream instances not being closed in certain edge cases, potentially filling up the file system when backed by temporary files, which allows an attacker to exhaust the file system...

CVSS 7.5 | AI score 6.5 | EPSS 0.01941
Exploits: 0 | References: 11 | Affected Software: 1
Veracode
added 2025/01/28 4:5 a.m. | 25 views

Out Of Memory Error

org.elasticsearch, elasticsearch is vulnerable to Out of Memory Error. The vulnerability is due to unrestricted resource allocation in Elasticsearch, where there are no limits or throttling mechanisms in place to manage resource usage effectively. It allows malicious queries, such as those using...

CVSS 7.5 | AI score 7.2 | EPSS 0.00597
Exploits: 0 | References: 4 | Affected Software: 1
Veracode
added 2025/01/28 4:3 a.m. | 8 views

Credential Disclosure

github.com/writefreely/writefreely is vulnerable to Credential Disclosure. The vulnerability is due to improper configuration management. Specifically, the sensitive information in the config.ini file is not adequately protected, allowing local users to access it and discover credentials when MyS...

CVSS 8.4 | AI score 6.4 | EPSS 0.00203
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/28 4:0 a.m. | 6 views

Cross-Site Request Forgery (CSRF)

codechecker is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to improper authentication handling in CodeChecker, which allows an attacker to hijack the authentication of a logged-in user and perform actions with the same permissions...

CVSS 8.2 | AI score 7 | EPSS 0.00243
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/27 10:55 a.m. | 9 views

Cross-site Scripting (XSS)

YesWiki is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation in the attach component, where a non-existing resource in the file attribute generates a file upload button, allowing authenticated users with edit or comment permissions to inject malicious scripts...

CVSS 7.6 | AI score 6 | EPSS 0.00392
Exploits: 1 | References: 5 | Affected Software: 1
Veracode
added 2025/01/27 10:25 a.m. | 8 views

Relative Path Traversal

github.com/hashicorp/go-slug is vulnerable to Relative Path Traversal. The vulnerability is due to improper path validation when extracting user-provided paths from tar entries, allowing for directory traversal and potential overwriting of arbitrary files...

CVSS 9.1 | AI score 6.8 | EPSS 0.00667
Exploits: 0 | References: 4 | Affected Software: 1
Veracode
added 2025/01/27 8:55 a.m. | 7 views

Cross-site Scripting (XSS)

YesWiki is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of user input in the search by tag feature, allowing a malicious user to craft a link that triggers an XSS when clicked. This results in potential account takeover, stealing other accounts,...

CVSS 7.6 | AI score 5.5 | EPSS 0.00337
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/27 7:58 a.m. | 10 views

Denial Of Service (DoS)

The compose-go library is vulnerable to Denial of Service (DoS). The vulnerability is due to excessive memory and CPU consumption when parsing malicious YAML payloads, which can be sent by an authorized user...

CVSS 5.9 | AI score 6.7 | EPSS 0.00223
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/27 6:26 a.m. | 13 views

Predictable Boundary Selection

Undici is vulnerable to predictable boundary selection. The vulnerability is due to the use of Math.random to choose the boundary, which can be predicted if several of its values are known, potentially allowing an attacker to tamper with requests to backend APIs...

CVSS 6.8 | AI score 6.5 | EPSS 0.00736
Exploits: 0 | References: 8 | Affected Software: 2
Veracode
added 2025/01/27 5:46 a.m. | 9 views

Cross-Site Scripting (XSS)

PhpSpreadsheet is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization or escaping of user input when converting XLSX files into HTML, which allows malicious scripts to be embedded in the file content and executed in the context of the user's browser...

CVSS 6.1 | AI score 6.1 | EPSS 0.00371
Exploits: 4 | References: 4 | Affected Software: 2
Veracode
added 2025/01/27 5:30 a.m. | 6 views

Arbitrary File Deletion

yeswiki/yeswiki is vulnerable to Arbitrary File Deletion. The vulnerability is due to improper file permission handling, where authenticated users can delete files owned by the FastCGI Process Manager (FPM) user, allowing them to arbitrarily remove critical files without any scope limitation...

CVSS 7.1 | AI score 6.5 | EPSS 0.00568
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/27 3:8 a.m. | 15 views

Account Enumeration

umbraco.cms is vulnerable to Account Enumeration. The vulnerability is due to discrepancies in response codes and the timing of Umbraco management API responses, which allow attackers to infer the existence of specific accounts...

CVSS 5.3 | AI score 6.6 | EPSS 0.01451
Exploits: 1 | References: 5 | Affected Software: 1
Veracode
added 2025/01/27 3:5 a.m. | 7 views

Cross-Site Scripting (XSS)

mathlive is vulnerable to Cross-site scripting (XSS). The vulnerability is due to the lack of proper escaping of HTML content when using commands like \htmlData, which allows the injection and execution of malicious scripts...

AI score 7.2
Exploits: 0
Veracode
added 2025/01/27 3:0 a.m. | 10 views

Privilege Escalation

github.com/containers/buildah is vulnerable to Privilege Escalation. The vulnerability is due to improper use of the --mount flag in multi-stage builds, which exposes content from the build host to the command run in the RUN instruction. When the build process is performed with root privileges, i...

CVSS 8.6 | AI score 6.7 | EPSS 0.00358
Exploits: 0 | References: 41 | Affected Software: 3
Veracode
added 2025/01/27 2:57 a.m. | 7 views

Remote Code Execution (RCE)

system.linq.dynamic.core is vulnerable to Remote code execution (RCE). The vulnerability is due to insufficient input validation and improper access control when handling reflection types and static properties/fields in the System.Linq.Dynamic.Core library, which allows remote access without proper...

CVSS 6.4 | AI score 7.5 | EPSS 0.00317
Exploits: 0 | References: 6 | Affected Software: 1
Veracode
added 2025/01/24 12:26 p.m. | 6 views

Insecure TLS Configuration

aws-cdk-lib is vulnerable to Insecure TLS configuration. The vulnerability is due to the tls.connect method setting rejectUnauthorized: false by default, which allows connections to unauthorized OIDC providers without verification. This could potentially allow attackers to exploit insecure...

CVSS 8.1 | AI score 6.6 | EPSS 0.00312
Exploits: 0 | References: 8 | Affected Software: 1
Veracode
added 2025/01/24 4:34 a.m. | 6 views

Unbounded Disk Consumption

github.com/t2bot/matrix-media-repo is vulnerable to Unbounded Disk Consumption. The vulnerability is due to MMR's lack of proper rate limiting and controls on the amount of data that can be requested and cached, allowing unauthenticated users to request excessive amounts of remote media files...

CVSS 7.5 | AI score 6.8 | EPSS 0.00675
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/24 4:34 a.m. | 12 views

Stored Cross-site Scripting (XSS)

librenms/librenms is vulnerable to Stored Cross-site Scripting (XSS). The vulnerability is due to insufficient input sanitization of the descr parameter in /ajaxform.php, which allows malicious scripts to be injected and stored in the system...

CVSS 5.4 | AI score 5.9 | EPSS 0.01221
Exploits: 1 | References: 5 | Affected Software: 1
Veracode
added 2025/01/24 4:34 a.m. | 6 views

Access Control Bypass

zotregistry.dev/zot is vulnerable to Access Control Bypass. The vulnerability is due to group data being stored as an append-list in the boltdb database meta.db, where group memberships are appended instead of replaced. It allows unauthorized access to persist, enabling attackers to retain...

CVSS 7.3 | AI score 6.7 | EPSS 0.00394
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/24 4:33 a.m. | 13 views

Cross-Site Scripting (XSS)

KaTeX is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient sanitization of input. When users render untrusted mathematical expressions using renderToString, malicious input containing \htmlData can bypass validation, allowing for the execution of arbitrary JavaScrip...

CVSS 7.2 | AI score 6.4 | EPSS 0.00381
Exploits: 0 | References: 3 | Affected Software: 1
Veracode
added 2025/01/24 4:16 a.m. | 4 views

Reflected Cross-Site Scripting (XSS)

librenms/librenms is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of the community parameter on the /addhost page, allowing remote attackers to inject malicious scripts, which execute when the page is viewed or interacted with...

CVSS 6.1 | AI score 6.6 | EPSS 0.00398
Exploits: 1 | References: 3 | Affected Software: 1
Veracode
added 2025/01/24 4:14 a.m. | 11 views

Stored Cross-site Scripting (XSS)

librenms/librenms is vulnerable to stored cross-site scripting (XSS). The vulnerability is due to improper sanitization of the display parameter in the /device/$DEVICEID/edit endpoint, allowing remote attackers to inject malicious scripts...

CVSS 5.4 | AI score 6 | EPSS 0.00349
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/24 4:12 a.m. | 7 views

Stored Cross-site Scripting (XSS)

librenms/librenms is vulnerable to Stored cross-site scripting (XSS). The vulnerability is due to insufficient input sanitization of the display parameter in the /device/$DEVICEID/edit endpoint, allowing attackers to inject and store malicious scripts on the server...

CVSS 5.4 | AI score 5.9 | EPSS 0.00372
Exploits: 1 | References: 5 | Affected Software: 1
Veracode
added 2025/01/24 4:9 a.m. | 6 views

Stored Cross-site Scripting (XSS)

librenms/librenms is vulnerable to stored cross-site scripting (XSS). The vulnerability is due to improper input sanitization of the state parameter in ajaxform.php, which allows an attacker to inject malicious scripts that execute when a user views or interacts with the affected page...

CVSS 5.4 | AI score 5.9 | EPSS 0.30854
Exploits: 1 | References: 5 | Affected Software: 1
Veracode
added 2025/01/23 1:58 p.m. | 13 views

Broken Object Level Authorization

Indico is vulnerable to a Broken Object Level Authorization (BOLA) vulnerability. The vulnerability is due to insufficient access control in the /api/principals component, which allows attackers to retrieve information about other user accounts by sending crafted POST requests...

CVSS 7.5 | AI score 6.7 | EPSS 0.00603
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/23 1:37 p.m. | 12 views

Improper Input Validation

Mattermost is vulnerable to Improper Input Validation. The vulnerability is due to the failure to properly handle attachment fields that cannot be cast to a String, leading to a crash in the web application. Attackers can exploit this by creating and sending specially crafted posts with such...

CVSS 7.5 | AI score 6.6 | EPSS 0.00442
Exploits: 0 | References: 1 | Affected Software: 1
Veracode
added 2025/01/23 5:14 a.m. | 10 views

Arbitrary Code Execution

github.com/t2bot/matrix-media-repo is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to improper validation of file types during the thumbnail generation process, where MMR relies on user-supplied file type values to select decoders (e.g., ImageMagick or ffmpeg), which can...

CVSS 6.8 | AI score 7.4 | EPSS 0.00618
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/23 5:13 a.m. | 5 views

Server Side Request Forgery (SSRF)

github.com/t2bot/matrix-media-repo is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is due to MMR serving content from a private network it can access, under certain conditions, which allows attackers to potentially access internal resources that would otherwise be protected...

CVSS 5.3 | AI score 6.6 | EPSS 0.00552
Exploits: 0 | References: 7 | Affected Software: 1
Veracode
added 2025/01/23 5:13 a.m. | 6 views

Excessive Memory Consumption

github.com/t2bot/matrix-media-repo is vulnerable to Excessive Memory Consumption. The vulnerability is due to inadequate handling of large JSON responses, allowing an attacker to exhaust system memory and potentially crash the application...

CVSS 7.5 | AI score 6.6 | EPSS 0.00728
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/23 5:12 a.m. | 4 views

Improper Authentication

Matrix Media Repo (MMR) is vulnerable to Improper Authentication. The vulnerability is due to MMR's design, which allows unauthenticated remote participants to trigger the download and caching of remote media from a remote homeserver to the local repository, enabling adversaries to plant problemati...

CVSS 5.3 | AI score 6.7 | EPSS 0.00529
Exploits: 0 | References: 4 | Affected Software: 1
Veracode
added 2025/01/23 2:19 a.m. | 15 views

OS Command Injection

github.com/mayuresh82/gocast is vulnerable to OS Command Injection. The vulnerability is due to improper validation of user input in the name parameter, which allows specially crafted HTTP requests to inject and execute arbitrary OS commands...

CVSS 9.8 | AI score 7.6 | EPSS 0.06445
Exploits: 0 | References: 3 | Affected Software: 1
Veracode
added 2025/01/23 2:17 a.m. | 8 views

Path Traversal

Ray is vulnerable to Path Traversal. The vulnerability is due to improper validation or sanitization of user input in the log API endpoint, allowing attackers to specify arbitrary file paths and access unauthorized files on the server...

CVSS 9.8 | AI score 6.8 | EPSS 0.81512
Exploits: 22 | References: 5 | Affected Software: 1
Veracode
added 2025/01/23 2:14 a.m. | 10 views

Local File Inclusion (LFI)

Ray is vulnerable to Local File Inclusion (LFI). The vulnerability is due to improper validation and access control in Ray's /static/ directory, which allows attackers to specify and access arbitrary file paths without authentication...

CVSS 9.8 | AI score 6.8 | EPSS 0.81512
Exploits: 22 | References: 5 | Affected Software: 1
Veracode
added 2025/01/23 2:11 a.m. | 14 views

OS Command Injection

Ray is vulnerable to OS Command Injection. The vulnerability is due to improper input sanitization in the cpuprofile URL parameter, allowing attackers to execute OS commands remotely on the system running the Ray dashboard without authentication...

CVSS 9.8 | AI score 7.6 | EPSS 0.81512
Exploits: 22 | References: 5 | Affected Software: 1
Veracode
added 2025/01/22 7:6 p.m. | 7 views

Improper Input Validation

Mattermost is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of post properties, which allows a malicious authenticated user to craft and send a malicious post, potentially causing a crash...

CVSS 6.5 | AI score 6.5 | EPSS 0.0054
Exploits: 0 | References: 2 | Affected Software: 1
Veracode
added 2025/01/22 6:56 p.m. | 8 views

Improper Input Validation

Mattermost is vulnerable to Improper Input Validation. The vulnerability is due to improper validation of the style of proto supplied to an action's style in post.props.attachments, which allows attackers to crash the frontend by providing crafted malicious input...

CVSS 6.5 | AI score 6.6 | EPSS 0.0054
Exploits: 0 | References: 2 | Affected Software: 1
Veracode
added 2025/01/22 6:13 p.m. | 13 views

Improper Input Validation

Mattermost is vulnerable to Improper Input Validation. The vulnerability is due to a failure to properly validate post props, which can result in a crash when malicious posts are processed...

CVSS 6.5 | AI score 6.6 | EPSS 0.00413
Exploits: 0 | References: 2 | Affected Software: 1
Veracode
added 2025/01/22 9:53 a.m. | 3 views

Remote Code Execution (RCE)

umbraco.headless.client.net is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the use of an insecure Refit package, which allows an attacker to exploit the insecure Refit dependency...

AI score 7.7
Exploits: 0
Veracode
added 2025/01/22 7:35 a.m. | 6 views

Signature Bypass

github.com/dexidp/dex is vulnerable to Signature Bypass. The vulnerability is due to issues with XML encoding in the underlying Go library by using the xml-roundtrip-validator from Mattermost, which allows an attacker to bypass the signature verification process in SAML assertions...

CVSS 9.6 | AI score 7 | EPSS 0.00977
Exploits: 0 | References: 12 | Affected Software: 2
Veracode
added 2025/01/22 7:11 a.m. | 7 views

Regular Expression Denial Of Service (ReDoS)

Parse-uri is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient regular expression processing, which allows attackers to exploit crafted URLs and cause a denial of service...

CVSS 6.5 | AI score 6.7 | EPSS 0.00507
Exploits: 0 | References: 3 | Affected Software: 2
Veracode
added 2025/01/22 5:55 a.m. | 6 views

Remote Code Execution (RCE)

islandora/crayfish is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper configuration in certain web-accessible installations, which allows an attacker to execute arbitrary code remotely...

AI score 8.5
Exploits: 0
Veracode
added 2025/01/22 5:18 a.m. | 36 views

Account Takeover

Sentry is vulnerable to Account Takeover. The vulnerability is due to improper handling of SAML Identity Providers, which allows an attacker to craft a malicious SAML response and associate it with a different organization on the same Sentry instance...

CVSS 9.1 | AI score 6.6 | EPSS 0.00584
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/22 5:17 a.m. | 10 views

Search Injection

Mongoose is vulnerable to Search Injection. The vulnerability is due to improper handling of a nested $where filter with a populate match, which can be exploited for search injection attacks...

CVSS 9.8 | AI score 6.9 | EPSS 0.07025
Exploits: 1 | References: 10 | Affected Software: 1
Veracode
added 2025/01/22 5:15 a.m. | 10 views

Authentication Bypass

github.com/tyktechnologies/tyk-identity-broker is vulnerable to Authentication Bypass. The vulnerability is due to the Go XML parser not guaranteeing integrity during round-trip encoding/decoding of XML data, which allows for the bypassing of SAML authentication...

CVSS 9.1 | AI score 6.7 | EPSS 0.01011
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/22 5:12 a.m. | 9 views

Cross-Site Request Forgery (CSRF)

typo3/cms-lowlevel is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to improper handling of deep links in the backend user interface, caused by insufficient enforcement of HTTP methods and reliance on misconfigured security settings and allows an attacker to manipulate...

CVSS 6.5 | AI score 6.8 | EPSS 0.00218
Exploits: 0 | References: 4 | Affected Software: 1
Veracode
added 2025/01/21 8:53 a.m. | 4 views

Denial Of Service (DoS)

io.netty, netty-common is vulnerable to Denial Of Service (DoS). The vulnerability is due to unsafe reading of environment files, where Netty attempts to load a non-existent file. An attacker can exploit this by creating a large file, causing the application to crash and resulting in a denia...

CVSS 5.5 | AI score 5.3 | EPSS 0.00408
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2025/01/21 4:55 a.m. | 9 views

Cross-Site Request Forgery (CSRF)

typo3/cms-dashboard is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to improper validation of HTTP methods in state-changing actions and misconfigurations in the backend settings, such as disabled security.backend.enforceReferrer or lax/none BE/cookieSameSite settings,...

CVSS 4.3 | AI score 6.7 | EPSS 0.00188
Exploits: 0 | References: 5 | Affected Software: 1
Veracode
added 2025/01/21 4:55 a.m. | 11 views

Cross-Site Request Forgery (CSRF)

typo3/cms-belog is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the backend user interface functionality involving deep links, which allows state-changing actions via HTTP GET without enforcing the appropriate HTTP method and allows an attacker to exploit the “Log...

CVSS 4.3 | AI score 6.8 | EPSS 0.00235
Exploits: 0 | References: 7 | Affected Software: 1
Veracode
added 2025/01/21 4:34 a.m. | 9 views

Information Disclosure

typo3/cms-install is vulnerable to Information Disclosure. The vulnerability is due to an incorrect password hashing mechanism, which causes the install tool password to be logged in plaintext, allowing an attacker to potentially gain access to the password if they can access the logs or system...

CVSS 5.3 | AI score 6.9 | EPSS 0.00308
Exploits: 0 | References: 5 | Affected Software: 1
Total number of security vulnerabilities: 38326