Lucene search
K
VeracodeRecent

38326 matches found

Veracode
Veracode
added 2025/01/13 1:49 a.m.9 views

Arbitrary File Deletion

github.com/siyuan-note/siyuan is vulnerable to Arbitrary file deletion. The vulnerability is due to a lack of proper safeguards in the POST /api/history/getDocHistoryContent endpoint, which allows maliciously crafted payloads to trigger the deletion of arbitrary files on the server...

9.1CVSS6.7AI score0.00579EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2025/01/13 1:48 a.m.7 views

Path Traversal

github.com/karmada-io/karmada is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths within custom resource definition CRD archives, allowing attackers to exploit a TarSlip vulnerability and write arbitrary files to arbitrary locations in the filesystem...

5.3CVSS6.7AI score0.00696EPSS
Exploits0References6Affected Software1
Veracode
Veracode
added 2025/01/13 1:47 a.m.7 views

Cross-Site Scripting (XSS)

Trix is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of the link field, allowing attackers to trick users into pasting a malicious javascript: URL, which could execute arbitrary JavaScript code within the user's session...

5.3CVSS6.5AI score0.004EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/13 1:46 a.m.7 views

Privilege Escalation

github.com/karmada-io/karmada is vulnerable to Privilege Escalation. The vulnerability is due to pull mode clusters being registered with excessive access to control plane resources via the karmadactl register command, allowing them excessive privileges to control plane resources...

8.7CVSS6.7AI score0.00476EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2025/01/10 9:1 a.m.16 views

Directory Traversal

path-sanitizer is vulnerable to Path Traversal. The vulnerability is due to insufficient sanitization of input paths, allowing attackers to bypass filters using .= %5c, potentially enabling directory traversal attacks...

9.3CVSS6.8AI score0.00721EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/10 7:24 a.m.9 views

Privilege Escalation

github.com/openshift/hive is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in the Hive ClusterDeployments resource, which, under certain conditions, allows a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing...

8.8CVSS7AI score0.00474EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/10 7:13 a.m.7 views

Incorrect Access Control

letta is vulnerable to Incorrect Access Control. The vulnerability is due to improper enforcement of access controls in the /users endpoint, allowing attackers to access sensitive data...

7.5CVSS6.6AI score0.00392EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/10 7:2 a.m.10 views

Denial Of Service (DoS)

org.jboss.narayana.rts:lra-coordinator-jar is vulnerable to a denial of service DoS. The vulnerability is due to a race condition in the LRA Coordinator component. If Cancel is called on an LRA and Join is called with the same LRA ID within approximately 2 seconds, the application may crash or ha...

5.9CVSS6.6AI score0.00606EPSS
Exploits0References9Affected Software1
Veracode
Veracode
added 2025/01/10 6:47 a.m.5 views

Cross-Site Scripting (XSS)

phpoffice/phpspreadsheet is vulnerable to cross-site scripting XSS. The vulnerability is due to improper handling of custom properties, as the library generates HTML pages without clearing them, allowing an attacker to inject and execute malicious scripts in another user's browser, potentially...

5.4CVSS6AI score0.00316EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2025/01/10 6:46 a.m.9 views

Cross-Site Scripting (XSS)

phpoffice/phpspreadsheet is vulnerable to cross-site scripting XSS. The vulnerability is due to improper handling of the javascript protocol and special characters, allowing an attacker to craft malicious links that bypass the sanitizer...

5.4CVSS6.1AI score0.00366EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2025/01/10 6:46 a.m.9 views

Reflected Cross-Site Scripting (Reflected XSS)

phpoffice/phpspreadsheet is vulnerable to Reflected Cross-Site Scripting Reflected XSS. The vulnerability is due to insufficient sanitization in the constructor of the Downloader class, allowing an attacker to perform a cross-site scripting attack using the...

8.3CVSS5.8AI score0.00312EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2025/01/10 5:30 a.m.10 views

Denial Of Service (DoS)

Next.js is vulnerable to a Denial of Service DoS. The vulnerability is due to requests to Server Actions hanging indefinitely, causing the server to remain idle with the connection open, allows an attacker to keep the connection open until the hosting provider cancels the function, leading to...

5.3CVSS5.1AI score0.00794EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/10 2:55 a.m.7 views

Cross-Site Scripting (XSS)

phpoffice/phpspreadsheet is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to a lack of sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, allowing an attacker to inject malicious scripts into web pages viewed by other...

8.3CVSS6.1AI score0.00388EPSS
Exploits1References7Affected Software2
Veracode
Veracode
added 2025/01/10 2:54 a.m.10 views

Reflected Cross-Site Scripting (Reflected XSS)

phpoffice/phpspreadsheet is vulnerable to Reflected Cross-Site Scripting Reflected XSS. The vulnerability is due to insufficient input sanitization in the Accounting.php file, which allows an attacker to inject malicious scripts...

8.3CVSS6.2AI score0.00319EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2025/01/10 2:53 a.m.9 views

Cross-Site Scripting (XSS)

phpoffice/phpspreadsheet is vulnerable to cross-site scripting XSS. The vulnerability is due to the lack of sanitization of the hyperlink base in the HTML page header within the file Html.php, allows an attacker to inject malicious scripts into the generated HTML pages...

5.4CVSS5.8AI score0.00346EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2025/01/10 2:52 a.m.11 views

Reflected Cross-Site Scripting

phpoffice/phpspreadsheet is vulnerable to Unauthorized Reflected Cross-Site Scripting Reflected XSS. The vulnerability is due to improper input handling in the Currency.php file, allows an attacker to inject and execute malicious scripts...

8.3CVSS6.3AI score0.00319EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2025/01/09 5:49 a.m.7 views

Cross-site Scripting (XSS)

phpMyFAQ is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of HTML content in the FAQ editor at http://localhost/admin/index.php?action=editentry . Attackers can inject malformed HTML elements styled to cover the entire screen, disrupting the user...

7.6CVSS6.2AI score0.00396EPSS
Exploits1References3Affected Software2
Veracode
Veracode
added 2025/01/09 5:19 a.m.8 views

Cross-site Scripting (XSS)

dcat/laravel-admin is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper input sanitization in the /admin/auth/menu and /admin/auth/extensions endpoints, allowing attackers to inject malicious scripts...

4.8CVSS6.3AI score0.00264EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2025/01/09 5:10 a.m.16 views

Open Redirection

better-auth is vulnerable to an Open Redirect. The vulnerability is due to insufficient validation of the callbackURL parameter in the verify email endpoint. Attackers can manipulate this parameter to redirect users to malicious websites because the origin checker only validates POST requests, an...

7.9CVSS6.7AI score0.00381EPSS
Exploits1References2Affected Software1
Veracode
Veracode
added 2025/01/09 4:52 a.m.8 views

Cross-site Scripting (XSS)

dcat/laravel-admin is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper input sanitization in the /admin/articles/create endpoint in version 2.2.0-beta, which allows attackers to inject malicious scripts...

4.8CVSS6.3AI score0.00315EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2025/01/09 4:33 a.m.7 views

Insecure Direct Object Reference (IDOR)

Khoj is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to the improper implementation of access controls in the updatesubscription endpoint, where the system fails to enforce authorization checks to ensure that only the owner of a subscription can modify it, allowin...

4.3CVSS6.4AI score0.00367EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2025/01/09 4:32 a.m.8 views

Unauthorized Access

Apache NiFi is vulnerable to Unauthorized Access. The vulnerability is due to missing fine-grained authorization checks during Process Group creation, allowing attackers to access Parameter Contexts, Controller Services, and Parameter Providers without proper permissions...

5.4CVSS6.7AI score0.03095EPSS
Exploits0References5Affected Software7
Veracode
Veracode
added 2025/01/09 4:32 a.m.8 views

Improper Access Control

nilsteampassnet/teampass is vulnerable to Improper access control. The vulnerability is due to the application failing to properly validate whether a folder belongs to the user's allowed folders list defined by an admin, allowing an attacker to bypass access restrictions and access unauthorized...

4.3CVSS6.6AI score0.00322EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/09 4:31 a.m.8 views

Reflected Cross-Site Scripting (Reflected XSS)

tltneon/lgsl is vulnerable to Reflected Cross-Site Scripting Reflected XSS. The vulnerability is due to improper sanitization of the Referer HTTP header, allowing an attacker to inject arbitrary JavaScript code into the application's HTML response...

5.3CVSS6.2AI score0.00599EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/09 2:34 a.m.11 views

Improper Access Control

TeamPass is vulnerable to improper access control. The vulnerability is due to improper access control, as the application fails to verify whether a "mailmeaka actionmail" operation is performed by an administrator or manager, allowing an attacker to perform unauthorized operations...

5.4CVSS6.6AI score0.0029EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/09 2:32 a.m.7 views

Privilege Escalation

nilsteampassnet/teampass is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in TeamPass, which fails to properly validate and restrict a user's actions based on their own privileges, allowing them to act with the privileges of a different userid...

8.1CVSS6.7AI score0.00444EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/09 2:30 a.m.6 views

Local File Read (LFR)

changedetectionio is vulnerable to Local file read LFR. The vulnerability is due to improper input validation, which allows attackers to exploit user input to construct file paths without adequate sanitization...

8.6CVSS6.6AI score0.00691EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/09 2:24 a.m.5 views

SQL Injection

python-sql is vulnerable to SQL Injection. The vulnerability is due to insufficient input sanitization and improper handling of unary operators in the python-sql library. Specifically, non-Expression values are not properly escaped, allowing them to be inserted into SQL queries without proper...

6.5CVSS7.2AI score0.00677EPSS
Exploits0References9Affected Software1
Veracode
Veracode
added 2025/01/08 12:28 p.m.17 views

SQL Injection

redshiftconnector is vulnerable to SQL injection. The vulnerability is due to SQL injection in the getschemas, gettables, or getcolumns Metadata APIs in version 2.1.4, which could allow an attacker to gain escalated privileges...

8.6CVSS8.1AI score0.0052EPSS
Exploits0References6Affected Software1
Veracode
Veracode
added 2025/01/08 8:36 a.m.11 views

Cross-Site Scripting (XSS)

tecnickcom/tcpdf is vulnerable to Cross-site Scripting XSS. The vulnerability is due to the Error function lacking an htmlspecialchars call for the error message, which allows an attacker to inject malicious scripts into the error message...

7.5CVSS6.6AI score0.00717EPSS
Exploits1References7Affected Software1
Veracode
Veracode
added 2025/01/08 7:38 a.m.14 views

Timing Attack

tecnickcom/tcpdf is vulnerable to a Timing Attack. The vulnerability is due to the use of loose comparison != in the unserializeTCPDFtag function, which lacks a constant-time comparison, allowing an attacker to infer hash values through timing discrepancies...

7.5CVSS6.9AI score0.00593EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2025/01/08 5:50 a.m.18 views

Remote Code Execution (RCE)

Apache MINA is vulnerable to Remote code execution RCE. The vulnerability is due to lack of necessary security checks and defenses in the ObjectSerializationDecoder, which uses Java’s native deserialization protocol. It allows attackers to exploit the deserialization process by sending malicious...

10CVSS7.8AI score0.23932EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/08 5:9 a.m.7 views

Cross-site Scripting (XSS)

Koji is vulnerable to cross-site scripting XSS. The vulnerability is due to unsanitized input due to malicious JavaScript code from a crafted link being reflected in the resulting web page, although XSS protections prevent actions or changes in Koji...

5.4CVSS5.3AI score0.0029EPSS
Exploits0References6Affected Software1
Veracode
Veracode
added 2025/01/08 5:9 a.m.4 views

Cross-Site Scripting (XSS)

@marp-team/marp-core is vulnerable to Cross-site scripting XSS. The vulnerability is due to improper neutralization of HTML during sanitization, allowing malicious scripts to bypass defenses and execute...

5.3CVSS6.3AI score0.00307EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2025/01/08 4:39 a.m.11 views

Sensitive Information Exposure

Apache Hive is vulnerable to Sensitive Information Exposure. The vulnerability is due to inadequate handling of signature mismatches due to exposing the correct cookie signature to end users when there is a mismatch between the current and expected signature, potentially enabling further...

5.9CVSS6.6AI score0.01468EPSS
Exploits1References10Affected Software3
Veracode
Veracode
added 2025/01/08 1:50 a.m.14 views

Unsafe SSL Verification

tecnickcom/tcpdf is vulnerable to Unsafe SSL verification. The vulnerability is due to improper handling of SSL verification settings in TCPDF when using libcurl, where CURLOPTSSLVERIFYHOST and CURLOPTSSLVERIFYPEER are set unsafely. It allows an attacker to perform a Man-in-the-Middle MitM attack...

9.8CVSS7AI score0.00748EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/08 1:49 a.m.9 views

Denial Of Service (DoS)

tc-lib-pdf-font is vulnerable to Denial Of Service DoS. The vulnerability is due to inadequate validation and handling of font metadata, specifically the FontBBox for Type 1 and TrueType fonts, in tc-lib-pdf-font, allows the font data to be misparsed, leading to potential security issues...

7.3CVSS6.7AI score0.00528EPSS
Exploits0References8Affected Software2
Veracode
Veracode
added 2025/01/08 1:43 a.m.17 views

Server-side Template Injection (SSTI)

opencart/opencart is vulnerable to Server-Side Template Injection SSTI. The vulnerability is due to improper validation and sanitization of user inputs within the Theme Editor Function, allows attackers to inject malicious template code that can be executed on the server...

7.2CVSS7.1AI score0.00887EPSS
Exploits1References6Affected Software1
Veracode
Veracode
added 2025/01/07 7:40 a.m.7 views

Denial Of Service (DoS)

golang.org/x/net is vulnerable to Denial Of Service DoS. The vulnerability is due to non-linear processing of input length, which causes excessive parsing delays and allows an attacker to craft input that results in a denial of service...

5.3CVSS5.7AI score0.00856EPSS
Exploits0References9Affected Software3
Veracode
Veracode
added 2025/01/07 7:14 a.m.10 views

Denial Of Service (DoS)

github.com/clidey/whodb is vulnerable to Denial of Service DoS. The vulnerability is due to the server reading the entire request body into memory without size limits, which allows an attacker to send large request bodies to the server, leading to memory exhaustion and potentially resulting in a...

7AI score
Exploits0
Veracode
Veracode
added 2025/01/07 6:52 a.m.12 views

Server-Side Request Forgery (SSRF)

ch.qos.logback, logback-core is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of the DOCTYPE declaration in XML configuration files, allowing an attacker to forge requests...

2.4CVSS6.6AI score0.00221EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/07 6:18 a.m.7 views

Privilege Escalation

github.com/openshift/must-gather is vulnerable to Privilege Escalation. The vulnerability is due to improper access controls and lack of validation in the MustGather.managed.openshift.io Custom Defined Resource CRD, which allows a non-privileged user to craft objects that misuse the most privileg...

8.8CVSS6.6AI score0.00754EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2025/01/07 6:17 a.m.10 views

Insufficiently Protected Credentials

GoPhish is vulnerable to Insufficiently Protected Credentials. The vulnerability is due to improper handling of mail server credentials due to storing cleartext passwords for the configured IMAP and SMTP servers, exposing sensitive information to attackers...

7.5CVSS6.4AI score0.00358EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2025/01/07 5:53 a.m.5 views

Out-of-bounds Read

libpoppler.so is vulnerable to Out-of-bounds Read. The vulnerability is due to improper handling of bitmap combinations within the JBIG2Bitmap::combine function in JBIG2Stream.cc, leading to potential memory access errors...

4.3CVSS6.5AI score0.0062EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2025/01/07 5:42 a.m.7 views

Privilege Escalation

github.com/hashicorp/nomad is vulnerable to Privilege Escalation. The vulnerability is due to unredacted workload identity tokens that allow unauthorized privilege escalation within a namespace...

6.5CVSS6.9AI score0.0053EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/07 4:27 a.m.11 views

Directory Traversal

Uptime Kuma is vulnerable to Directory Traversal. The vulnerability is due to inadequate validation of user-supplied URLs that allows attackers to exploit the file:/// protocol, enabling access to sensitive local files via the "real-browser" request type...

6.8CVSS6.4AI score0.01793EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/07 3:3 a.m.12 views

Account Takeover

Socialstream is vulnerable to Account Takeover. The vulnerability is due to the lack of a confirmation step when linking social accounts and the potential use of -stateless in the Socialite configuration, which allows an attacker to link a social account to an authenticated user’s account without...

8.9CVSS6.4AI score0.00543EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2025/01/07 3:0 a.m.7 views

Remote Code Execution (RCE)

com.databricks, databricks-jdbc is vulnerable to Remote code execution RCE. The vulnerability is due to insufficient validation or sanitization of the krbJAASFile parameter in the Databricks JDBC Driver, allows the attacker to manipulate the JDBC URL, enabling a JNDI injection that can lead to...

7.3CVSS7.9AI score0.00711EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/07 2:56 a.m.21 views

Remote Code Execution (RCE)

craftcms/cms is vulnerable to Remote Code Execution RCE. The vulnerability is due to the registerargcargv directive being enabled in the php.ini configuration, which allows an attacker to execute arbitrary code on the affected system remotely...

9.8CVSS8.1AI score0.97446EPSS
Exploits9References6Affected Software1
Veracode
Veracode
added 2025/01/07 2:53 a.m.10 views

Incorrect Implementation Of The Authentication Algorithm

org.apache.kafka, kafka-clients is vulnerable to an incorrect implementation of the authentication algorithm. The vulnerability is due to the lack of nonce verification in Apache Kafka's SCRAM implementation, where the server does not verify that the nonce sent by the client in the second message...

5.3CVSS6.8AI score0.0078EPSS
Exploits0References8Affected Software2
Total number of security vulnerabilities38326