Lucene search
K
VeracodeRecent

38326 matches found

Veracode
Veracode
added 2025/01/06 12:5 p.m.9 views

Authorization Bypass

golang.org/x/crypto is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of public key authentication callbacks where the order or reuse of keys in the callback can lead to incorrect authorization decisions, allowing attackers to exploit misused APIs or assumptions...

9.1CVSS7.1AI score0.03092EPSS
Exploits2References8Affected Software2
Veracode
Veracode
added 2025/01/06 11:43 a.m.4 views

Denial Of Service (DoS)

github.com/CosmWasm/wasmd is vulnerable to Denial Of Service DoS. The vulnerability is due to an uncaught exception caused by simulation of Wasmd message...

7AI score
Exploits0
Veracode
Veracode
added 2025/01/06 10:38 a.m.13 views

Insufficient Verification Of Data Authenticity

org.wildfly:wildfly-elytron-oidc-client-subsystem is vulnerable to authorization code injection. The vulnerability is due to improper session handling that allows an attacker to inject a stolen authorization code into their own session with a victim's identity, typically through a Man-in-the-Midd...

4.2CVSS7.1AI score0.00243EPSS
Exploits0References10Affected Software3
Veracode
Veracode
added 2025/01/06 9:1 a.m.13 views

XML External Entity (XXE) Injection

simplesamlphp is vulnerable to XML External Entity XXE injection. The vulnerability is due to improper handling of untrusted XML input, which allows attackers to exploit maliciously crafted XML documents, such as SAMLResponse, to access sensitive information or perform other malicious activities...

8.3CVSS7.1AI score0.00414EPSS
Exploits0References4Affected Software5
Veracode
Veracode
added 2025/01/06 7:15 a.m.7 views

Directory Traversal

Spatie/browsershot is vulnerable to Directory Traversal. The vulnerability is due to URI normalization in the browser, where the check for file:// can be bypassed using file:\ instead, allows the attacker to manipulate the path and access files outside the intended directory...

8.7CVSS7AI score0.00905EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/06 6:46 a.m.11 views

Cross-Site Scripting (XSS)

Liferay Portal is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validation of user input in the Service Class text field, allowing remote attackers to inject arbitrary web scripts or HTML...

4.8CVSS6.3AI score0.00265EPSS
Exploits0References3Affected Software2
Veracode
Veracode
added 2025/01/06 6:16 a.m.8 views

Privilege Escalation

open-cluster-management.io/ocm is vulnerable to Privilege Escalation. The vulnerability is due to improper service account management, where the cluster-manager service account is bound to a ClusterRole with broad permissions, including the ability to create Pod resources. It allows attackers on...

7.5CVSS6.7AI score0.00439EPSS
Exploits0References6Affected Software1
Veracode
Veracode
added 2025/01/06 6:4 a.m.24 views

Remote Code Execution (RCE)

Unisharp/laravel-filemanager is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper validation of file extensions and mimetypes, which allows an attacker to bypass security mechanisms by inserting the . character after the php file extension...

9.8CVSS7.9AI score0.0128EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2025/01/06 2:50 a.m.5 views

Cleartext Transmission Of Sensitive Information

Keycloak is vulnerable to plain text replication. The vulnerability is due to the environment option KCCACHEEMBEDDEDMTLSENABLED not functioning as intended, resulting in JGroups replication configuration always using plain text, which allows attackers on adjacent networks to intercept and read...

5.7CVSS6.4AI score0.00267EPSS
Exploits0References11Affected Software1
Veracode
Veracode
added 2025/01/06 2:49 a.m.13 views

Authentication Bypass

Elasticsearch is vulnerable to Authentication Bypass. The vulnerability is due to improper implementation of authorization controls, allowing a malicious actor to circumvent Document Level Security and access restricted documents...

6.5CVSS6.6AI score0.00393EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/06 2:48 a.m.7 views

Privilege Escalation

github.com/minio/minio is vulnerable to Privilege Escalation. The vulnerability is due to improper validation and handling of imported IAM policies in the IAM import API, allows an attacker to escalate their privileges and potentially gain unauthorized access to resources or perform actions beyon...

7.5AI score
Exploits0
Veracode
Veracode
added 2025/01/06 2:47 a.m.5 views

Stack Overflow

github.com/cosmos/cosmos-sdk, cosmossdk.io/x/tx is vulnerable to Stack overflow. The vulnerability is due to improper handling of transaction decoding in Cosmos SDK, allows for excessive resource consumption or stack overflow when processing transactions, potentially leading to system instability...

7.5AI score
Exploits0
Veracode
Veracode
added 2025/01/03 7:25 p.m.8 views

Time-of-Check Time-of-Use (TOCTOU)

Apache Tomcat is vulnerable to a Time-of-Check Time-of-Use TOCTOU. The vulnerability is due to incomplete mitigation and improper handling of file path canonicalization on case-insensitive file systems when the default servlet write is enabled, which allows an attacker to exploit race conditions ...

9.8CVSS6.9AI score0.43663EPSS
Exploits13References9Affected Software3
Veracode
Veracode
added 2025/01/03 10:17 a.m.8 views

BREACH Attack

Varnish VCL templates are vulnerable to the BREACH vulnerability. The vulnerability is due to improper handling of HTTP compression, allowing secrets to be extracted through carefully crafted requests...

7AI score
Exploits0
Veracode
Veracode
added 2025/01/03 9:24 a.m.6 views

Denial Of Service (DoS)

league/commonmark is vulnerable to Denial of service DoS. The vulnerability is due to unbounded resource exhaustion caused by inefficient code handling specially crafted Markdown inputs, which allows an attacker to tie up CPU resources or PHP-FPM processes and deny service to legitimate users...

7.2AI score
Exploits0
Veracode
Veracode
added 2025/01/03 6:57 a.m.6 views

Unrestricted Certificate Access

github.com/canonical/lxd is vulnerable to Unrestricted Certificate Access. The vulnerability is due to LXD not honoring the restrictions of certificates added to the trust store in PKI mode, allows clients to gain unrestricted access, even if the certificate was intended to have limitations...

3.8CVSS6.8AI score0.00156EPSS
Exploits1References6Affected Software1
Veracode
Veracode
added 2025/01/03 6:11 a.m.5 views

BREACH Attack

ibexa/post-install is vulnerable to the BREACH attack. The vulnerability is due to improper handling of HTTP compression, allowing secrets to be extracted through carefully crafted requests...

7AI score
Exploits0
Veracode
Veracode
added 2025/01/03 5:22 a.m.7 views

BREACH Attack

ibexa/http-cache is vulnerable to the BREACH Attack. The vulnerability is due to improper handling of HTTP compression, allowing secrets to be extracted through carefully crafted requests...

7AI score
Exploits0
Veracode
Veracode
added 2025/01/03 5:6 a.m.12 views

Mishandling Non-integer Values

nanoid is vulnerable to Mishandling non-integer values. The vulnerability is due to insufficient input validation and inadequate type checking in earlier versions of Nano ID, which fails to properly handle non-integer values. It allows attackers to exploit the mishandling of input, leading to...

4.3CVSS4.8AI score0.00666EPSS
Exploits0References7Affected Software2
Veracode
Veracode
added 2025/01/03 4:39 a.m.6 views

TLS Authentication Bypass

github.com/canonical/lxd is vulnerable to TLS Authentication Bypass. The vulnerability is due to improper certificate validation. LXD accepts non-CA signed certificates if they are present in the trust store, allowing unauthenticated clients to bypass the expected security checks...

3.8CVSS6.9AI score0.00158EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2025/01/03 3:25 a.m.10 views

SQL Injection

Django is vulnerable to SQL injection. The vulnerability exists due to the improper handling of untrusted data in the django.db.models.fields.json.HasKey lookup when used with an Oracle database, allowing attackers to execute arbitrary SQL commands...

9.8CVSS7.8AI score0.01396EPSS
Exploits0References7Affected Software2
Veracode
Veracode
added 2025/01/03 3:24 a.m.6 views

Denial Of Service (DoS)

Django is vulnerable to a denial-of-service DoS attack. The vulnerability is due to the striptags method and striptags template filter failing to handle inputs with large sequences of nested incomplete HTML entities, allowing an attacker to perform a DoS attack with specially crafted inputs...

7.5CVSS6.4AI score0.0137EPSS
Exploits0References8Affected Software2
Veracode
Veracode
added 2025/01/03 3:20 a.m.9 views

Session Fixation

github.com/drakkan/sftpgo is vulnerable to a session Cookie Prediction vulnerability. The vulnerability is due to the predictable generation of session cookies using the xid library, which results in cookies that are unique but not cryptographically secure, allows an attacker to brute force sessi...

5.3CVSS6.7AI score0.00389EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2025/01/03 3:16 a.m.7 views

Race Condition Vulnerability

github.com/moby/moby is vulnerable to a Race Condition. The vulnerability is due to the lack of synchronization mechanisms to manage concurrent write operations in the streamformatter package, allowing multiple operations to occur simultaneously and potentially result in data corruption or...

8.1CVSS6.8AI score0.00641EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/03 3:4 a.m.7 views

Race Condition Vulnerability

github.com/moby/moby is vulnerable to a Race Condition. The vulnerability is due to improper synchronization in builder/builder-next/adapters/snapshot/layer.go within the EnsureLayer function, allowing concurrent builds to access shared resources without adequate safeguards, leading to resource...

6.5CVSS6.5AI score0.00625EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2025/01/02 12:3 p.m.11 views

Header Injection

Traefik is vulnerable to Header Injection. The vulnerability is due to improper validation of the X-Forwarded-Prefix header, allowing it to be provided from an untrusted source...

6.3CVSS7AI score0.00389EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/02 9:49 a.m.12 views

Remote Code Execution (RCE)

systeminformation is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper sanitization of SSIDs before they are passed to cmd.exe in the getWindowsIEEE8021x function, allows potentially malicious SSID content to be executed as OS commands, leading to remote code execution...

7.8CVSS8.6AI score0.00698EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2025/01/02 9:6 a.m.6 views

Incorrect Access Control

oqtane.framework is vulnerable to Incorrect Access Control. The vulnerability is due to relying on client-side information for authentication and the absence of server-side validation, which allows attackers to manipulate parameters like entityid and bypass security controls...

7.5CVSS7.3AI score0.00447EPSS
Exploits0References4Affected Software2
Veracode
Veracode
added 2025/01/02 8:26 a.m.6 views

Insecure Direct Object Reference (IDOR)

Oqtane Framework is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient access control. Specifically, the application does not properly validate or restrict a user's access to resources based on their identity, allowing them to manipulate parameters like...

4.3CVSS6.6AI score0.00274EPSS
Exploits0References4Affected Software4
Veracode
Veracode
added 2025/01/02 8:3 a.m.7 views

Prototype Pollution

jsii is vulnerable to prototype pollution. The vulnerability is due to insufficient validation of user input. When untrusted input is allowed to modify the prototype of objects, an attacker can inject malicious properties into the object's prototype, potentially altering the behavior of the entir...

6.9AI score
Exploits0
Veracode
Veracode
added 2025/01/02 7:58 a.m.9 views

Cross-Site Request Forgery (CSRF)

Astro is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to improper validation of the Content-Type header in Astro's CSRF-protection middleware, which allows semicolon-delimited parameters to bypass CSRF checks...

6.5CVSS6.8AI score0.00213EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/02 7:54 a.m.7 views

Prototype Pollution

Bun is vulnerable to Prototype Pollution. The vulnerability is due to improper input sanitization, which allows attackers to manipulate an object's prototype through Bun's APIs that accept objects...

7.7CVSS7AI score0.00634EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/02 7:51 a.m.4 views

Arbitrary Code Execution (ACE)

filippo.io/age is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to improper validation or sanitization of plugin names, identities, or recipients, allows malicious input to be introduced and will execute arbitrary code or binaries...

8.2AI score
Exploits0
Veracode
Veracode
added 2025/01/02 7:48 a.m.21 views

Authorization Bypass

Next is vulnerable to Authorization Bypass. The vulnerability is due to improper authorization in middleware based on pathname, allowing it to be bypassed for pages directly under the root directory of a Next.js application...

7.5CVSS7AI score0.03884EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2025/01/02 7:46 a.m.12 views

Authentication Bypass

org.apache.hugegraph:hugegraph-server is vulnerable to Authentication Bypass. The vulnerability is due to assumed-immutable data being improperly handled, allowing attackers to bypass authentication mechanisms...

9.8CVSS7.4AI score0.69651EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/02 7:14 a.m.16 views

SQL Injection

com.amazon.redshift:redshift-jdbc42 is vulnerable to SQL Injection. The vulnerability is due to insufficient input validation in the getSchemas, getTables, or getColumns Metadata APIs, allowing an attacker to gain escalated privileges...

8.6CVSS7.8AI score0.00579EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2025/01/02 6:51 a.m.13 views

Remote Command Execution

Gogs is vulnerable to Remote Command Execution. The vulnerability is due to improper validation of symlink files, allowing a malicious user to commit and edit crafted symlink files in a repository to gain SSH access to the server...

9.8CVSS7.1AI score0.00837EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2025/01/02 6:24 a.m.10 views

Insecure Direct Object Reference (IDOR)

oqtane.framework is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient authorization checks in the Oqtane.Controllers.UserController, allows attackers to manipulate the id parameter to access sensitive information belonging to other users...

6.5CVSS6.3AI score0.0034EPSS
Exploits0References4Affected Software2
Veracode
Veracode
added 2025/01/02 6:19 a.m.11 views

Directory Traversal

Gogs is vulnerable to Directory Traversal. The vulnerability is due to improper input handling that allows a malicious user to write a file to an arbitrary path on the server, potentially gaining SSH access...

8.8CVSS7.1AI score0.75197EPSS
Exploits3References6Affected Software1
Veracode
Veracode
added 2025/01/02 5:51 a.m.9 views

Account Hijacking

joelbutcher/socialstream is vulnerable to insufficient confirmation during account linking. The vulnerability is due to the lack of a confirmation step during account linking and the use of -stateless in the Socialite configuration, which bypasses state verification, allowing an attacker to link...

8.9CVSS6.5AI score0.00543EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2024/12/31 6:15 p.m.2 views

Cross-Site Scripting (XSS)

NagVis is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient sanitization of input fields before rendering, and attackers can exploit this to inject and execute arbitrary JavaScript code in the context of the victim’s browser...

8.8CVSS5.6AI score0.00515EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2024/12/31 12:30 a.m.4 views

Buffer Overflow

Radare2 is vulnerable to Buffer Overflow. The vulnerability is due to improper input validation due to the lack of bounds checking in the name, type, or group fields, allowing an attacker to execute arbitrary code...

9.8CVSS7.3AI score0.00891EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2024/12/30 11:27 a.m.15 views

Authorization Bypass

org.springframework.security is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of locale-dependent exceptions in String.toLowerCase and String.toUpperCase, which could lead to authorization rules not functioning as intended...

4.8CVSS4.9AI score0.00385EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2024/12/30 10:18 a.m.12 views

Improper Authentication

AsyncHttpClient AHC is vulnerable to Improper Authentication. The vulnerability is due to improper management of the CookieStore, which silently replaces explicitly defined cookies with those from the cookie jar if they share the same name, potentially leading to user session confusion in...

9.2CVSS6.6AI score0.00587EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2024/12/30 8:50 a.m.10 views

Arbitrary Code Execution

Jinja2 is vulnerable to Arbitrary Code Execution. The vulnerability is due to improper detection in the sandboxed environment caused by an oversight in how calls to str.format are handled, allowing attackers to execute arbitrary Python code if they control the content of a template and exploit...

7.8CVSS7.5AI score0.005EPSS
Exploits0References6Affected Software2
Veracode
Veracode
added 2024/12/30 8:22 a.m.14 views

Arbitrary Code Execution

Jinja is vulnerable to Arbitrary Code Execution. The vulnerability is due to improper handling in the compiler caused by a bug that allows an attacker controlling both the content and filename of a template to execute arbitrary Python code, regardless of whether Jinja's sandbox is used...

8.8CVSS7.3AI score0.00301EPSS
Exploits0References6Affected Software2
Veracode
Veracode
added 2024/12/30 8:4 a.m.9 views

Cross-site Scripting (XSS)

shuchkin/simplexlsx is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input handling because the toHTMLEx method allows the execution of arbitrary JavaScript code...

5.4CVSS6.3AI score0.00241EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2024/12/30 7:41 a.m.10 views

NULL Pointer Dereference

PrestaShop is vulnerable to a NULL pointer dereference. The vulnerability is due to improper handling of NULL values in the mathround function within Tools.php, leading to a NULL pointer dereference. Attackers can exploit this to crash the application or potentially cause a denial of service...

5.3CVSS6.7AI score0.00628EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2024/12/27 6:48 a.m.13 views

Sensitive Information Disclosure

Navidrome is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper handling of sensitive information because the JWT secret is stored in plaintext in the navidrome.db database file, making it retrievable by anyone with access to the database...

7.1CVSS6.1AI score0.0015EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2024/12/27 6:33 a.m.23 views

SQL Injection

github.com/apache/trafficcontrol is vulnerable to SQL Injection. The vulnerability is due to improper input validation in Traffic Ops, allowing a privileged user with roles such as "admin," "federation," "operations," "portal," or "steering" to execute arbitrary SQL queries through...

9.9CVSS7.7AI score0.41841EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities38326