38332 matches found

Veracode
added 2024/11/19 9:39 a.m. | 9 views

Cross-site Scripting (XSS)

django-cms is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper neutralization of input during web page generation, allowing malicious scripts to be injected and executed...

4.8 CVSS | 6.2 AI score | 0.00493 EPSS
Exploits: 1 | References: 7 | Affected Software: 1

Veracode
added 2024/11/19 8:53 a.m. | 4 views

Out-of-bounds Read And Write

libheif.so is vulnerable to Out-of-bounds Read and Write. The vulnerability is due to insufficient validation of image overlay offsets in the ImageOverlay::parse function, which allows the decoding process to access memory outside the allocated bounds, leading to out-of-bounds read and write operations...

8.1 CVSS | 6.5 AI score | 0.00825 EPSS
Exploits: 1 | References: 6 | Affected Software: 1

Veracode
added 2024/11/19 8:41 a.m. | 7 views

Cross-site Scripting (XSS)

firebase is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper handling of the "FIREBASEDEFAULTS" cookie, which allows attackers to manipulate the "authTokenSyncURL" field and redirect user session data to a malicious server...

6.1 CVSS | 6.3 AI score | 0.00125 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/11/19 7:54 a.m. | 9 views

HTTP Request Smuggling

io.undertow:undertow-core is vulnerable to HTTP Request Smuggling. The vulnerability is due to incorrect parsing of cookies with specific value-delimiting characters, enabling attackers to exfiltrate HttpOnly cookies or spoof additional cookie values...

7.4 CVSS | 6.6 AI score | 0.01117 EPSS
Exploits: 0 | References: 12 | Affected Software: 1

Veracode
added 2024/11/19 7:30 a.m. | 9 views

Race Condition

OpenStack is vulnerable to Race Condition. The vulnerability is due to inadequate validation when deleting non-existent access rules, leading to the removal of unrelated existing access rules that lack application credential associations...

5.5 CVSS | 7 AI score | 0.00493 EPSS
Exploits: 0 | References: 8 | Affected Software: 1

Veracode
added 2024/11/19 6:54 a.m. | 16 views

Remote Code Execution (RCE)

LibVNCserver.so is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a heap out-of-bounds write in libvncserver/rfbserver.c, allowing a remote attacker to execute arbitrary code on the system...

9.8 CVSS | 8.8 AI score | 0.03335 EPSS
Exploits: 1 | References: 14 | Affected Software: 1

Veracode
added 2024/11/19 6:34 a.m. | 10 views

Timing Attack

mudler/LocalAI is vulnerable to Timing Attack. The vulnerability is due to a side-channel attack that exploits variations in response time during cryptographic operations, potentially exposing valid login credentials...

7.5 CVSS | 6.7 AI score | 0.00533 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Veracode
added 2024/11/19 6:8 a.m. | 9 views

Man-in-the-middle (MitM) Attack

libnbd is vulnerable to a Man-in-the-middle (MitM) Attack. The vulnerability is due to the client failing to consistently verify the NBD server's certificate when using TLS to connect, which allows an attacker to intercept and manipulate the NBD traffic...

7.4 CVSS | 6.5 AI score | 0.0039 EPSS
Exploits: 0 | References: 7 | Affected Software: 1

Veracode
added 2024/11/19 4:50 a.m. | 10 views

Insecure File Upload

agnai is vulnerable to an Insecure File Upload. The vulnerability is due to insufficient validation of user-uploaded files, which allows attackers to choose the location where the files are stored on the server, potentially leading to overwriting existing files or uploading files to unintended...

4.3 CVSS | 6.5 AI score | 0.00482 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2024/11/19 4:43 a.m. | 8 views

Arbitrary File Upload

agnai is vulnerable to Arbitrary File Upload. The vulnerability is due to insufficient validation of uploaded files, allowing attackers to place files in attacker-controlled locations on the server, including executable JavaScript files...

8.8 CVSS | 6.6 AI score | 0.00763 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2024/11/19 4:37 a.m. | 10 views

Denial Of Service (DoS)

Werkzeug is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper handling of specifically crafted multipart/form-data requests by werkzeug.formparser.MultiPartParser, allowing resource exhaustion and excessive memory allocation...

7.5 CVSS | 6.5 AI score | 0.01093 EPSS
Exploits: 0 | References: 7 | Affected Software: 2

Veracode
added 2024/11/19 3:41 a.m. | 6 views

Privilege Escalation

Rancher Manager is vulnerable to Privilege Escalation. The vulnerability is due to weak Access Control Lists (ACL) in Rancher Manager deployments containing Windows nodes, which allow overly permissive access to sensitive files by BUILTIN\Users or NT AUTHORITY\Authenticated Users...

7.5 CVSS | 7 AI score | 0.00508 EPSS
Exploits: 0 | References: 6 | Affected Software: 2

Veracode
added 2024/11/18 2:59 p.m. | 7 views

Improper Input Validation

mudler/LocalAI is vulnerable to Improper Input Validation. The vulnerability is due to improper handling of automatic archive extraction, allowing a 'tarslip' attack to bypass file location restrictions and write files to arbitrary locations on the server...

9.8 CVSS | 6.9 AI score | 0.01501 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

Veracode
added 2024/11/18 10:53 a.m. | 8 views

Cross-site Scripting (XSS)

Lollms is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to incomplete filtering in the sanitizesvg function, which fails to account for all potential XSS vectors in uploaded SVG files...

9 CVSS | 5.5 AI score | 0.00595 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

Veracode
added 2024/11/18 7:53 a.m. | 7 views

Arbitrary File Read

Gradio is vulnerable to Arbitrary File Read. The vulnerability is due to improper handling of File or UploadButton components, allowing attackers to read arbitrary files from the application server...

6.5 CVSS | 6.7 AI score | 0.00672 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Veracode
added 2024/11/18 7:42 a.m. | 12 views

Deserialization Of Untrusted Data

Chainer is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper handling of deserialization, allowing the execution of arbitrary code...

9.8 CVSS | 7.3 AI score | 0.00811 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/18 6:51 a.m. | 8 views

Server-Side Request Forgery (SSRF)

Gradio is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to the lack of restrictions on URLs in the saveurltocache function, allowing access to local resources and sensitive information...

6.5 CVSS | 6.5 AI score | 0.00464 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/11/18 5:7 a.m. | 13 views

XML External Entity (XXE)

hapi fhir is vulnerable to XML External Entity (XXE). The vulnerability is due to improper handling of XML input. Specifically, the system fails to properly disable or validate external entities within XML documents, allowing attackers to inject malicious XML that can lead to unauthorized data acce...

9.8 CVSS | 6.7 AI score | 0.01851 EPSS
Exploits: 1 | References: 4 | Affected Software: 9

Veracode
added 2024/11/18 4:37 a.m. | 10 views

Information Leakage

symfony/http-client is vulnerable to IP/port enumeration. The vulnerability is due to improper handling of IP filtering in the NoPrivateNetworkHttpClient, which fails to block certain IPs early enough during host resolution, allowing an attacker to enumerate IP addresses and ports, potentially...

3.1 CVSS | 6.5 AI score | 0.00481 EPSS
Exploits: 0 | References: 5 | Affected Software: 2

Veracode
added 2024/11/18 3:33 a.m. | 9 views

XML External Entity (XXE) Injection

org.openimaj, openimaj is vulnerable to XML External Entity (XXE) injection. The vulnerability is due to improper handling of external entities in XML files. Specifically, the system fails to properly validate or sanitize XML input, allowing attackers to craft malicious XML that can trigger...

9.8 CVSS | 7.1 AI score | 0.01156 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Veracode
added 2024/11/18 3:12 a.m. | 12 views

Cross-Site Scripting (XSS)

studio-42/elfinder is vulnerable to persistent Cross-site Scripting (XSS). The vulnerability is due to a filename restriction bypass, allowing attackers to inject malicious scripts...

6.1 CVSS | 6.3 AI score | 0.00265 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/11/18 2:41 a.m. | 13 views

Remote Code Execution (RCE)

studio-42/elfinder is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the lack of restrictions on uploading files with the .php8 extension, which allows an attacker to upload a malicious .php8 file, which can then be executed on the server to gain unauthorized access or execute...

9.8 CVSS | 8.6 AI score | 0.00768 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/11/16 7:45 p.m. | 8 views

Privilege Escalation

github.com/rclone/rclone is vulnerable to Privilege Escalation. The vulnerability is due to insecure handling of symlinks with the --links and --metadata flags, which allows unprivileged users to exploit symlinks to modify the ownership and permissions of target files when copied by a privileged proces...

5.4 CVSS | 6.4 AI score | 0.00214 EPSS
Exploits: 0 | References: 4 | Affected Software: 2

Veracode
added 2024/11/15 6:39 a.m. | 5 views

Unauthorized File Manipulation

ansiblecore is vulnerable to Unauthorized File Manipulation. The vulnerability is due to the user module allowing an unprivileged user with directory traversal permissions to create or replace files on any system path and gain ownership when a privileged user executes the module against the...

6.3 CVSS | 6.3 AI score | 0.00248 EPSS
Exploits: 0 | References: 13 | Affected Software: 2

Veracode
added 2024/11/15 6:37 a.m. | 9 views

Cross-Site Scripting (XSS)

Happy-dom is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation and execution of script tags, which allows arbitrary code to run in the user context of happy-dom...

9.3 CVSS | 6.7 AI score | 0.00741 EPSS
Exploits: 0 | References: 7 | Affected Software: 1

Veracode
added 2024/11/15 6:34 a.m. | 9 views

Authentication Bypass

codechecker is vulnerable to Authentication Bypass. The vulnerability is due to improper URL handling in the API, where the endpoint ending with "/Authentication" fails to properly enforce access controls, allowing unauthorized superuser access to other API endpoints...

10 CVSS | 6.6 AI score | 0.40058 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 9:58 a.m. | 10 views

Remote Code Execution (RCE)

Langflow is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the lack of sandboxing, allowing an attacker to execute arbitrary code on the local machine...

9.8 CVSS | 8 AI score | 0.01318 EPSS
Exploits: 2 | References: 4 | Affected Software: 1

Veracode
added 2024/11/14 9:46 a.m. | 9 views

Refresh Token Exposure

@workos-inc/authkit-nextjs is vulnerable to Refresh Token Exposure. The vulnerability is due to improper handling of sensitive data, where refresh tokens are logged to the console if the debug flag, which is disabled by default, is enabled. This allows an attacker with access to the logs to steal...

5.5 CVSS | 6.5 AI score | 0.00247 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/11/14 9:35 a.m. | 7 views

Code Injection

AgentScope is vulnerable to Code Injection. The vulnerability is due to the eval function in the iscallableexpression function, which executes user-provided commands, allowing potential code injection...

9.8 CVSS | 7 AI score | 0.00788 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

Veracode
added 2024/11/14 9:20 a.m. | 9 views

Information Exposure

@workos-inc/authkit-remix is vulnerable to Information Exposure. The vulnerability is due to the debug flag being enabled, which allows an attacker to view refresh tokens logged to the console...

2.1 CVSS | 6.5 AI score | 0.00215 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 8:58 a.m. | 19 views

Directory Traversal

github.com/ollama/ollama is vulnerable to Directory Traversal. The vulnerability is due to path traversal in the api/push route, allowing attackers to confirm which files exist on the server...

7.5 CVSS | 6.8 AI score | 0.03938 EPSS
Exploits: 2 | References: 2 | Affected Software: 1

Veracode
added 2024/11/14 8:7 a.m. | 12 views

Sensitive Information Disclosure

github.com/ollama/ollama is vulnerable to Sensitive Information Disclosure. The vulnerability is due to the CreateModel route reflecting "File does not exist" error messages when given a non-existent file path, allowing attackers to confirm file presence on the server...

7.5 CVSS | 7 AI score | 0.04237 EPSS
Exploits: 2 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 7:51 a.m. | 18 views

Denial Of Service (DoS)

github.com/ollama/ollama is vulnerable to Denial-of-Service (DoS). The vulnerability is due to the CreateModelHandler function improperly handling the req.Path parameter, which can be set to /dev/random to cause infinite blocking and resource exhaustion...

7.5 CVSS | 7 AI score | 0.02683 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

Veracode
added 2024/11/14 7:19 a.m. | 4 views

Improper Authentication

com.baidu.disconf:disconf-core is vulnerable to Improper Authentication. The vulnerability is due to a flaw in the Configuration Center component’s /api/config/list endpoint, which allows remote attackers to bypass authentication...

6.9 CVSS | 6.9 AI score | 0.00501 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Veracode
added 2024/11/14 6:51 a.m. | 4 views

Incorrect Rekor Entry Selection

github.com/sigstore/gitsign is vulnerable to Incorrect Rekor entry selection. The vulnerability is due to gitsign not correctly handling situations where multiple Rekor entries are returned during online verification, leading it to potentially select the wrong one. It allows an attacker to...

7 AI score
Exploits: 0

Veracode
added 2024/11/14 6:35 a.m. | 10 views

Cross-Site Scripting (XSS)

github.com/j3ssie/osmedeus is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper filtering of file contents when generating reports. The contents of the report files (HTML and Markdown) are read and used to generate the report, but they are not adequately sanitized, allowi...

8.7 CVSS | 6.2 AI score | 0.0044 EPSS
Exploits: 0 | References: 6 | Affected Software: 1

Veracode
added 2024/11/14 6:34 a.m. | 11 views

Cross-Site Scripting (XSS)

github.com/mudler/localai is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper input validation and inadequate sanitization of user inputs when passing parameters to the delete model API, which allows malicious scripts to be stored and executed in the application...

6.1 CVSS | 6 AI score | 0.00191 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 6:33 a.m. | 7 views

Authentication Bypass

OctoPrint is vulnerable to an Authentication Bypass. The vulnerability is due to inadequate session handling in OctoPrint, which allows an attacker with temporary control over an authenticated session to access or delete the API key without requiring reauthentication...

6.5 CVSS | 6.5 AI score | 0.00282 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 5:39 a.m. | 5 views

Reflected Cross-Site Scripting (Reflected XSS)

OctoPrint is vulnerable to Reflected Cross-Site Scripting (Reflected XSS). The vulnerability is due to unescaped user inputs in OctoPrint’s login dialog and standalone application key confirmation dialog, which allow attackers to inject malicious scripts that get reflected back to the user's browser...

6.1 CVSS | 6.1 AI score | 0.00265 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 4:50 a.m. | 14 views

Arbitrary Code Execution (ACE)

@cyclonedx/cdxgen is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to a lack of safeguards against executing code in build-related files, allowing attackers to inject and execute malicious code within these files during analysis...

7.2 CVSS | 7.7 AI score | 0.00831 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/11/14 4:13 a.m. | 10 views

Authentication Method Confusion

CodeChecker is vulnerable to Authentication Method Confusion. The vulnerability is due to insufficient account security, where the weakly generated root user account cannot be disabled, allowing attackers to exploit it through an external authentication service...

9 CVSS | 7 AI score | 0.00472 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/14 4:11 a.m. | 5 views

Authentication Bypass

github.com/golang-jwt/jwt is vulnerable to Authentication Bypass. The vulnerability is due to ambiguous error handling in the ParseWithClaims function, where a token that is both expired and invalid may lead users to check only for jwt.ErrTokenExpired, potentially ignoring...

3.1 CVSS | 3.9 AI score | 0.00521 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Veracode
added 2024/11/14 4:10 a.m. | 11 views

Carriage Return Line Feed (CRLF) Injection

Refit is vulnerable to Carriage Return Line Feed (CRLF) Injection. The vulnerability is due to lack of validation for CRLF characters in HTTP header values in the Refit library. Specifically, the HttpHeaders.TryAddWithoutValidation method used by Refit does not sanitize or check for CRLF sequences,...

10 CVSS | 6.7 AI score | 0.00535 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/11/14 4:9 a.m. | 5 views

Cross-Site Scripting (XSS)

umbraco.cms.core is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of the argument culture in the file /Umbraco/preview/frame?id of the Dashboard component, which allows remote attackers to manipulate the argument and execute malicious scripts...

6.9 CVSS | 6.5 AI score | 0.00559 EPSS
Exploits: 1 | References: 6 | Affected Software: 1

Veracode
added 2024/11/13 12:8 p.m. | 10 views

Session Fixation

Apache Kylin is vulnerable to Session Fixation. The vulnerability is due to improper handling of session identifiers, allowing an attacker to hijack a user's session...

9.1 CVSS | 6.6 AI score | 0.00622 EPSS
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2024/11/13 11:52 a.m. | 8 views

Out-of-bounds Read

Ollama is vulnerable to Out-of-bounds Read. The vulnerability is due to the ability to upload a malformed GGUF file containing only 4 bytes with a custom magic header. By using a custom Modelfile with a FROM statement pointing to an attacker-controlled blob, the attacker can cause a segmentation...

8.2 CVSS | 6.7 AI score | 0.02479 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

Veracode
added 2024/11/13 11:31 a.m. | 9 views

Improper Privilege Management

Zope and AccessControl are vulnerable to Improper Privilege Management. The vulnerability is due to anonymous users being able to delete user data in AccessControl.userfolder.UserFolder, potentially preventing privileged access. Users unable to upgrade can mitigate by adding dataroles = to...

8.7 CVSS | 6.6 AI score | 0.00413 EPSS
Exploits: 0 | References: 4 | Affected Software: 2

Veracode
added 2024/11/13 10:54 a.m. | 15 views

Insecure Deserialization

Apache Lucene.Net.Replicator is vulnerable to Insecure Deserialization. The vulnerability exists due to the deserialization of untrusted data without adequate validation, allowing an attacker who intercepts traffic or controls the replication node URL to send a malicious JSON response...

8.1 CVSS | 6.7 AI score | 0.01234 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Veracode
added 2024/11/13 10:53 a.m. | 13 views

Password Reset Attack

yeswiki/yeswiki is vulnerable to weak cryptographic algorithm. The vulnerability is due to poor cryptographic practices, specifically the use of a weak cryptographic algorithm and a hard-coded salt for hashing the password reset key, allowing attackers to recover the reset key and gain unauthoriz...

9.9 CVSS | 7 AI score | 0.00368 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

Veracode
added 2024/11/13 10:51 a.m. | 14 views

Signature Verification Bypass

laravel/reverb is vulnerable to a verification signature bypass. The vulnerability is due to missing verification of request signatures for the Pusher-compatible API endpoints, which allows unauthorized requests to bypass security checks and potentially access sensitive functionality...

6.3 CVSS | 6.7 AI score | 0.00332 EPSS
Exploits: 0 | References: 4 | Affected Software: 1

Total number of security vulnerabilities: 38332