
38332 matches found

Veracode, added 2024/10/15 7:07 a.m.

Information Disclosure

Open-webui is vulnerable to Information Disclosure. The vulnerability is due to the embedding model update feature under admin settings, which allows an attacker to enumerate file names and traverse directories by observing error messages related to file existence and configuration...

CVSS 2.7 | AI score 6.6 | EPSS 0.00336
Exploits 1 | References 3 | Affected software 1
Veracode, added 2024/10/15 6:30 a.m.

Arbitrary File Write And Delete

open-webui is vulnerable to Arbitrary File Write and Delete. The vulnerability is due to unsanitized file.filename concatenation with CACHEDIR, allowing attackers to overwrite and delete system files...

CVSS 7.2 | AI score 6.8 | EPSS 0.01032
Exploits 1 | References 4 | Affected software 1
Veracode, added 2024/10/15 5:54 a.m.

Email Enumeration Attack

Django is vulnerable to Email Enumeration Attack. The vulnerability is due to the PasswordResetForm class revealing differences in responses when password reset emails fail to send, allowing attackers to infer if an email address is registered...

CVSS 5.3 | AI score 6.7 | EPSS 0.00805
Exploits 0 | References 8 | Affected software 1
Veracode, added 2024/10/14 11:51 a.m.

Information Disclosure

typo3/cms-backend is vulnerable to Information Disclosure. The vulnerability is due to improper access control configuration, which allows backend users to see items in the page tree for restricted pages if no mounts were configured, exposing restricted content to unauthorized users...

CVSS 4.3 | AI score 6.6 | EPSS 0.00294
Exploits 0 | References 6 | Affected software 1
Veracode, added 2024/10/14 11:42 a.m.

Denial Of Service (DoS)

GoPistolet is vulnerable to a Denial of Service (DoS) vulnerability. The vulnerability is due to improper handling within the MTA component, which can lead to service disruption...

CVSS 7.5 | AI score 6.6 | EPSS 0.0094
Exploits 0 | References 7 | Affected software 1
Veracode, added 2024/10/14 10:58 a.m.

Improper Privilege Management

Mattermost is vulnerable to Improper Privilege Management. The vulnerability is due to improper permission protection, allowing authenticated users with a restricted custom admin role to bypass restrictions and view server logs and the server config.json file...

CVSS 4.3 | AI score 6.5 | EPSS 0.00625
Exploits 0 | References 3 | Affected software 1
Veracode, added 2024/10/14 10:57 a.m.

Arbitrary File Read

github.com/adguardteam/adguardhome is vulnerable to Arbitrary File Read. The vulnerability is due to improper validation of user input and inadequate restrictions on file access, allowing authenticated users to manipulate the file system and read sensitive files...

CVSS 4.9 | AI score 6.2 | EPSS 0.00788
Exploits 0 | References 8 | Affected software 1
Veracode, added 2024/10/14 10:35 a.m.

Prototype Pollution

@sap/hana-client is vulnerable to Prototype Pollution. The vulnerability is due to improper user input sanitization when using the nestTables feature of the SAP HANA Node.js client package, allowing attackers to manipulate object prototypes and add arbitrary properties...

CVSS 4.3 | AI score 6.8 | EPSS 0.00589
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/14 10:17 a.m.

Arbitrary Argument Injection

ggit is vulnerable to Arbitrary Argument Injection. The vulnerability is due to the failure to sanitize user input and improper handling of command-line flags: the package does not validate the URL scheme or properly pass arguments to the git binary using the necessary -- POSIX characters, allowing attacke...

CVSS 6.5 | AI score 6.9 | EPSS 0.00577
Exploits 0 | References 2 | Affected software 1
Veracode, added 2024/10/14 10:06 a.m.

Remote Code Execution (RCE)

livewire/livewire is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the framework's file upload mechanism that only guesses the file extension based on the MIME type, allowing attackers to bypass security measures and upload malicious files...

CVSS 9.8 | AI score 7.5 | EPSS 0.00823
Exploits 1 | References 5 | Affected software 1
Veracode, added 2024/10/14 10:05 a.m.

Input Validation

typo3/cms-backend is vulnerable to Input Validation. The vulnerability is due to a lack of proper validation checks on user input, allowing for the manipulation of data saved in the bookmark toolbar and triggering errors that disrupt access to the backend user interface...

CVSS 4.9 | AI score 6.6 | EPSS 0.00684
Exploits 1
Veracode, added 2024/10/14 10:00 a.m.

Log Injection

io.quarkiverse.cxf, quarkus-cxf is vulnerable to Log Injection. The vulnerability is due to misconfiguration of logging settings, which results in passwords and other secrets being logged; specific configurations, such as enabled SOAP logging and access to application logs, allow attackers to...

CVSS 5.3 | AI score 6.5 | EPSS 0.00511
Exploits 0 | References 7 | Affected software 1
Veracode, added 2024/10/14 9:56 a.m.

Command Injection

ggit is vulnerable to Command Injection. The vulnerability is due to user input being concatenated with a git command, which is then passed to the unsafe exec Node.js child process API. It allows an attacker to inject arbitrary commands...

CVSS 7.3 | AI score 6.8 | EPSS 0.01247
Exploits 0 | References 2 | Affected software 1
Veracode, added 2024/10/14 9:14 a.m.

Improper Access Control

github.com/rancher/rancher is vulnerable to Improper Access Control. The vulnerability is due to authenticated users being able to disable access control via an API call...

CVSS 8.8 | AI score 6.5 | EPSS 0.01489
Exploits 0 | References 3 | Affected software 1
Veracode, added 2024/10/14 8:56 a.m.

Incorrect Calculation

github.com/ethereum/go-ethereum is vulnerable to Incorrect Calculation. The vulnerability is due to a miscalculation of Proof of Work (PoW) generation caused by an error in the DAG creation process...

CVSS 7.5 | AI score 6.5 | EPSS 0.01643
Exploits 0 | References 5 | Affected software 1
Veracode, added 2024/10/14 8:43 a.m.

Cross-site Scripting (XSS)

limesurvey/limesurvey is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper input validation and output encoding in the Alert Widget's message component...

CVSS 6.1 | AI score 6.3 | EPSS 0.00535
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/11 12:00 p.m.

Cross-site Scripting (XSS)

Krayin CRM is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper input validation in the organization name field in /admin/contacts/organizations/edit/2, allowing malicious scripts to be injected...

CVSS 7.1 | AI score 6.1 | EPSS 0.00392
Exploits 1 | References 3 | Affected software 1
Veracode, added 2024/10/11 8:26 a.m.

Cross-Site Scripting (XSS)

phpoffice/phpspreadsheet is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of input where a number is expected, allowing an attacker to perform formula injection through direct concatenation of user-supplied parameters into spreadsheet formulas...

CVSS 7.1 | AI score 6.3 | EPSS 0.00466
Exploits 1 | References 6 | Affected software 1
Veracode, added 2024/10/11 7:14 a.m.

IBC Hijack

github.com/cheqd/cheqd-node is vulnerable to IBC hijack. The vulnerability is due to improper handling or validation within the IBC transfer mechanism, allowing an attacker to compromise the security of chain-to-chain IBC transfers...

AI score 7.1
Exploits 0
Veracode, added 2024/10/11 6:24 a.m.

Command Injection

github.com/icewhaletech/casaos is vulnerable to Command Injection. The vulnerability is due to a lack of proper input validation and sanitization mechanisms in the leave or join zerotier API component, allowing attackers to inject malicious commands into the system, which can then be executed...

CVSS 9.8 | AI score 6.9 | EPSS 0.05967
Exploits 1 | References 6 | Affected software 1
Veracode, added 2024/10/11 5:16 a.m.

Denial Of Service (DoS)

github.com/foxcpp/maddy is vulnerable to Denial Of Service (DoS). The vulnerability is due to the lack of proper error handling during write operations in S3 storage: when write operations encounter errors, they are not aborted, allowing the system to continue consuming memory without limit...

AI score 7
Exploits 0
Veracode, added 2024/10/11 4:36 a.m.

Privilege Escalation

github.com/kiali/kiali is vulnerable to Privilege Escalation. The vulnerability is due to an incorrect access control flaw that allows an attacker with basic access to deploy a kiali operand and potentially gain access to privileged service account tokens...

CVSS 8.8 | AI score 6.7 | EPSS 0.00969
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/10 10:17 p.m.

Cross-site Scripting (XSS)

Dynamic Dashboard is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of values passed to a paragraph widget, allowing malicious characters to trigger XSS attacks when a user opens a page where the widget is rendered...

CVSS 6.1 | AI score 5.5 | EPSS 0.00363
Exploits 0 | References 5 | Affected software 2
Veracode, added 2024/10/10 9:37 p.m.

Cross-site Scripting (XSS)

Mediawiki Cargo is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper neutralization of input during web page generation, allowing attackers to execute malicious scripts...

CVSS 6.9 | AI score 6.4 | EPSS 0.00377
Exploits 1 | References 8 | Affected software 1
Veracode, added 2024/10/10 2:17 p.m.

Cross-site Scripting (XSS)

LimeSurvey is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper input sanitization, allowing a remote attacker to execute arbitrary code by injecting a crafted script into the title and comment fields...

CVSS 6.1 | AI score 6.8 | EPSS 0.00535
Exploits 0 | References 3 | Affected software 1
Veracode, added 2024/10/10 1:28 p.m.

Improper Authentication

github.com/ubuntu/authd is vulnerable to Improper Authentication. The vulnerability is due to improper management of broker-managed users, allowing them to impersonate any other user managed by the same broker and perform PAM operations, including authentication...

CVSS 8.8 | AI score 6.6 | EPSS 0.00585
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/10 12:43 p.m.

Information Exposure

github.com/opentofu/opentofu is vulnerable to Information Exposure. The vulnerability is due to the static evaluation of module sources, versions and backend configurations. An attacker can expose sensitive variables and locals...

AI score 6.9
Exploits 0 | References 3 | Affected software 1
Veracode, added 2024/10/10 11:36 a.m.

Cross-Site Scripting (XSS)

limesurvey/limesurvey is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient sanitization of user input, allowing a remote attacker to execute arbitrary code via crafted scripts in the title and comment fields...

CVSS 6.1 | AI score 6.2 | EPSS 0.00535
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/10 8:38 a.m.

Cross-Site Scripting (XSS)

@saltcorn/server is vulnerable to stored Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of event log data, allowing malicious scripts to be stored...

AI score 6.2
Exploits 0
Veracode, added 2024/10/10 7:39 a.m.

File Deletion

@saltcorn/server is vulnerable to a file deletion vulnerability. The vulnerability is due to the lack of validation and sanitization of the dirname POST parameter, which allows a logged-in user to construct requests that delete arbitrary files on the filesystem through the sync/cleansyncdir...

CVSS 6.5 | AI score 6.8 | EPSS 0.00751
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/10 3:39 a.m.

Cross-Site Scripting (XSS)

PHPSpreadsheet is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to \PhpOffice\PhpSpreadsheet\Writer\Html not sanitizing "javascript:" URLs from hyperlink href attributes, which allows an attacker to execute malicious scripts in the context of a user's browser session...

CVSS 5.4 | AI score 6.2 | EPSS 0.00316
Exploits 1 | References 5 | Affected software 1
Veracode, added 2024/10/10 3:12 a.m.

Server Side Request Forgery (SSRF)

phpoffice/phpspreadsheet is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to the ability of an attacker to construct an XLSX file that links images from arbitrary paths, which allows for embedding those files as data: URLs and performing unauthorized HTTP GET requests...

CVSS 8.8 | AI score 6.8 | EPSS 0.00792
Exploits 1 | References 5 | Affected software 1
Veracode, added 2024/10/10 3:11 a.m.

XML External Entity (XXE)

phpoffice/phpspreadsheet is vulnerable to XML External Entity (XXE). The vulnerability is due to a flawed XML encoding check in the toUtf8 function of the security scanner, allowing crafted XML structures with whitespace to bypass the security measures intended to prevent XXE attacks...

CVSS 7.5 | AI score 7.5 | EPSS 0.02859
Exploits 1 | References 5 | Affected software 1
Veracode, added 2024/10/10 3:11 a.m.

Local File Inclusion (LFI)

phpoffice/phpspreadsheet is vulnerable to Local File Inclusion (LFI). The vulnerability is due to PhpSpreadsheet retrieving image sizes and types by reading the contents of files from external URLs, allowing attackers to exploit php://filter URLs to leak sensitive file contents or data from arbitra...

CVSS 7.7 | AI score 6.6 | EPSS 0.00579
Exploits 1 | References 6 | Affected software 1
Veracode, added 2024/10/09 6:03 a.m.

Privilege Escalation

Parse Server is vulnerable to Privilege Escalation. The vulnerability is due to insufficient validation and control over user input, specifically the lack of restrictions on the allowCustomObjectId setting, which allows attackers to define custom object IDs without proper checks and exploit user...

CVSS 8.1 | AI score 6.7 | EPSS 0.00414
Exploits 0 | References 6 | Affected software 1
Veracode, added 2024/10/09 5:38 a.m.

Denial Of Service (DoS)

@rocket.chat/message-parser is vulnerable to Denial Of Service (DoS). The vulnerability is due to crafted messages with specific characters crashing the workspace because of an issue in the message parser, allowing an attacker to exploit this weakness...

CVSS 7.5 | AI score 6.5 | EPSS 0.00593
Exploits 0 | References 5 | Affected software 1
Veracode, added 2024/10/09 5:22 a.m.

Cross-Site Scripting (XSS)

dev-lancer/minecraft-motd-parser is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the lack of proper input validation and sanitization in the HtmlGenerator class, allowing attackers to inject malicious HTML into a web page through a malformed Minecraft server MOTD...

CVSS 6.9 | AI score 5.9 | EPSS 0.00357
Exploits 0 | References 5 | Affected software 1
Veracode, added 2024/10/09 5:09 a.m.

Denial Of Service (DoS)

JSON-lib is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper input validation and handling in the util/JSONTokener.java class, where the code fails to correctly process unbalanced comment strings in JSON data, allowing attackers to craft malicious JSON inputs that trigger...

CVSS 5.3 | AI score 6.7 | EPSS 0.15413
Exploits 0 | References 3 | Affected software 2
Veracode, added 2024/10/09 4:34 a.m.

Man-in-the-middle (MitM)

OpenStack Ironic is vulnerable to Man-in-the-middle (MitM). The vulnerability is due to the lack of checksum validation on the supplied imagesource URLs, allowing malicious actors to manipulate the image data during the conversion process...

CVSS 5.3 | AI score 6.6 | EPSS 0.00662
Exploits 0 | References 9 | Affected software 1
Veracode, added 2024/10/09 4:18 a.m.

Cookie Poisoning

cookie is vulnerable to Cookie Poisoning. The vulnerability is due to improper input validation for the cookie name, path, and domain fields, allowing these fields to be manipulated and alter other cookie attributes...

CVSS 6.9 | AI score 6.6 | EPSS 0.00749
Exploits 0 | References 4 | Affected software 2
Veracode, added 2024/10/08 5:09 p.m.

Deserialization Of Untrusted Data

Apache Avro is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper schema parsing in the Java SDK, which allows attackers to execute arbitrary code...

CVSS 9.2 | AI score 7.5 | EPSS 0.03278
Exploits 0 | References 11 | Affected software 1
Veracode, added 2024/10/08 1:03 p.m.

Expected Behavior Violation

@backstage/plugin-app-backend is vulnerable to Expected Behavior Violation. The vulnerability is due to the handling of APPCONFIG environment variables, which ignores the visibility defined in the configuration schema. Note: This was an intended feature of the APPCONFIG way of supplying...

CVSS 5.8 | AI score 6.6 | EPSS 0.00365
Exploits 0 | References 2 | Affected software 1
Veracode, added 2024/10/08 12:39 p.m.

Uncontrolled Resource Consumption

Apache Commons IO is vulnerable to Uncontrolled Resource Consumption. The vulnerability is due to excessive CPU consumption caused by the org.apache.commons.io.input.XmlStreamReader class when processing maliciously crafted input...

CVSS 4.3 | AI score 7 | EPSS 0.01249
Exploits 0 | References 5 | Affected software 1
Veracode, added 2024/10/08 12:14 p.m.

Exposure Of Information Through Directory Listing

@saltcorn/server is vulnerable to Exposure of Information Through Directory Listing. The vulnerability is due to missing validations of the builddirname parameter. This allows an attacker with admin permission to view files and directories on the filesystem...

AI score 6.9
Exploits 0
Veracode, added 2024/10/08 11:46 a.m.

Directory Traversal

@saltcorn/server is vulnerable to Directory Traversal. The vulnerability is due to missing sanitization of the filename parameter used to identify the zip file when passed to the res.download API. This allows an attacker with admin permission to read and download arbitrary zip files when...

AI score 7
Exploits 0
Veracode, added 2024/10/08 11:16 a.m.

Prototype Pollution

@saltcorn/server is vulnerable to Prototype Pollution. The vulnerability is due to improper handling of the lang and defstring parameters, allowing modification of the Object prototype, which can lead to remote code execution (RCE) and SQL injection vulnerabilities...

AI score 8.9
Exploits 0
Veracode, added 2024/10/08 7:24 a.m.

Prototype Pollution

@sentry/browser is vulnerable to Prototype Pollution. The vulnerability is due to inadequate checks on user input or unsafe handling of data within an application when data is not properly validated or sanitized. It allows attackers to manipulate the prototype of objects, leading to potential...

AI score 7.1
Exploits 0
Veracode, added 2024/10/08 7:01 a.m.

Cross Site Scripting (XSS)

sulu/sulu is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to a low privileged user with access to the "Media" section being able to upload an SVG file with a malicious payload, allowing an attacker to execute malicious JavaScript in the browsers of other users, including admin...

CVSS 5.4 | AI score 6.4 | EPSS 0.00353
Exploits 0 | References 3 | Affected software 1
Veracode, added 2024/10/08 6:40 a.m.

Path Traversal

agnai is vulnerable to Path Traversal. The vulnerability is due to improper input validation in JSON file handling, allowing attackers to read arbitrary JSON files at attacker-chosen locations on the server. This can lead to unauthorized access to sensitive information...

CVSS 4.3 | AI score 6.4 | EPSS 0.00455
Exploits 0 | References 4 | Affected software 1
Veracode, added 2024/10/08 6:34 a.m.

Cross Site Scripting (XSS)

sulu/sulu is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the improper handling of user input in the media download URL within the SuluMediaBundle component, allowing attackers to inject malicious code that can be executed in the browser of users who access the compromised...

CVSS 6.1 | AI score 6.2 | EPSS 0.00322
Exploits 0 | References 4 | Affected software 1
Total number of security vulnerabilities: 38332