Lucene search
K
VeracodeRecent

38332 matches found

Veracode
Veracode
•added 2024/10/08 6:9 a.m.•12 views

Command Injection

@saltcorn/plugins-loader is vulnerable to command injection. The vulnerability is due to the lack of input validation on the user-controlled value req.body.name, allows users with admin permissions to manipulate the input by adding escaping characters, thereby executing arbitrary commands when th...

7.8AI score
Exploits0
Veracode
Veracode
•added 2024/10/08 5:26 a.m.•8 views

Unauthorized Access

github.com/mattermost/mattermost is vulnerable to Unauthorized Access. The vulnerability is due to non-members receiving broadcasted team details via the updateteam WebSocket event, which allows an attacker to gain unauthorized access to sensitive team information...

5.3CVSS6.7AI score0.0092EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2024/10/07 7:10 p.m.•10 views

Privilege Escalation

github.com/rancher/rancher vulnerable to Privilege Escalation. The vulnerability is due to improper restrictions in node driver options, allowing unprivileged users to deploy nodes and post sensitive files such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml...

8.8CVSS6.7AI score0.02013EPSS
Exploits0References4
Veracode
Veracode
•added 2024/10/07 6:55 p.m.•8 views

Authorization Bypass

www.velocidex.com/golang/velociraptor is vulnerable to Authorization Bypass. The vulnerability is due to improper permission checks in the copy VQL function, which applies checks for reading files but does not check for permission to write files, allowing low-privilege users to overwrite server...

8.8CVSS6.6AI score0.00544EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2024/10/07 11:32 a.m.•7 views

Cross Site Scripting(XSS)

OpenC3 COSMOS is vulnerable to Cross Site ScriptingXSS. The vulnerability is due to the login functionality, which allows an attacker to inject malicious scripts while sending commands to and receiving data from embedded systems...

6.1CVSS6.7AI score0.00443EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2024/10/07 10:47 a.m.•10 views

Cross Site Scripting(XSS)

OpenC3 COSMOS is vulnerable to Cross Site ScriptingXSS. The vulnerability is due to the insecure storage of user passwords in an unencrypted format within the LocalStorage of a web browser, allows an attacker to execute malicious scripts in a user's browser...

6.5CVSS6.7AI score0.00344EPSS
Exploits1References4Affected Software2
Veracode
Veracode
•added 2024/10/07 10:21 a.m.•8 views

Cross Site Scripting(XSS)

Decidim is vulnerable to a Cross-site scripting XSS. The vulnerability is due to XSS through a malformed URL in the version control feature used in resources. which allows an attacker to exploit XSS...

7.1CVSS5.5AI score0.00394EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2024/10/07 10:12 a.m.•5 views

Command Injection

git-shallow-clone is vulnerable to Command injection. The vulnerability is due to missing sanitization or mitigation flags in the process variable of the gitShallowClone function. which allows malicious inputs to be executed as system commands...

5.3CVSS7.1AI score0.00938EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2024/10/07 9:55 a.m.•8 views

Regular Expression Denial Of Service (ReDoS)

langflow is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to improper handling of the remainingtext argument in the HTTP POST Request Handler, allowing an attacker to exploit the inefficient regular expression patterns and causes excessive resource consumption...

6.5CVSS6.7AI score0.00896EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2024/10/06 7:45 p.m.•10 views

Race Condition

github.com/theupdateframework/go-tuf/v2 is vulnerable to Race Condition. The vulnerability is due to the inconsistent tracing of delegations in the client's processing logic potentially leads to Denial Of Service...

8.2CVSS6.2AI score0.00486EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2024/10/06 7:38 p.m.•13 views

Cross-site Scripting (XSS)

Pagekit is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input sanitization in the widget management feature of the admin panel index.php/admin/site/widget, allowing attackers to inject malicious scripts...

4.7CVSS6.1AI score0.00358EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2024/10/06 7:31 p.m.•7 views

Link Following

github.com/containers/common is vulnerable to Link Following. The vulnerability is due to incorrect handling of symbolic links in FIPS mode, allowing an attacker to exploit symbolic links and mount sensitive host directories inside a container, bypassing the isolation between containers and the...

8.2CVSS8.1AI score0.0099EPSS
Exploits0References19Affected Software4
Veracode
Veracode
•added 2024/10/06 7:19 p.m.•4 views

Improper Input Validation

github.com/containers/buildah and github.com/containers/podman/v5 are vulnerable to Improper Input Validation. The vulnerability due to improper input validation in the bind-propagation option of the Dockerfile RUN --mount instruction, an attacker with build privileges on the system can exploit...

4.7CVSS4.6AI score0.00287EPSS
Exploits0References12Affected Software4
Veracode
Veracode
•added 2024/10/06 7:11 p.m.•10 views

Use Of Uninitialized Variable

github.com/golang-fips/openssl is vulnerable to Use of Uninitialized Variable. The vulnerability is due to improper handling of uninitialized buffer lengths in FIPS mode, which can result in zeroed buffers being returned. This flaw allows an attacker to force false positive hash matches, send...

6.5CVSS6.7AI score0.00297EPSS
Exploits0References14Affected Software1
Veracode
Veracode
•added 2024/10/06 6:57 p.m.•5 views

Server-Side Request Forgery (SSRF)

inventree is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper error handling, where submitting a crafted URL instead of a valid image can raise a server-side error. This error message may contain sensitive information about server-side resources, including the...

6.7AI score
Exploits0
Veracode
Veracode
•added 2024/10/06 6:36 p.m.•7 views

Inadequate Encryption Strength

github.com/portainer/portainer is vulnerable to Inadequate Encryption Strength. The vulnerability is due to the improper use of an encryption algorithm in the AesEncrypt function. An attacker can decrypt sensitive information or compromise data integrity by exploiting the weak encryption...

7.5CVSS6.6AI score0.00284EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2024/10/06 6:12 p.m.•6 views

Directory Traversal

OpenC3 COSMOS is vulnerable to Directory Traversal. The vulnerability is due to improper input validation in LocalMode's openlocalfile method, allowing an authenticated user with adequate permissions to download any .txt file via the ScreensControllershow endpoint on the web server...

6.5CVSS6.5AI score0.00932EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2024/10/06 4:59 p.m.•8 views

Information Exposure Through An Error Message

org.jenkins-ci.main:jenkins-core is vulnerable to Information Exposure Through an Error Message. The vulnerability is due to improper redaction of multi-line secret values in error messages generated from form submissions involving the secretTextarea form field...

4.3CVSS4.5AI score0.0084EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2024/10/04 6:57 a.m.•10 views

Cross Site Scripting(XSS)

CKEditor 5 is vulnerable to a Cross-Site Scripting XSS. The vulnerability is due to Insecure Editor Configuration and lack of Input Sanitization in the CKEditor 5 clipboard package, which allows an attacker to insert malicious content into the editor when the General HTML Support or HTML Embed...

6.1CVSS5.9AI score0.00489EPSS
Exploits0References4Affected Software4
Veracode
Veracode
•added 2024/10/04 6:41 a.m.•8 views

Incorrect Authorization

Jenkins is vulnerable to Incorrect Authorization. The vulnerability is due to incomplete enforcement of item creation checks, where prohibited items are created in memory and can be saved to persist them, bypassing restrictions when attackers have Item/Configure permissions...

4.3CVSS4.5AI score0.00684EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2024/10/04 6:27 a.m.•12 views

Cross-site Scripting (XSS)

Zenario is vulnerable to Cross-site Scripting XSS. The vulnerability is due to allowing authenticated admin users to upload PDF files containing malicious code, which can execute when the PDF is accessed through the website...

4.8CVSS6.4AI score0.00334EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2024/10/04 4:46 a.m.•7 views

Cross Site Scripting(XSS)

LibreNMS is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the lack of proper validation and sanitization of user-uploaded SVG files, allowing users with the "admin" role to upload these files as backgrounds for custom maps without sufficient security checks, which enables...

4.8CVSS6.6AI score0.00377EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/10/04 4:44 a.m.•7 views

Cross Site Scripting(XSS)

librenms/librenms is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient validation and sanitization of user input in the "Alert Transports" feature, specifically in the "Details" section, which allows authenticated users to inject arbitrary JavaScript code executable...

7.5CVSS6.1AI score0.00585EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2024/10/04 4:42 a.m.•9 views

Cross Site Scripting(XSS)

librenms/librenms is vulnerable to Cross Site ScriptingXSS. The vulnerability is due to improper input sanitization in the Device Groups name, allowing JavaScript code to be executed when the details of the Device Group are viewed...

7.2CVSS6.7AI score0.005EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/10/04 4:40 a.m.•5 views

Cross Site Scripting(XSS)

librenms/librenms is vulnerable to Cross-Site Scripting Self-XSS. The vulnerability is due to a lack of proper input validation and sanitization in the "Alert Templates" feature of LibreNMS, allows users to inject arbitrary JavaScript into the alert template's name without any restrictions...

3.5CVSS6AI score0.00442EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2024/10/04 4:39 a.m.•6 views

Cross Site Scripting(XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper input validation in the "Alert Rules" feature, where the "Title" field does not properly sanitize user input, allowing the injection of arbitrary JavaScript...

7.5CVSS6.2AI score0.26242EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2024/10/04 4:37 a.m.•9 views

Cross Site Scripting(XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to insufficient input validation or sanitization of the "hostname" parameter in the "Device Dependencies" feature, allows attackers to inject arbitrary JavaScript, which can then be stored and executed in...

7.5CVSS5.7AI score0.0049EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2024/10/04 2:55 a.m.•7 views

Cross-site Scripting (XSS)

Zenario is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of input in the "Organizer tags" field within the Image library, allowing attackers to inject malicious scripts...

4.8CVSS6.3AI score0.00336EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2024/10/03 11:32 a.m.•5 views

Cross-site Scripting (XSS)

Contao is vulnerable to stored Cross-site Scripting XSS. The vulnerability is due to improper validation of SVG file uploads, allowing an authenticated admin to upload a file containing malicious JavaScript that can be executed when accessed through the website...

6.4CVSS6AI score0.0031EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/10/03 10:7 a.m.•9 views

Improper Authorization

github.com/pomerium/pomerium is vulnerable to Improper Authorization. The vulnerability is due to incomplete validation of JSON Web Tokens JWT, allowing certain service account access tokens to be incorrectly treated as valid for databroker API authorization, potentially leading to data...

6.8CVSS6.7AI score0.00569EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2024/10/03 8:45 a.m.•8 views

Malicious File Download

scoutbrowser is vulnerable to Malicious File Download. The vulnerability is due to insufficient input validation for filenames, which does not properly sanitize the file extensions before serving the files to users, allowing attackers to manipulate file extensions and deliver malicious content...

4.6CVSS6.8AI score0.00303EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/10/03 8:44 a.m.•8 views

Open Redirect

scoutbrowser is vulnerable to Open Redirect. The vulnerability is due to inadequate input validation and sanitization in the /login API endpoint, which does not properly handle the next parameter, and lack of scheme validation, which allows for both open redirects and HTTPS downgrade attacks...

6.1CVSS6.5AI score0.00379EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/10/03 8:16 a.m.•9 views

Cross Site Scripting(XSS)

github.com/alist-org/alist is vulnerable to reflected cross-site scripting XSS. The vulnerability is due to inadequate input validation in the /i/:linkname endpoint, which fails to sanitize user-provided values, allowing malicious HTML tags to be executed in the application context...

6.1CVSS5.8AI score0.00387EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2024/10/03 7:48 a.m.•11 views

Prototype Pollution

uplot is vulnerable to Prototype Pollution. The vulnerability is due to lack of safeguards to prevent unauthorized modifications to the object's prototype, allowing attackers to pollute the prototype with malicious properties...

8.2CVSS6.6AI score0.00634EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2024/10/03 7:11 a.m.•11 views

Insecure Direct Object Reference (IDOR)

org.eclipse.edc,control-plane-catalog is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to missing filtering on single dataset requests, which fails to properly verify access permissions for restricted datasets. It allows unauthorized parties to access sensitive...

5.3CVSS6.4AI score0.00372EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2024/10/01 11:11 a.m.•6 views

Cross-site Scripting (XSS)

github.com/schollz/rwtxt is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper input validation, allowing a remote attacker to inject arbitrary scripts through unspecified vectors...

6.1CVSS6.5AI score0.00877EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2024/10/01 10:48 a.m.•5 views

Improper Access Control

github.com/google/exposure-notifications-server is vulnerable to Improper Access Control. The vulnerability is due to the service incorrectly assuming that the source server had properly embargoed keys for at least 2 hours after their expiry, which could allow expired keys to be re-published and...

7AI score
Exploits0
Veracode
Veracode
•added 2024/10/01 10:11 a.m.•7 views

Denial Of Service (DoS)

Mattermost is vulnerable to Denial of Service DoS. The vulnerability is due to Mattermost failing to properly check plugin versions when installed from the Marketplace, allowing authorized users to install outdated versions with known vulnerabilities...

8.8CVSS6.5AI score0.0063EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2024/10/01 10:1 a.m.•3 views

Cross-site Scripting (XSS)

github.com/gotify/server is vulnerable to Cross-site Scripting XSS. The vulnerability is due to outdated Swagger UI, which uses a vulnerable version of DOMPurify, allowing an attacker to execute arbitrary JavaScript through external Swagger config files...

7.1AI score
Exploits0
Veracode
Veracode
•added 2024/10/01 10:0 a.m.•5 views

Information Disclosure

mantisbt/mantisbt is vulnerable to Information Disclosure. The vulnerability is due to inadequate validation of user permissions in handling requests, allows unprivileged, registered users to access and retrieve sensitive information about other users’ personal system profiles through crafted POS...

6.5CVSS6.2AI score0.00523EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2024/10/01 9:55 a.m.•11 views

Deserialization

org.apache.lucene,lucene-replicator is vulnerable to Deserialization. The vulnerability is due to improper validation of serialized input in the org.apache.lucene.replicator.http package, allows attackers to exploit the deserialization process by sending malicious data...

8CVSS6.6AI score0.00586EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2024/10/01 9:8 a.m.•7 views

Insecure Direct Object Reference (IDOR)

aimeos/ai-controller-frontend is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to a lack of proper access control and authorization checks, allowing attackers to manipulate object references like user IDs without verification...

5.3CVSS6.6AI score0.00473EPSS
Exploits0References12Affected Software1
Veracode
Veracode
•added 2024/10/01 6:30 a.m.•5 views

Improper Access Control

S3 Gateway is vulnerable to Improper Access Control. The vulnerability is due to inadequate authorization checks, allowing authenticated users to send requests to the delete-objects API and delete files they are not authorized to access...

6.9AI score
Exploits0
Veracode
Veracode
•added 2024/10/01 6:12 a.m.•10 views

Open Redirect

org.glassfish.main.admin,rest-service is vulnerable to Open redirect. The vulnerability is due to the improper handling of the Host HTTP parameter, which allows an attacker to manipulate URL redirection when accessing the '/management/domain' endpoint. It allows attackers to redirect users to...

6.9CVSS6.6AI score0.00661EPSS
Exploits1References6Affected Software1
Veracode
Veracode
•added 2024/10/01 6:0 a.m.•10 views

Information Disclosure

RestrictedPython is vulnerable to Information Disclosure. The vulnerability is due to the combination of the AttributeError.obj and the string module, which allows unauthorized access to sensitive information within the RestrictedPython execution environment...

8.7CVSS6.3AI score0.00726EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/10/01 4:17 a.m.•5 views

Cross Site Scripting(XSS)

starcitizentools/citizen-skin is vulnerable to Cross Site ScriptingXSS. The vulnerability is due to insufficient input validation on the "real name" field, allowing users to inject malicious XSS payloads without proper sanitization...

5.4CVSS5.7AI score0.00422EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2024/10/01 3:37 a.m.•8 views

Timing Attack

basic-auth-connect is vulnerable to Timing Attack. The vulnerability is due to improper implementation of the equality comparison, where the comparison function reveals differences in the time taken to process incorrect versus correct input, allowing an attacker to infer sensitive information bas...

8.7CVSS6.2AI score0.00504EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2024/09/30 5:10 p.m.•12 views

Cross-site Scripting (XSS)

LayUI is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to DOM Clobbering caused by unsanitized attacker-controlled HTML elements, such as img tags with name attributes...

6.4CVSS6AI score0.00311EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2024/09/30 4:49 p.m.•10 views

Keygen Protocol Exploitation

The Binance tss-lib is vulnerable to keygen protocol exploitation. The vulnerability is due to inadequate validation of the h1 and h2 parameters within the keygen protocol implementation, allows attackers to craft malicious parameters that can exploit the signing round process...

8.2CVSS6.6AI score0.01424EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2024/09/30 4:32 p.m.•4 views

Cross Site Request Forgery (CSRF)

github.com/go-gitea/gitea is vulnerable to Cross Site Request Forgery CSRF. The vulnerability is due to the lack of proper validation and protection mechanisms in the API routes of Gitea, allows unauthorized state-altering POST requests to be executed by attackers on behalf of authenticated users...

8.8CVSS6.4AI score0.00577EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities38332