38340 matches found

Veracode • added 2024/07/18 5:16 a.m. • 19 views

Arbitrary Code Execution

Apache Airflow is vulnerable to Arbitrary Code Execution. The vulnerability is due to a flaw in the docmd parameter via airflow/models/dag.py, allowing authenticated DAG authors to craft it in a way that could execute arbitrary code in the scheduler context...

CVSS 8.8 • AI score 6.9 • EPSS 0.01726
Exploits 0 • References 5 • Affected Software 1

Veracode • added 2024/07/18 5:16 a.m. • 15 views

Command Injection

org.apache.streampark:streampark is vulnerable to command injection due to insufficient input parameter validation, which allows attackers to insert malicious commands for execution. The risk level of this vulnerability is very low as it requires the user to log in with system-level permissions...

CVSS 8.8 • AI score 7.8 • EPSS 0.01117
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/17 6:21 a.m. • 15 views

SQL Injection

org.apache.streampark:streampark is vulnerable to SQL injection. The vulnerability is due to improper validation of the sort field, allowing attackers with a valid account to execute arbitrary SQL queries after logging in, which can cause information disclosure. Since no data will be written, so...

CVSS 8.1 • AI score 7.8 • EPSS 0.00639
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/17 5:53 a.m. • 11 views

SQL Injection

Apache Superset is vulnerable to SQL Injection. The vulnerability is due to improper handling of special elements used in SQL commands: certain engine-specific functions are not checked, allowing attackers to bypass SQL authorization...

CVSS 9.8 • AI score 7.3 • EPSS 0.04433
Exploits 2 • References 4 • Affected Software 1

Veracode • added 2024/07/17 5:19 a.m. • 14 views

Denial Of Service (DoS)

rexml is vulnerable to Denial of Service (DoS). The vulnerability is due to inefficient parsing of XML documents containing many specific characters such as , which can result in slow parsing times...

CVSS 4.3 • AI score 6.6 • EPSS 0.01493
Exploits 0 • References 6 • Affected Software 3

Veracode • added 2024/07/16 2:28 p.m. • 13 views

Out-of-bounds Read

OpenImageIO is vulnerable to Out-of-bounds Read. The vulnerability is due to a bug in the heif input functionality, specifically in HeifInput::seeksubimage, which can potentially lead to information disclosure when using the ImageInput APIs...

CVSS 4.3 • AI score 6.2 • EPSS 0.00448
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/16 8:48 a.m. • 18 views

Denial Of Service (DoS)

org.wildfly:wildfly-domain-http is vulnerable to Denial of Service (DoS). The vulnerability is caused by a lack of sockets limits within the management interface, which can result in Denial of Service (DoS) due to hitting the nofile limit. An attacker can exploit this by overwhelming the system with...

CVSS 4.1 • AI score 6.6 • EPSS 0.00275
Exploits 0 • References 10 • Affected Software 2

Veracode • added 2024/07/16 8:34 a.m. • 18 views

Denial Of Service (DoS)

golang.org/x/net is vulnerable to Denial of Service (DoS). The vulnerability is due to the client mishandling cases where a server responds with a non-informational status, which leaves the client connection in an invalid state. Attackers can exploit this by sending "Expect: 100-continue" requests...

CVSS 7.5 • AI score 6.8 • EPSS 0.01414
Exploits 0 • References 8 • Affected Software 2

Veracode • added 2024/07/16 7:18 a.m. • 12 views

Remote Code Execution (RCE)

torrentpier/torrentpier is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the unsafe handling of user-controlled data (specifically cookies) within the gettracks function in torrentpier/library/includes/functions.php, where unsafe usage of PHP's native serialization format...

CVSS 9.8 • AI score 8.1 • EPSS 0.00995
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/16 6:41 a.m. • 17 views

Username Enumeration

web-auth/webauthn-framework and web-auth/webauthn-lib are vulnerable to Username Enumeration. The vulnerability is due to the ProfileBasedRequestOptionsBuilder method returning allowedCredentials without any credentials if no username was found. This allows an attacker to enumerate valid username...

CVSS 5.3 • AI score 6.7 • EPSS 0.00394
Exploits 0 • References 5 • Affected Software 2

Veracode • added 2024/07/16 6:32 a.m. • 14 views

Path Traversal

@jmondi/url-to-png is vulnerable to Path Traversal. The vulnerability is due to the lack of proper sanitization or validation of the ImageId input within extractqueryparams.ts, which allows an attacker to store an image in an arbitrary location that the server has permission to access...

CVSS 4.3 • AI score 6.8 • EPSS 0.00523
Exploits 0 • References 5 • Affected Software 1

Veracode • added 2024/07/16 6:29 a.m. • 19 views

JNDI Injection

org.apache.linkis:linkis-common is vulnerable to JNDI Injection. The vulnerability is due to insufficient filtering of db2 parameters, allowing an attacker with access to an authorized Linkis account to configure malicious parameters in the DataSource Manager Module which results in JNDI Injecti...

CVSS 8.8 • AI score 8.6 • EPSS 0.00845
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/16 6:11 a.m. • 14 views

Information Disclosure

@jmondi/url-to-png is vulnerable to Information Disclosure. The vulnerability is due to the lack of a blocklist mechanism to restrict which URLs can be captured as screenshots. This allows an attacker to potentially capture screenshots of sensitive information from local web services...

CVSS 3.1 • AI score 6.1 • EPSS 0.0037
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/16 5:59 a.m. • 13 views

Code Injection

langchain-experimental is vulnerable to Code Injection. The vulnerability is due to the use of 'eval' on all retrieved values from the database when the server is configured with VectorSQLDatabaseChain...

CVSS 8.5 • AI score 6.8 • EPSS 0.01864
Exploits 1 • References 5 • Affected Software 1

Veracode • added 2024/07/16 5:50 a.m. • 13 views

Information Disclosure

fastapi-opa is vulnerable to Information Disclosure. The vulnerability is due to lack of authentication enforcement for HTTP OPTIONS requests by OpaMiddleware, allowing an unauthenticated attacker to determine the existence of entities within the application based on the responses to these reques...

CVSS 5.8 • AI score 7 • EPSS 0.00563
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/16 5:32 a.m. • 15 views

Arbitrary File Read

org.apache.linkis:linkis-common is vulnerable to Arbitrary File Read. The vulnerability is due to a lack of effective filtering of parameters, allowing an attacker with an authorized linkis account to configure malicious MySQL JDBC parameters in the DataSource Manager Module which results in...

CVSS 6.5 • AI score 6.4 • EPSS 0.00728
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/16 5:08 a.m. • 18 views

Cross Site Scripting (XSS)

@udecode/plate-media is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to lack of proper URL sanitization in MediaEmbedElement and custom urlParsers and direct consumption of the url property, which allows an attacker to embed malicious URLs using javascript:, data:, or vbscript...

CVSS 8.1 • AI score 6.4 • EPSS 0.00498
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/16 5:00 a.m. • 12 views

Remote Code Execution (RCE)

org.apache.linkis:linkis-datasource is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper deserialization of untrusted data in the data source management module when adding a MySQL data source. If an attacker obtains an authorized linkis account, they can exploit JRMP...

CVSS 8.8 • AI score 8.9 • EPSS 0.01228
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/15 10:16 a.m. • 19 views

Code Injection

setuptools is vulnerable to Code Injection. The vulnerability is due to the packageindex module's download function, which can execute arbitrary OS commands when exposed to user-controlled inputs such as package URLs...

CVSS 8.8 • AI score 7.5 • EPSS 0.01939
Exploits 0 • References 5 • Affected Software 2

Veracode • added 2024/07/15 9:36 a.m. • 10 views

Improper Restriction Of Excessive Authentication Attempts

xrdp is vulnerable to Improper Restriction of Excessive Authentication Attempts. The vulnerability is due to a configuration parameter MaxLoginRetry not effectively limiting the number of login attempts...

CVSS 9.8 • AI score 7 • EPSS 0.00602
Exploits 0 • References 3 • Affected Software 2

Veracode • added 2024/07/15 9:13 a.m. • 21 views

Remote Code Execution (RCE)

Microsoft.ChakraCore is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a memory corruption bug triggered by a crafted web page, which can result in Remote Code Execution (RCE)...

CVSS 8.8 • AI score 7.9 • EPSS 0.8249
Exploits 6 • References 14 • Affected Software 1

Veracode • added 2024/07/15 8:28 a.m. • 16 views

Denial Of Service (DoS)

Envoy is vulnerable to Denial of Service (DoS). The vulnerability is due to how Envoy invoked the nlohmann JSON library via source/common/json/jsoninternal.cc, which could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The vulnerability allows an...

CVSS 7.5 • AI score 7 • EPSS 0.00674
Exploits 1 • References 4 • Affected Software 1

Veracode • added 2024/07/15 7:56 a.m. • 25 views

Remote Code Execution (RCE)

org.apache.wicket:wicket-core is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsafe default XML parsing configuration, allowing attackers to inject malicious code that can execute arbitrary commands on the server through a crafted XSLT document...

CVSS 9.8 • AI score 8.5 • EPSS 0.02127
Exploits 0 • References 7 • Affected Software 1

Veracode • added 2024/07/15 7:24 a.m. • 17 views

SQL Injection

github.com/openclarity/kubeclarity is vulnerable to SQL Injection. The vulnerability is due to manipulating the packageID parameter in the /api/applicationResources endpoint, where the fmt.Sprintf function is used to build the SQL query string without validating the input. It allows an attacker t...

CVSS 6.5 • AI score 7.4 • EPSS 0.00443
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/15 7:16 a.m. • 24 views

Remote Code Execution (RCE)

Microsoft.ChakraCore is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a memory corruption bug which results from a crafted website, allowing an attacker to execute arbitrary code or cause a Denial of Service (DoS)...

CVSS 8.8 • AI score 8.1 • EPSS 0.79687
Exploits 6 • References 14 • Affected Software 1

Veracode • added 2024/07/15 5:11 a.m. • 15 views

Local File Inclusion (LFI)

solara is vulnerable to Local File Inclusion (LFI). The vulnerability is due to improper ../ validation within URI fragments when serving static files, which allows an attacker to manipulate the fragment part of the URI to read arbitrary files on the local file system, resulting in directory...

CVSS 8.6 • AI score 6.8 • EPSS 0.02884
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/12 8:56 a.m. • 11 views

Cross-Site Scripting (XSS)

auth0/wordpress is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling of the wle parameter, which could accept an arbitrary string and be improperly rendered on the login page, resulting in Cross-Site Scripting (XSS)...

CVSS 6.1 • AI score 6.3 • EPSS 0.00359
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/12 6:59 a.m. • 18 views

Authentication Bypass

github.com/nats-io/nats-server is vulnerable to Authentication bypass. The vulnerability is due to a failure to enforce negative user permissions in one scenario. Attackers can exploit this by using a queue subscription on the wildcard to access denied subjects...

CVSS 6.3 • AI score 6.6 • EPSS 0.00478
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/12 6:56 a.m. • 47 views

Regular Expression Denial Of Service (ReDoS)

Wagtail is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient regular expression handling in the parsequerystring process for long query strings without spaces, allowing attackers to submit crafted queries that consume excessive server resources and...

CVSS 6.5 • AI score 7 • EPSS 0.0061
Exploits 0 • References 5 • Affected Software 1

Veracode • added 2024/07/12 6:46 a.m. • 13 views

Arbitrary File Overwrite

aim is vulnerable to Arbitrary File Overwrite. The vulnerability is due to improper handling of the runhash and repo.path parameters in the backuprun-function, allowing any file on the host server to be overwritten and arbitrary data to be exfiltrated...

CVSS 9.8 • AI score 6.9 • EPSS 0.53394
Exploits 1 • References 4 • Affected Software 1

Veracode • added 2024/07/12 5:16 a.m. • 12 views

Incorrect Authorization

reddiscordbot is vulnerable to Incorrect Authorization. The vulnerability is due to the absence of a permission check in the commands.canmanagechannel command permission, allowing unauthorized users to execute commands intended for those with channel management permissions. Attackers can exploit...

CVSS 5.3 • AI score 7.5 • EPSS 0.0041
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/12 5:00 a.m. • 19 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /admins endpoint, allowing low privileged users to create high privileged users (admins), resulting in privilege escalation...

CVSS 9.9 • AI score 6.5 • EPSS 0.00435
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/12 4:54 a.m. • 12 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, DELETE /admins/adminId endpoints, allowing low privileged users to fetch, modify, or delete high privileged users (admins), resulting in unauthorize...

CVSS 9.9 • AI score 6.4 • EPSS 0.004
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/12 4:45 a.m. • 16 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, DELETE /webhooks/webhookId endpoints, allowing low privileged users to fetch, modify, or delete webhooks of any user, resulting in unauthorized...

CVSS 9.1 • AI score 6.6 • EPSS 0.00355
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/12 4:37 a.m. • 20 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /customers endpoint, allowing low privileged users to create customer accounts, resulting in unauthorized data manipulation...

CVSS 5 • AI score 6.5 • EPSS 0.00295
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/12 4:22 a.m. • 16 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /services endpoint, allowing low privileged users to create services for any user including admin, resulting in unauthorized data manipulation...

CVSS 7.7 • AI score 6.8 • EPSS 0.00327
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 10:50 a.m. • 15 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /secretaries endpoint, allowing low privileged users to create other low privileged users (secretaries), resulting in unauthorized data manipulation...

CVSS 7.7 • AI score 6.5 • EPSS 0.00327
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 10:44 a.m. • 15 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /providers endpoint, allowing low privileged users to create privileged users (providers), resulting in privilege escalation...

CVSS 8.8 • AI score 6.6 • EPSS 0.00349
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 10:40 a.m. • 11 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, and DELETE endpoints for /customers/customerId, allowing low privileged users to fetch, modify, or delete other low privileged users (customers)...

CVSS 9.9 • AI score 6.8 • EPSS 0.004
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 10:06 a.m. • 12 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, and DELETE endpoints for /settings/settingName, allowing low privileged users to fetch, modify, or delete settings of any user, including admin...

CVSS 9.9 • AI score 6.8 • EPSS 0.004
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 9:01 a.m. • 21 views

Denial Of Service (DoS)

Django is vulnerable to Denial of Service (DoS). The vulnerability is caused by insufficient input validation when handling very long strings containing specific characters in the django.utils.translation.getsupportedlanguagevariant function. This allows an attacker to exploit the function,...

CVSS 7.5 • AI score 6.5 • EPSS 0.28637
Exploits 0 • References 5 • Affected Software 2

Veracode • added 2024/07/11 8:56 a.m. • 16 views

Authorization Bypass

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, and DELETE endpoints for /services/serviceId, allowing low privileged users to fetch, modify, or delete services of any user, including admin...

CVSS 9.6 • AI score 6.8 • EPSS 0.0039
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 6:51 a.m. • 15 views

Path Traversal

Django is vulnerable to Path Traversal. The vulnerability is due to derived classes of the django.core.files.storage.Storage base class that override generatefilename without replicating the file-path validations from the parent class, potentially allowing path traversal via certain inputs during...

CVSS 4.3 • AI score 6.5 • EPSS 0.01008
Exploits 0 • References 5 • Affected Software 2

Veracode • added 2024/07/11 6:45 a.m. • 12 views

Cross Site Scripting

decidim-admin is vulnerable to Cross Site Scripting. The vulnerability is due to lack of input validation while modifying some records being uploaded to the server. An attacker can exploit this by altering records that get uploaded, leading to the execution of malicious scripts in the admin panel...

CVSS 5.4 • AI score 6.7 • EPSS 0.00341
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/11 6:37 a.m. • 10 views

Denial Of Service (DoS)

images is vulnerable to Denial of Service (DoS). The vulnerability is due to unexpected input types provided to multiple functions, which can result in a process crash. The attacker can cause a Segmentation fault error by providing specific integer values to the size function...

CVSS 7.5 • AI score 6.7 • EPSS 0.00597
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/11 6:33 a.m. • 7 views

Denial Of Service (DoS)

audify is vulnerable to Denial of Service (DoS). The vulnerability is due to frameSize not being checked for negative values when provided to the new OpusDecoder.decode or new OpusDecoder.decodeFloat functions, which can lead to a process crash...

CVSS 7.5 • AI score 6.7 • EPSS 0.00611
Exploits 0 • References 5 • Affected Software 1

Veracode • added 2024/07/11 6:27 a.m. • 9 views

Cross Site Scripting (XSS)

decidim is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to the pagination feature used in searches and filters, which is susceptible to XSS through a malformed URL using the GET parameter perpage. An attacker can exploit this by crafting a malicious URL to execute arbitrary scrip...

CVSS 7.1 • AI score 6.1 • EPSS 0.00417
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/11 6:21 a.m. • 11 views

Denial Of Service (DoS)

next is vulnerable to Denial of Service (DoS). The vulnerability is due to an unspecified bug which can trigger an application crash, resulting in Denial of Service (DoS)...

CVSS 7.5 • AI score 6.7 • EPSS 0.0049
Exploits 0 • References 1 • Affected Software 1

Veracode • added 2024/07/11 6:20 a.m. • 12 views

Authorization Bypass

org.opensearch.plugin, opensearch-observability is vulnerable to Authorization Bypass. The vulnerability is due to improper verification of the resource author, allowing attackers to access private tenant resources such as notebooks...

CVSS 5.4 • AI score 6.7 • EPSS 0.0029
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/11 6:19 a.m. • 13 views

Improper Access Control

ssddanbrown/bookstack is vulnerable to Improper Access Control. The vulnerability is due to the lack of proper validation in BookStack, allowing attackers to confirm existing system users and perform targeted notification email DoS via public facing forms...

CVSS 7.5 • AI score 6.7 • EPSS 0.00646
Exploits 0 • References 5 • Affected Software 1

Total number of security vulnerabilities: 38340