CAGE Web Design | Rolf Van Gelder Security Vulnerabilities

Malicious code in hearsay-design-system (npm)

-= Per source details. Do not edit below this...

Malicious code in design-system (npm)

-= Per source details. Do not edit below this...

Malicious code in inside-design-stencil (npm)

-= Per source details. Do not edit below this...

Malicious code in design-system-components (npm)

-= Per source details. Do not edit below this...

CVE-2024-1681 vulnerabilities

Vulnerabilities for packages: py3-flask-cors, kubeflow-jupyter-web-app,...

Security Bulletin: Security fixes available for The IBM® Engineering System Design Rhapsody products on IBM Jazz Technology

Summary The IBM® Engineering System Design Rhapsody 10.0 iFix001, The IBM® Engineering System Design Rhapsody 9.0.2 iFix002 and The IBM® Engineering System Design Rhapsody 9.0.1 iFix006 contain fixes for vulnerabilities identified in the Vulnerabilities Details section. The refererred iFix...

GHSA-X7M3-JPRG-WC5G vulnerabilities

Vulnerabilities for packages: kubeflow-jupyter-web-app,...

CVE-2023-41419 vulnerabilities

Vulnerabilities for packages: kubeflow-jupyter-web-app,...

GHSA-84PR-M4JR-85G5 vulnerabilities

Vulnerabilities for packages: py3-flask-cors, kubeflow-jupyter-web-app,...

CVE-2023-45803 vulnerabilities

Vulnerabilities for packages: py3-urllib3, kubeflow-volumes-web-app, jwt-tool, kubeflow-jupyter-web-app,...

GHSA-G4MX-Q9VG-27P4 vulnerabilities

Vulnerabilities for packages: py3-urllib3, kubeflow-volumes-web-app, jwt-tool, kubeflow-jupyter-web-app,...

GHSA-2G68-C3QC-8985 vulnerabilities

Vulnerabilities for packages: py3-werkzeug, py3.10-tensorflow-core, kubeflow-volumes-web-app, superset,...

CVE-2024-34069 vulnerabilities

Vulnerabilities for packages: py3-werkzeug, py3.10-tensorflow-core, kubeflow-volumes-web-app, superset,...

CVE-2024-34064 vulnerabilities

Vulnerabilities for packages: reflex, dask-gateway, py3-jinja2, confluent-docker-utils, kubeflow-volumes-web-app, superset, kubeflow-jupyter-web-app,...

GHSA-H75V-3VVJ-5MFJ vulnerabilities

Vulnerabilities for packages: reflex, dask-gateway, py3-jinja2, confluent-docker-utils, kubeflow-volumes-web-app, superset, kubeflow-jupyter-web-app,...

CVE-2023-46136 vulnerabilities

Vulnerabilities for packages: py3-werkzeug, kubeflow-volumes-web-app, kubeflow-jupyter-web-app, airflow,...

GHSA-HRFV-MQP8-Q5RW vulnerabilities

Vulnerabilities for packages: py3-werkzeug, kubeflow-volumes-web-app, kubeflow-jupyter-web-app, airflow,...

SonarQube logs sensitive information

In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs,...

GHSA-V845-JXX5-VC9F vulnerabilities

Vulnerabilities for packages: dask-gateway, py3-urllib3, kubeflow-volumes-web-app, kube-downscaler, kubeflow-jupyter-web-app,...

CVE-2023-43804 vulnerabilities

Vulnerabilities for packages: dask-gateway, py3-urllib3, kubeflow-volumes-web-app, kube-downscaler, kubeflow-jupyter-web-app,...

CVE-2024-37891 vulnerabilities

Vulnerabilities for packages: mlflow, dask-gateway, ggshield, kubeflow-katib, az, confluent-docker-utils, py3-urllib3, kubeflow-volumes-web-app, superset, py3-cassandra-medusa, k8s-sidecar, kubeflow-jupyter-web-app, airflow, reflex,...

GHSA-9WX4-H78V-VM56 vulnerabilities

Vulnerabilities for packages: mlflow, patroni, ggshield, kubeflow-katib, az, confluent-docker-utils, py3.10-tensorflow-core, kubeflow-volumes-web-app, superset, jwt-tool, py3-cassandra-medusa, k8s-sidecar, kubeflow-jupyter-web-app, airflow, datadog-agent, reflex,...

Malicious code in scm-design-system-cra (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (a41692a79d6b73b049dbff75d56c8a18218a4878d024ef4c0da7b19b16ebab3a) The OpenSSF Package Analysis project identified 'scm-design-system-cra' @ 0.1.1 (npm) as malicious. It is considered malicious because: The...

Malicious code in apm-web-vitals (npm)

-= Per source details. Do not edit below this...

GHSA-34JH-P97F-MPXF vulnerabilities

Vulnerabilities for packages: mlflow, dask-gateway, ggshield, kubeflow-katib, az, confluent-docker-utils, py3-urllib3, kubeflow-volumes-web-app, superset, py3-cassandra-medusa, k8s-sidecar, kubeflow-jupyter-web-app, airflow, reflex,...

GHSA-JJG7-2V4V-X38H vulnerabilities

Vulnerabilities for packages: dask-gateway, ggshield, kubeflow-katib, az, confluent-docker-utils, py3.10-tensorflow-core, kubeflow-volumes-web-app, jwt-tool, py3-cassandra-medusa, k8s-sidecar, kubeflow-jupyter-web-app, kubeflow-pipelines-visualization-server, datadog-agent, py3-idna,...

CVE-2024-3651 vulnerabilities

Vulnerabilities for packages: dask-gateway, ggshield, kubeflow-katib, az, confluent-docker-utils, py3.10-tensorflow-core, kubeflow-volumes-web-app, jwt-tool, py3-cassandra-medusa, k8s-sidecar, kubeflow-jupyter-web-app, kubeflow-pipelines-visualization-server, datadog-agent, py3-idna,...

Malicious code in nespresso-design-system (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (e4df4d16cd100a965fef42c58150e9688849a5acfa8de2f809b3ed66f5ef9f29) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL...

CVE-2024-35195 vulnerabilities

Vulnerabilities for packages: mlflow, patroni, ggshield, kubeflow-katib, az, confluent-docker-utils, py3.10-tensorflow-core, kubeflow-volumes-web-app, superset, jwt-tool, py3-cassandra-medusa, k8s-sidecar, kubeflow-jupyter-web-app, airflow, datadog-agent, reflex,...

Spring Framework URL Parsing with Host Validation Vulnerability

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF...

Spring Web vulnerable to Open Redirect or Server Side Request Forgery

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation...

Malicious code in epc-staticpages-web (npm)

-= Per source details. Do not edit below this...

Malicious code in dist-web (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (ff355bd5f2422ce630aeb0652869d4bdaa8f3f18cf576fc60a76588f3acf36b4) The OpenSSF Package Analysis project identified 'dist-web' @ 99.1.1 (npm) as malicious. It is considered malicious because: - The package...

Malicious code in identity-web (npm)

-= Per source details. Do not edit below this...

Open Redirect

org.springframework: spring-web is vulnerable Open Redirect. The vulnerability is caused due to improper validation checks on the host of the parsed URL, which could lead to potential SSRF attacks if the URL is utilized...

Server Side Request Forgery (SSRF)

org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forgery....

Server Side Request Forgery (SSRF)

org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forgery....

Malicious code in virtuoso-web-chat (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (09f5be1f1f3cad8c43378afb0ddb0aed39e00e1e3169ff5e1559ab4c39d1bf06) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in sift-web-sdk (npm)

-= Per source details. Do not edit below this...

Malicious code in grablink-web-sdk (npm)

-= Per source details. Do not edit below this...

Malicious code in plumo-verifier-web (npm)

-= Per source details. Do not edit below this...

Malicious code in spg-web-tools-compressor (npm)

-= Per source details. Do not edit below this...

Spring Web vulnerable to Open Redirect or Server Side Request Forgery

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation...

Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL...

Spring Framework URL Parsing with Host Validation Vulnerability

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF...

CVE-2022-46478

The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized...

CVE-2015-5236

It was discovered that the IcedTea-Web used codebase attribute of the tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase...

Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Secure Email Gateway, formerly Email Security Appliance (ESA); and Secure Web Appliance could allow a remote attacker to conduct a cross-site scripting (XSS) attack...

CVE-2021-4236

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...