Summary The IBM® Engineering System Design Rhapsody 10.0 iFix001, The IBM® Engineering System Design Rhapsody 9.0.2 iFix002 and The IBM® Engineering System Design Rhapsody 9.0.1 iFix006 contain fixes for vulnerabilities identified in the Vulnerabilities Details section. The refererred iFix...
5.3CVSS
8AI Score
0.033EPSS
Vulnerabilities for packages: kubeflow-volumes-web-app, py3-flask-cors,...
5.3CVSS
5.5AI Score
0.0004EPSS
7.5AI Score
9.8CVSS
9.7AI Score
0.002EPSS
Malicious code in nespresso-design-system (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (e4df4d16cd100a965fef42c58150e9688849a5acfa8de2f809b3ed66f5ef9f29) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
7AI Score
CVE-2023-46136 vulnerabilities
Vulnerabilities for packages: airflow, py3-tensorflow-serving-api, kubeflow-volumes-web-app, kubeflow-jupyter-web-app,...
8CVSS
7.9AI Score
0.001EPSS
GHSA-HRFV-MQP8-Q5RW vulnerabilities
Vulnerabilities for packages: airflow, py3-tensorflow-serving-api, kubeflow-volumes-web-app, kubeflow-jupyter-web-app,...
7.5AI Score
Malicious code in scm-design-system-cra (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (a41692a79d6b73b049dbff75d56c8a18218a4878d024ef4c0da7b19b16ebab3a) The OpenSSF Package Analysis project identified 'scm-design-system-cra' @ 0.1.1 (npm) as malicious. It is considered malicious because: The...
7.1AI Score
GHSA-84PR-M4JR-85G5 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, py3-flask-cors,...
7.5AI Score
CVE-2023-45803 vulnerabilities
Vulnerabilities for packages: jwt-tool, py3-urllib3, py3-tensorflow-serving-api, kubeflow-volumes-web-app,...
4.2CVSS
7.1AI Score
0.0004EPSS
GHSA-V845-JXX5-VC9F vulnerabilities
Vulnerabilities for packages: py3-urllib3, kube-downscaler, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, k8s-sidecar,...
7.5AI Score
CVE-2023-43804 vulnerabilities
Vulnerabilities for packages: py3-urllib3, kube-downscaler, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, k8s-sidecar,...
8.1CVSS
7.6AI Score
0.001EPSS
GHSA-G4MX-Q9VG-27P4 vulnerabilities
Vulnerabilities for packages: jwt-tool, py3-urllib3, py3-tensorflow-serving-api, kubeflow-volumes-web-app,...
7.5AI Score
GHSA-2G68-C3QC-8985 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, kubeflow-jupyter-web-app, superset, py3.10-tensorflow-core,...
7.5AI Score
CVE-2024-34069 vulnerabilities
Vulnerabilities for packages: kubeflow-volumes-web-app, kubeflow-jupyter-web-app, superset, py3.10-tensorflow-core,...
7.5CVSS
7.7AI Score
0.0004EPSS
CVE-2024-34064 vulnerabilities
Vulnerabilities for packages: pytorch, py3-jinja2, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, superset, dask-gateway, reflex,...
5.4CVSS
6.1AI Score
0.0004EPSS
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in...
6.1CVSS
6.1AI Score
0.001EPSS
OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing...
8.8CVSS
6.8AI Score
0.001EPSS
The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of "opensisBackup.sql" (e.g....
9.8CVSS
7AI Score
0.001EPSS
The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of...
7.5CVSS
7AI Score
0.001EPSS
GHSA-H75V-3VVJ-5MFJ vulnerabilities
Vulnerabilities for packages: pytorch, py3-jinja2, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, superset, dask-gateway, reflex,...
7.5AI Score
Spring Framework URL Parsing with Host Validation
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL...
8.1CVSS
7.9AI Score
0.0004EPSS
GHSA-9WX4-H78V-VM56 vulnerabilities
Vulnerabilities for packages: jwt-tool, az, airflow, mlflow, k8s-sidecar, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, datadog-agent, superset, py3-cassandra-medusa, py3.10-tensorflow-core, kubeflow-pipelines, confluent-docker-utils,...
7.5AI Score
A vulnerability, which was classified as problematic, was found in Acumos Design Studio up to 2.0.7. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The name of.....
6.1CVSS
6.3AI Score
0.001EPSS
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting...
7.5CVSS
7.1AI Score
0.001EPSS
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or...
6.1CVSS
6.1AI Score
0.001EPSS
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in...
6.1CVSS
6.1AI Score
0.001EPSS
Spring Framework URL Parsing with Host Validation Vulnerability
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF...
8.1CVSS
7AI Score
0.0004EPSS
Spring Web vulnerable to Open Redirect or Server Side Request Forgery
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation...
8.1CVSS
6.7AI Score
0.0004EPSS
Server Side Request Forgery (SSRF)
org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forgery....
8.1CVSS
6.7AI Score
0.0004EPSS
Server Side Request Forgery (SSRF)
org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forgery....
8.1CVSS
8AI Score
0.0004EPSS
CVE-2024-35195 vulnerabilities
Vulnerabilities for packages: jwt-tool, az, airflow, mlflow, k8s-sidecar, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, datadog-agent, superset, py3-cassandra-medusa, py3.10-tensorflow-core, kubeflow-pipelines, confluent-docker-utils,...
5.6CVSS
6.1AI Score
0.0004EPSS
org.springframework: spring-web is vulnerable Open Redirect. The vulnerability is caused due to improper validation checks on the host of the parsed URL, which could lead to potential SSRF attacks if the URL is utilized...
8.1CVSS
7AI Score
0.0004EPSS
The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized...
9.8CVSS
7.7AI Score
0.001EPSS
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...
9.8CVSS
9.7AI Score
0.002EPSS
Spring Framework URL Parsing with Host Validation
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL...
8.1CVSS
6.5AI Score
0.0004EPSS
Vulnerabilities for packages: jwt-tool, py3-idna, az, kubeflow-pipelines-visualization-server, k8s-sidecar, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, datadog-agent, dask-gateway, py3-cassandra-medusa, ggshield, py3.10-tensorflow-core, kubeflow-pipelines, confluent-docker-utils,...
8AI Score
EPSS
GHSA-JJG7-2V4V-X38H vulnerabilities
Vulnerabilities for packages: jwt-tool, py3-idna, az, kubeflow-pipelines-visualization-server, k8s-sidecar, kubeflow-jupyter-web-app, kubeflow-volumes-web-app, datadog-agent, dask-gateway, py3-cassandra-medusa, ggshield, py3.10-tensorflow-core, kubeflow-pipelines, confluent-docker-utils,...
7.5AI Score
Spring Framework URL Parsing with Host Validation Vulnerability
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF...
8.1CVSS
7AI Score
0.0004EPSS
Spring Web vulnerable to Open Redirect or Server Side Request Forgery
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation...
8.1CVSS
7AI Score
0.0004EPSS
Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can...
5.3CVSS
5.9AI Score
0.001EPSS
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
9CVSS
8.1AI Score
0.001EPSS
Symfony Cross-Site Request Forgery vulnerability in the Web Profiler
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony WebProfiler bundle are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore....
7.4AI Score
EPSS
Multiple vulnerabilities in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager; Secure Email Gateway, formerly Email Security Appliance (ESA); and Secure Web Appliance could allow a remote attacker to conduct a cross-site scripting (XSS) attack...
5.9AI Score
0.0004EPSS
OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version...
6.1CVSS
6.8AI Score
0.0004EPSS
symfony is vulnerable to Code Injection. The vulnerability is due to lack of CSRF protection for the import/export feature, allowing attackers to exploit the PHP serialized string...
6.9AI Score
EPSS
OMERO.web must check that the JSONP callback is a valid function
Background There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/.... As we only really use these endpoints with jQuery's own callback name generation ^1 it is quite.....
6.1CVSS
6.6AI Score
0.0004EPSS
A SQL injection vulnerability in Grzegorz Marczynski Dynamic Progress Bar (aka web_progress) v. 11.0 through 11.0.2, v12.0 through v12.0.2, v.13.0 through v13.0.2, v.14.0 through v14.0.2.1, v.15.0 through v15.0.2, and v16.0 through v16.0.2.1 allows a remote attacker to gain privileges via the...
9.8CVSS
8.1AI Score
0.001EPSS
A vulnerability was found in ytti Oxidized Web. It has been classified as problematic. Affected is an unknown function of the file lib/oxidized/web/views/conf_search.haml. The manipulation of the argument to_research leads to cross site scripting. It is possible to launch the attack remotely. The.....
5.4CVSS
5.3AI Score
0.001EPSS
Reportico Web fails to invalidate cookies upon logout
An issue in Reportico Web before v.8.1.0. This vulnerability arises from the failure of the web application to properly invalidate session cookies upon logout. When a user logs out of the application, the session cookie should be invalidated to prevent unauthorized access. However, due to the...
6.4AI Score
EPSS