Herbs & Flowers Dictionary Project Security Vulnerabilities

osv

CVE-2022-39373

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to.....

4.9 CVSS

7 AI Score

0.001 EPSS

2022-11-03 04:15 PM
osv

Malicious code in pd-ui-kit (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b46ebcb2f76102916a1ab764b5af360b8c6cdd1dc56a269538132bcc4e307983) The OpenSSF Package Analysis project identified 'pd-ui-kit' @ 1.5.1 (npm) as malicious. It is considered malicious because: The package...

7.3 AI Score

2024-01-18 05:30 AM
osv

CVE-2023-42462

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version...

9.1 CVSS

7.1 AI Score

0.0005 EPSS

2023-09-27 03:19 PM
nvd

CVE-2018-5389

The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known that the aggressive mode of IKEv1 PSK is vulnerable to offline...

5.9 CVSS

5.9 AI Score

0.003 EPSS

2018-09-06 09:29 PM
osv

CVE-2023-23613

OpenSearch is an open source distributed and RESTful search engine. In affected versions there is an issue in the implementation of field-level security (FLS) and field masking where rules written to explicitly exclude fields are not correctly applied for certain queries that rely on their...

6.5 CVSS

6.1 AI Score

0.001 EPSS

2023-01-26 09:18 PM
osv

CVE-2022-41918

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data...

6.3 CVSS

6.4 AI Score

0.001 EPSS

2022-11-15 11:15 PM
osv

CVE-2023-34106

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should...

6.5 CVSS

6.9 AI Score

0.001 EPSS

2023-07-05 06:15 PM
osv

CVE-2023-36808

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native.....

9.8 CVSS

8 AI Score

0.001 EPSS

2023-07-05 09:15 PM
osv

BIT-argo-cd-2024-36106

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This....

4.3 CVSS

4.3 AI Score

0.0004 EPSS

2024-06-08 07:16 AM
osv

CVE-2023-41326

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end up with...

8.8 CVSS

7.1 AI Score

0.001 EPSS

2023-09-27 03:19 PM
osv

CVE-2023-41320

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be used to...

9.8 CVSS

8.3 AI Score

0.001 EPSS

2023-09-27 03:19 PM
osv

Malicious code in internal-udfc-pkg (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (25708e4f5f0536339a12c9bf28e659c821359f2733ff51d193cd6d74443c3650) The OpenSSF Package Analysis project identified 'internal-udfc-pkg' @ 5.5.5 (npm) as malicious. It is considered malicious because: The package...

7.3 AI Score

2024-06-25 06:36 PM
osv

CVE-2023-22722

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploitation, the attacker can make actions as the...

6.8 CVSS

6.6 AI Score

0.001 EPSS

2023-01-26 09:18 PM
osv

Malicious code in tempomati-omega-5-emcuf311 (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (865979d6590ceed06ce4e4e3bcc1ad05be4caec6967f82f7654fa9e709ca97fc) The OpenSSF Package Analysis project identified 'tempomati-omega-5-emcuf311' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The.....

7.3 AI Score

2023-05-01 12:48 PM
osv

Malicious code in tempomati-omega-5-emcuf5 (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6f86820db1cc72b3ab2076578417815de7e0bc83b54e954f68b41a7adf28dd66) The OpenSSF Package Analysis project identified 'tempomati-omega-5-emcuf5' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The...

7.3 AI Score

2023-05-01 12:50 PM
osv

CVE-2023-42461

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised.....

9.8 CVSS

8.1 AI Score

0.001 EPSS

2023-09-27 03:19 PM
osv

CVE-2023-22724

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS...

6.2 CVSS

6 AI Score

0.001 EPSS

2023-01-26 09:18 PM
osv

Malicious code in comet-chat-react-ui-kit (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (9a6f38c4d9dd2413e237c8d146d5fcf11d04f613910b552a32a52b3e4cf199f6) The OpenSSF Package Analysis project identified 'comet-chat-react-ui-kit' @ 1.0.1 (npm) as malicious. It is considered malicious because: The...

7.4 AI Score

2024-06-20 03:22 AM
ubuntucve

CVE-2024-6323

Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker to leak content of a private repository in a public project.

Notes

Author | Note
--- | ---
alexmurray | Only affects GitLab...

7.5 CVSS

6.6 AI Score

0.001 EPSS

2024-07-01 12:00 AM
osv

Malicious code in nt4padyp3 (PyPI)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6999b5e1cf4a39c5ee73a61b953c0592465267806362b2485d61f8372242370d) The OpenSSF Package Analysis project identified 'nt4padyp3' @ 0.0.2 (pypi) as malicious. It is considered malicious because: The package executes...

7.4 AI Score

2024-06-17 12:35 PM
osv

Malicious code in test-pkg-blabla (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (3bfaca810c52dc5570fa40d75892333e31b5783eb2daa0f64c6db415c0e4ef79) The OpenSSF Package Analysis project identified 'test-pkg-blabla' @ 1.0.11 (npm) as malicious. It is considered malicious because: The package...

7.1 AI Score

2024-06-09 06:00 PM
cve

CVE-2018-5389

The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known that the aggressive mode of IKEv1 PSK is vulnerable to offline...

5.9 CVSS

5.6 AI Score

0.003 EPSS

2018-09-06 09:29 PM
cvelist

CVE-2018-5389

The Internet Key Exchange v1 main mode is vulnerable to offline dictionary or brute force attacks. Reusing a key pair across different versions and modes of IKE could lead to cross-protocol authentication bypasses. It is well known that the aggressive mode of IKEv1 PSK is vulnerable to offline...

5.6 AI Score

0.003 EPSS

2018-09-06 09:00 PM
osv

CVE-2024-36106

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This....

4.3 CVSS

6.4 AI Score

0.0004 EPSS

2024-06-06 03:15 PM
osv

Malicious code in tempomati-omega-69-emcuf7 (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (a012c605870034511688f664880e997bc8423cd7707f3de28326adc144f4fb4a) The OpenSSF Package Analysis project identified 'tempomati-omega-69-emcuf7' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The...

7.3 AI Score

2023-05-01 01:15 PM
osv

Malicious code in cptalertbox (npm)

-= Per source details. Do not edit below this line.=- Source: checkmarx (88c1f10ff1d7a9b89a479bd30b9548a7adc533c677f7913c88563b08e9d28814) Malicious packages campaign since 2021 targeting developers, steals source code and secrets Source: ossf-package-analysis...

7.2 AI Score

2023-05-29 12:00 AM
nuclei

IceWarp Mail Server v10.4.5 - Cross-Site Scripting

IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color...

6.1 CVSS

6.1 AI Score

0.001 EPSS

2023-10-17 07:20 AM
nessus

Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU)

According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.4 prior to 8.4.15.10, 15.x prior to 15.2.18.4, 16.x prior to 16.2.17.2, 17.x prior to 17.12.12.0, or 18.x prior to 18.8.8.0. It...

7.5 CVSS

7.6 AI Score

0.974 EPSS

2019-04-19 12:00 AM
ubuntucve

CVE-2024-2191

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a merge request title to be visible publicly despite being set as project members only.

Notes

Author | Note...

5.3 CVSS

6.5 AI Score

0.0005 EPSS

2024-07-01 12:00 AM
veracode

Authentication Bypass

ghost is vulnerable to Authentication Bypass. The vulnerability is caused due to the misuse of multiple X-Forwarded-For headers with different values, which allows remote attackers to bypass the rate-limit protection mechanism. Note that the project recommends a reverse proxy to prevent this...

7 AI Score

0.0004 EPSS

2024-06-18 04:28 AM
osv

Malicious code in wordpress-theme-core (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (11ba6949abd5e27add3ceeb9c4709ae17be63d4831af09c7f34ca236d3b06b8e) The OpenSSF Package Analysis project identified 'wordpress-theme-core' @ 0.0.123 (npm) as malicious. It is considered malicious because: The...

7.3 AI Score

2024-06-20 03:28 PM
github

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:). Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission. Acknowledgements:...

6 CVSS

7 AI Score

0.0004 EPSS

2024-04-17 05:33 PM
osv

Malicious code in @yu-life/react-native-yu-watch (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (461986fa4cbfe6bda33bdb99901a4c0f05e00934b4a3c5b529f1236dba9d4b1b) The OpenSSF Package Analysis project identified '@yu-life/react-native-yu-watch' @ 1.0.1 (npm) as malicious. It is considered malicious because: ...

7.3 AI Score

2024-06-28 04:27 PM
osv

Malicious code in tyk-developer-portal (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (9470d0dbad461aef3c32477548b1436fddb07b774a50e7d8aba76571f473eb30) The OpenSSF Package Analysis project identified 'tyk-developer-portal' @ 1.0.0 (npm) as malicious. It is considered malicious because: The...

7.3 AI Score

2024-06-20 02:11 PM
osv

CVE-2023-26242

afu_mmio_region_get_by_offset in drivers/fpga/dfl-afu-region.c in the Linux kernel through 6.1.12 has an integer...

7.8 CVSS

6.3 AI Score

0.0004 EPSS

2023-02-21 01:15 AM
osv

Malicious code in importlib-metadate (PyPI)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (540e9c9d054904f5342d684bd5cabf212fdbe7e4d20bac7407c937a6b8264cab) The OpenSSF Package Analysis project identified 'importlib-metadate' @ 99.99 (pypi) as malicious. It is considered malicious because: The package...

7.4 AI Score

2024-06-17 12:41 PM
osv

STRIMZI incorrect access control

Incorrect access control in the Kafka Connect REST API in the STRIMZI Project 0.41.0 and earlier allows an attacker to deny the service for Kafka Mirroring, potentially mirror the topics' content to his Kafka cluster via a malicious connector (bypassing Kafka ACL if it exists), and potentially...

6.8 AI Score

0.0004 EPSS

2024-06-17 09:31 PM
osv

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:). Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission. Acknowledgements:...

6 CVSS

6.8 AI Score

0.0004 EPSS

2024-04-17 05:33 PM
osv

Malicious code in airbnb-o2 (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (15a37bd4059b76c7466684dfbc565c913af0ab4af849c5a643ce44d3bb7a4a6e) The OpenSSF Package Analysis project identified 'airbnb-o2' @ 13.37.1 (npm) as malicious. It is considered malicious because: The package...

7.1 AI Score

2024-06-17 12:09 AM
osv

CVE-2023-41888

GLPI (Gestionnaire Libre de Parc Informatique) is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page.....

5.4 CVSS

7 AI Score

0.0005 EPSS

2023-09-27 03:19 PM
osv

CVE-2023-22500

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allows unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessible by...

7.5 CVSS

6.8 AI Score

0.001 EPSS

2023-01-26 09:18 PM
osv

CVE-2022-39371

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has.....

7.5 CVSS

6.5 AI Score

0.001 EPSS

2022-11-03 04:15 PM
nuclei

GLPI 9.2/<9.5.6 - Information Disclosure

GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...

5.3 CVSS

5.2 AI Score

0.001 EPSS

2022-06-08 08:10 AM
githubexploit

Exploit for CVE-2024-29895

CVE-2024-29895 - RCE ON CACTI [!WARNING] This is an...

10 CVSS

7.8 AI Score

0.001 EPSS

2024-05-17 10:03 PM
osv

CVE-2023-0223

An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is...

5.3 CVSS

5.9 AI Score

0.001 EPSS

2023-03-09 09:15 PM
osv

CVE-2021-4158

A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service...

6 CVSS

5.7 AI Score

0.001 EPSS

2022-08-24 04:15 PM
osv

Malicious code in employee-schedule (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (71b36d3a13dcd71ba835e490919b150ec8fbc7de88517906ec7aecaaf89dcbab) The OpenSSF Package Analysis project identified 'employee-schedule' @ 99.9.2 (npm) as malicious. It is considered malicious because: The package...

7.1 AI Score

2024-06-15 12:29 PM
osv

CVE-2023-46407

FFmpeg prior to commit bf814 was discovered to contain an out of bounds read via the dist->alphabet_size variable in the read_vlc_prefix()...

5.5 CVSS

7.4 AI Score

0.001 EPSS

2023-10-27 08:15 PM
nuclei

Drupal avatar_uploader v7.x-1.0-beta8 - Local File Inclusion

In avatar_uploader v7.x-1.0-beta8 the view.php program doesn't restrict file paths, allowing unauthenticated users to retrieve arbitrary...

7.5 CVSS

7.5 AI Score

0.022 EPSS

2021-10-11 11:22 AM
Total number of security vulnerabilities: 105331