Herbs & Flowers Dictionary Project Security Vulnerabilities
AIX is vulnerable to security restrictions bypass due to cURL libcurl (CVE-2024-0853)
IBM SECURITY ADVISORY First Issued: Thu Jun 20 15:10:42 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/curl_advisory5.asc Security Bulletin: AIX is vulnerable to security restrictions bypass due to cURL libcurl...
5.3CVSS
6.2AI Score
0.001EPSS
Impact An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies (such as permissive instead of strict) to potentially use artifacts with signatures that are no...
6.8CVSS
7.1AI Score
0.001EPSS
CVE-2024-31990 Argo CD' API server does not enforce project sourceNamespaces
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and...
4.8CVSS
5.2AI Score
0.0004EPSS
CVE-2023-49675 CODESYS: Out-of-bounds write through corrupted project files
An unauthenticated local attacker may trick a user to open corrupted project files to execute arbitrary code or crash the system due to an out-of-bounds write...
7.8CVSS
8.2AI Score
0.001EPSS
Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt...
5CVSS
5.1AI Score
0.0004EPSS
Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt...
5CVSS
6.1AI Score
0.0004EPSS
ntpd has Dependency on Vulnerable Third-Party Component
During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki. Impact This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS Patches...
6.9AI Score
Directory creation by malicious user in saltstack
Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt...
5CVSS
5.1AI Score
0.0004EPSS
AIX is affected by information disclosure due to Python (CVE-2024-28757)
IBM SECURITY ADVISORY First Issued: Thu Jun 13 15:37:38 CDT 2024 The most recent version of this document is available here: https://aix.software.ibm.com/aix/efixes/security/python_advisory9.asc Security Bulletin: AIX is affected by information disclosure due to Python (CVE-2024-28757)...
7.3AI Score
0.0004EPSS
GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to...
6.5CVSS
6.4AI Score
0.001EPSS
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol.....
5.3CVSS
7AI Score
0.041EPSS
Directory creation by malicious user in saltstack
Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt...
5CVSS
6.6AI Score
0.0004EPSS
Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbitrary directory on a Salt...
5CVSS
5.1AI Score
0.0004EPSS
Exploit for Deserialization of Untrusted Data in Apache Log4J
Vm4J A tool for detect vmware product log4j vulnerability....
8.8AI Score
GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This...
5.4CVSS
7.4AI Score
0.001EPSS
SP Project & Document Manager <= 4.71 - Data Update via IDOR
Description The plugin is missing validation in its upload function, allowing a user to manipulate the user_id to make it appear that a file was uploaded by another...
6.7AI Score
0.0004EPSS
Exploit for SQL Injection in Progress Moveit Cloud
CVE-2023-34362 POC for CVE-2023-34362 affecting MOVEit...
9.8CVSS
8.4AI Score
0.969EPSS
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Ncast Project Ncast
cve-2024-0305exp cve-2024-0305可用的exp,如需引用请转明出处,感谢! 0x01...
7.5CVSS
6.8AI Score
0.01EPSS
uWebSockets 18.11.0 and 18.12.0 has a stack-based buffer overflow in uWS::TopicTree::trimTree (called from uWS::TopicTree::unsubscribeAll). NOTE: the vendor's position is that this is "a minor issue or not even an issue at all" because the developer of an application (that uses uWebSockets) should....
8.8CVSS
8.9AI Score
0.006EPSS
CVE-2024-3749 SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR
The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another...
6.5AI Score
0.0004EPSS
CVE-2024-3749 SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR
The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controllers and allows a logged in user to view and download files belonging to another...
6.6AI Score
0.0004EPSS
Ecava IntegraXor < 4.1.4369 Project Directory Information Disclosure
The version of IntegraXor installed on the remote host is a version prior to 4.1 Build 4369. It is, therefore, reportedly affected by an information disclosure vulnerability due to credentials being stored in plaintext. An attacker can potentially exploit this vulnerability to disclose credentials....
3.5AI Score
CVE-2024-5519 ItsourceCode Learning Management System Project In PHP login.php sql injection
A vulnerability classified as critical was found in ItsourceCode Learning Management System Project In PHP 1.0. This vulnerability affects unknown code of the file login.php. The manipulation of the argument user_email leads to sql injection. The attack can be initiated remotely. The exploit has...
7.3CVSS
7.6AI Score
0.0004EPSS
CVE-2024-5519 ItsourceCode Learning Management System Project In PHP login.php sql injection
A vulnerability classified as critical was found in ItsourceCode Learning Management System Project In PHP 1.0. This vulnerability affects unknown code of the file login.php. The manipulation of the argument user_email leads to sql injection. The attack can be initiated remotely. The exploit has...
7.3CVSS
7.6AI Score
0.0004EPSS
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue....
7.5CVSS
7.5AI Score
0.008EPSS
Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting
h3. Issue Summary When using the open-source [Jira Python library|https://github.com/pycontribs/jira] to make REST API calls to Jira, if [cookie-based authentication|https://jira.readthedocs.io/examples.html#cookie-based-authentication] is used then Jira's rate limits will be bypassed. This can...
6.9AI Score
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native...
9.8CVSS
7.8AI Score
0.001EPSS
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the...
9.8CVSS
7.9AI Score
0.001EPSS
Malicious code in webpack-cli.legacy (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (22737261df7f74819a3f3f968e6516db5e37f6621827d6148b290f7650b9992f) The OpenSSF Package Analysis project identified 'webpack-cli.legacy' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package.....
7.1AI Score
Malicious code in fkletbbpoc (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (125b0aa54538899871c0071ae4b76678012092032ff03d6ad08c4ecf1a2fc7d7) The OpenSSF Package Analysis project identified 'fkletbbpoc' @ 0.0.1 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
Malicious code in commentrating (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (87db588ebd8e7a42cbbbbf7fc21caa36fc553172a0ff4c4e9a58ce9354d62e7f) The OpenSSF Package Analysis project identified 'commentrating' @ 99.9.1 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
Malicious code in verycoolzpac2 (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (50b609e8ebccac67716745b1447224238ae17c0a78499f90c48aa684d971cded) The OpenSSF Package Analysis project identified 'verycoolzpac2' @ 0.0.3 (npm) as malicious. It is considered malicious because: - The package...
6.9AI Score
Malicious code in idcs-dialog (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (1f9e71c07d690c8293d57afe2530d560684f82b76c844f9904256c1d330fc5af) The OpenSSF Package Analysis project identified 'idcs-dialog' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public...
7.5CVSS
6.6AI Score
0.001EPSS
Malicious code in falsepositivecheck6969 (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (cef392714b654bd14df8ba24c491e8844b54e08fee392bff62632f7f3e5d6fa1) The OpenSSF Package Analysis project identified 'falsepositivecheck6969' @ 9999.9.9 (npm) as malicious. It is considered malicious because: - The...
7.1AI Score
Malicious code in zsbpwebsdktest (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (347bc418b55e9092cd6a48ff3f93f328085fa2c4192ba6dc2c5cf062c3d10c20) The OpenSSF Package Analysis project identified 'zsbpwebsdktest' @ 9999.99.91 (npm) as malicious. It is considered malicious because: - The package....
7.1AI Score
Malicious code in zsbpwebsdk (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (bf63d69adabe277a69df70ff7c39dd42b81fad4f512f8204458dc438d7edfb7d) The OpenSSF Package Analysis project identified 'zsbpwebsdk' @ 9999.9.9 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
Malicious code in stateful-fastclick (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (5a06e5b71a04fa67ca20937e8e438c638644db87d181799a046d22c568e6c4c5) The OpenSSF Package Analysis project identified 'stateful-fastclick' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package.....
7.1AI Score
Malicious code in myattenuator (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (ea4131b4858e840e02fe12b2a8719cfe85598245a84e842b917dd595ea1af4e4) The OpenSSF Package Analysis project identified 'myattenuator' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is...
6.1CVSS
5.9AI Score
0.001EPSS
GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user...
8.1CVSS
6.8AI Score
0.001EPSS
Malicious code in policycms (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6fcf99ac2d853174c6d17fd728c94d9fd33306bddfc79312ba47ffe026e42606) The OpenSSF Package Analysis project identified 'policycms' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
Malicious code in back-alley (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (83d1eb07b6ba84ecc98bdd4ad2a1313b540e69509c08d8d66f4b2fe54a1986a7) The OpenSSF Package Analysis project identified 'back-alley' @ 1.1.0 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
Malicious code in confusedatma (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (5708cd21986870186d2bf74eddcd5583472dd093668db44c4be3d889ce1417df) The OpenSSF Package Analysis project identified 'confusedatma' @ 9.9.9 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score
go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using ParseVector, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag v0.4.0, by...
7.5CVSS
6.7AI Score
0.001EPSS
GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to...
8.1CVSS
7.7AI Score
0.001EPSS
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to...
4.3CVSS
6.3AI Score
0.0004EPSS
Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain...
4.3CVSS
4.3AI Score
0.001EPSS
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the...
8.8CVSS
7.8AI Score
0.001EPSS
Malicious code in smart-commons (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (3d5cef67a87cd4a497f6879379a3829535212f7d703197ce6d3130dd03fd2da6) The OpenSSF Package Analysis project identified 'smart-commons' @ 19.6.1 (npm) as malicious. It is considered malicious because: - The package...
7.1AI Score