Recently added

xml2rfc has file inclusion irregularities

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new –allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references. It was discovered that xml2rfc does not respect –allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below …

SFTPGo has insufficient sanitization of user provided rsync command

SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being rsync: it is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided rsync command, an authenticated remote user can use some options of …

SFTPGo has insufficient sanitization of user provided rsync command

SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being rsync: it is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided rsync command, an authenticated remote user can use some options of …

Connect-CMS information that is restricted to viewing is visible

Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0). Impact by version v1.8.0 ~ v1.8.3: It will be displayed in the text. v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link. Target viewing restriction function Frame …

Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts

Withdrawn Advisory This advisory has been withdrawn because it is not a vulnerability in the Sylius framework. This link is maintained to preserve external references. Original Description A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users.

Recently updated

Code Injection in PHPUnit

Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

Connection leaking on idle timeout when TCP congested

If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed …

Connection leaking on idle timeout when TCP congested

If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed …