Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory Database within 0.7 days (on average).

GHSA-hcvf-pfrm-jxgf, CVE-2023-24451

Missing Authorization in maven/org.jenkins-ci.plugins/cisco-spark-notifier-plugin

A missing permission check in Jenkins Cisco Spark Notifier Plugin 1.1.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Added on 2023-02-03

GHSA-3fwq-qv5v-2wxf, CVE-2020-36651

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in npm/web-node-server

A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation leads to path traversal. The name of the patch is c4c0f0138ab5afbac58e03915d446680421bde28. It is recommended to apply a patch to fix this issue. The identifier VDB-218461 was assigned to this vulnerability.

Added on 2023-02-03

GHSA-6j27-3xfw-cj2w, CVE-2023-24438

Missing permissions check in Jenkins JIRA Pipeline Steps Plugin in maven/org.jenkins-ci.plugins/jira-steps

A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2023-02-03

GHSA-pj97-r83v-vj7f, CVE-2023-0608

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/microweber/microweber

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.

Added on 2023-02-03

GHSA-m2hm-hrr2-6p2q, CVE-2019-10215

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/bassjobsen/bootstrap-3-typeahead

Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.

Added on 2023-02-03

GHSA-qwx8-mxxx-mg96, CVE-2023-0609

Improper Authorization in packagist/wallabag/wallabag

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

Added on 2023-02-03

GHSA-mrqx-mjc4-vfh3, CVE-2023-0610

Improper Authorization in packagist/wallabag/wallabag

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

Added on 2023-02-03

GHSA-xjch-wqmw-fgcp, CVE-2019-10388

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/relution-publisher

A cross-site request forgery vulnerability in Jenkins Relution Enterprise Appstore Publisher Plugin 1.24 and earlier allows attackers to have Jenkins initiate an HTTP connection to an attacker-specified server.

Added on 2023-02-03

GHSA-prcg-mc23-hgjh, CVE-2020-22452

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/phpmyadmin/phpmyadmin

SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php.

Added on 2023-02-03

GHSA-r4rv-cq77-6p24, CVE-2019-10359

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins.m2release/m2release

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

Added on 2023-02-03

GHSA-p4xx-w6fr-c4w9, CVE-2023-25015

Cross-Site Request Forgery (CSRF) in gem/clockwork_web

Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF.

Added on 2023-02-03

GHSA-2275-rpf5-xv8h, CVE-2022-25906

is-http2 vulnerable to Command Injection in npm/is-http2

All versions of the package is-http2 are vulnerable to Command Injection because the input passed to the isH2 function is used without sanitization, other checks, or sandboxing.

Added on 2023-02-03

CVE-2022-25927

Inefficient Regular Expression Complexity in npm/ua-parser-js

Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, and from 0.8.1 and before 1.0.33, are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.

Added on 2023-02-03

GHSA-q9p5-w2v9-6wxf, CVE-2023-24977

Out-of-bounds Read in maven/org.apache.inlong/inlong

Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.

Added on 2023-02-03

GHSA-6fxv-38xc-h866, CVE-2009-0026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.jackrabbit/jackrabbit

Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.

Added on 2023-02-03

GHSA-22j4-qc48-j8f8, CVE-2023-24997

Deserialization of Untrusted Data in maven/org.apache.inlong/inlong

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223 to solve it.

Added on 2023-02-03

GHSA-rx76-xw35-6rh8, CVE-2022-44644

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.linkis/linkis

In Apache Linkis <=1.3.0, when used with MySQL Connector/J, an authenticated attacker could read arbitrary local files by pointing a datasource at a rogue MySQL server with allowLoadLocalInfile set to true in the JDBC parameters. Therefore, the parameters in the JDBC URL should be block-listed. Versions of Apache Linkis <= 1.3.0 are affected. We recommend users upgrade Linkis to version 1.3.1.

Added on 2023-02-02

GHSA-r4hg-4cpq-q57c, CVE-2022-25979

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/jsuites

Versions of the package jsuites before 5.0.1 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the Editor() function.

Added on 2023-02-02

GHSA-rc47-6667-2j5j, CVE-2022-25881

http-cache-semantics vulnerable to Regular Expression Denial of Service in npm/http-cache-semantics

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Added on 2023-02-02

GHSA-36fh-84j7-cv5h, CVE-2022-48285

JSZip contains Path Traversal via loadAsync in npm/jszip

loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.

Added on 2023-02-02

GHSA-rc47-6667-2j5j, CVE-2022-25881

http-cache-semantics vulnerable to Regular Expression Denial of Service in maven/org.webjars.npm/http-cache-semantics

This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

Added on 2023-02-02

CVE-2022-38266

Divide By Zero in conan/leptonica

An issue in the Leptonica linked library (v1.79.0) allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file.

Added on 2023-02-02

GHSA-h6w8-52mq-4qxc, CVE-2022-44645

Deserialization of Untrusted Data in maven/org.apache.linkis/linkis

In Apache Linkis <=1.3.0, when used with MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker who has write access to a database configures a new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be block-listed. Versions of Apache Linkis <= 1.3.0 are affected. We recommend users upgrade Linkis to version 1.3.1.

Added on 2023-02-02

GHSA-4wj7-rh5h-5qmr, CVE-2019-10349

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.plugins/depgraph-view

A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

Added on 2023-02-02

CVE-2023-21538

.NET Denial of Service Vulnerability in nuget/powershell

.NET Denial of Service Vulnerability.

Added on 2023-02-02

GHSA-c6rx-gxqv-vr5j, CVE-2022-21129

nemo-appium vulnerable to OS Command Injection in npm/nemo-appium

Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. **Note:** In order to exploit this vulnerability, appium-running 0.1.3 has to be installed as one of nemo-appium's dependencies.

Added on 2023-02-02

GHSA-3cw5-7cxw-v5qg, CVE-2023-23924

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization in packagist/dompdf/dompdf

Dompdf is an HTML to PDF converter. The URI validation in dompdf 2.0.1 can be bypassed during SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialization on PHP < 8 through the `phar` URL wrapper. An attacker who can supply an SVG file to dompdf can exploit the vulnerability to call an arbitrary URL with an arbitrary protocol. In PHP versions before 8.0.0, this leads to arbitrary unserialization, which results at the very least in arbitrary file deletion and potentially remote code execution, depending on the classes that are available.

Added on 2023-02-01

GHSA-w7w4-qjgg-372x, CVE-2023-0566

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') in packagist/froxlor/froxlor

Static Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.

Added on 2023-02-01

GHSA-9mq4-9556-6qxq, CVE-2021-4315

Improper Neutralization of Special Elements Used in a Template Engine in pypi/psiTurk

A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.1 is able to address this issue. The name of the patch is 47787e15cecd66f2aa87687bf852ae0194a4335f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-219676.

Added on 2023-02-01

GHSA-vp2x-3mc3-3cj4, CVE-2023-0591

Relative Path Traversal in pypi/ubi-reader

ubireader_extract_files is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). This is due to the fact that a node name (dent_node.name) is considered trusted and joined to the extraction directory path during processing, then the node content is written to that joined path. By crafting a malicious UBIFS file with node names holding path traversal payloads (e.g. ../../tmp/outside.txt), it's possible to force ubi_reader to write outside of the extraction directory. This issue affects ubi-reader before 0.8.5.

Added on 2023-02-01

CVE-2023-22742, GHSA-8643-3wh5-rmjq

Improper Verification of Cryptographic Signature in gem/rugged

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

Added on 2023-02-01

GHSA-g7gf-2rqw-5rwx, CVE-2023-0569

Weak Password Requirements in gem/publify_core

Weak Password Requirements in GitHub repository publify/publify prior to 9.2.10.

Added on 2023-02-01

GHSA-88v8-v46g-6c9w, CVE-2022-25936

Servst vulnerable to Path Traversal in npm/servst

Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of the filePath variable.

Added on 2023-02-01

GHSA-94rj-c4jj-v476, CVE-2019-10346

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/io.jenkins.plugins/embeddable-build-status-plugin

A reflected cross-site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.

Added on 2023-02-01

GHSA-3chw-8jq2-w769, CVE-2023-0572

Unchecked Error Condition in packagist/froxlor/froxlor

Unchecked Error Condition in GitHub repository froxlor/froxlor prior to 2.0.10.

Added on 2023-02-01

GHSA-g5vm-525q-r66c, CVE-2023-0242

Missing Authorization in go/www.velocidex.com/golang/velociraptor

Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server, including writing arbitrary files. However, lower-privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low-privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files. To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run a VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with access limited to a trusted group (most users will be administrators within the GUI). This vulnerability is associated with the program file https://github.com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and the program routine copy(). This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.

Added on 2023-02-01

GHSA-7jf5-fvgf-48c6, CVE-2023-0290

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/www.velocidex.com/golang/velociraptor

Rapid7 Velociraptor does not properly sanitize the client ID parameter to the CreateCollection API, allowing directory traversal in the location where the collection task is written. It was possible to provide a client ID of "../clients/server" to schedule the collection for the server (as a server artifact) while only requiring privileges to schedule collections on a client. Normally, scheduling an artifact on the server requires the COLLECT_SERVER permission, which is only granted to the "administrator" role. Due to this issue, the COLLECT_CLIENT privilege, which is normally granted to the "investigator" role, is sufficient. To exploit this vulnerability, the attacker must already have a Velociraptor user account of at least "investigator" level, and be able to authenticate to the GUI and issue an API call to the backend. Typically, most users deploy Velociraptor with access limited to a trusted group, and most users will already be administrators within the GUI. This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.

Added on 2023-02-01

GHSA-pp4w-9x82-6r47, CVE-2023-24830

Improper Authentication in maven/org.apache.iotdb/iotdb-parent

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB. This issue affects Apache IoTDB: from 0.13.0 before 0.13.3.

Added on 2023-02-01

CVE-2022-48281

Out-of-bounds Write in conan/libtiff

processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.

Added on 2023-02-01

GHSA-mf6x-hrgr-658f, CVE-2022-25967

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/eta

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.

Added on 2023-02-01

GHSA-xrh7-m5pp-39r6, CVE-2023-23630

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/eta

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to `res.render`.

Added on 2023-02-01

GHSA-vqqm-c9gx-773q, CVE-2023-0565

Froxlor contains Business Logic Errors in packagist/froxlor/froxlor

Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10.

Added on 2023-02-01

CVE-2023-22742, GHSA-8643-3wh5-rmjq

Improper Verification of Cryptographic Signature in conan/libgit2

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.

Added on 2023-02-01

CVE-2023-0564, GHSA-pm72-27mg-fc28

Weak Password Requirements in packagist/froxlor/froxlor

Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10.

Added on 2023-02-01

GHSA-c732-xvv8-g94c, CVE-2023-22884

Improper Neutralization of Special Elements used in a Command ('Command Injection') in pypi/apache-airflow-providers-mysql

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow and Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Added on 2023-01-31

CVE-2022-25847, GHSA-j8x7-qcw4-xx85

Improper Neutralization in npm/serve-lite

All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS): when it detects a request to a directory, it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding.

Added on 2023-01-31

GHSA-mxhp-79qh-mcx6, CVE-2019-10790

Exposure of Resource to Wrong Sphere in npm/taffydb

taffy through 2.6.2 allows attackers to forge the internal index by adding additional properties to user input processed by taffy, which can allow access to any data item in the DB. taffy sets an internal index for each data item in its DB; this index can be forged by adding additional properties to user input. If an index is found in the query, taffyDB ignores the other query conditions and directly returns the indexed data item. Moreover, the internal index is in an easily guessable format (e.g., T000002R000001). As such, attackers can use this vulnerability to access any data item in the DB.

Added on 2023-01-31
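The mechanism described in the taffy entry above, as an added example that is not part of the advisory or of TaffyDB's own code: a simplified in-memory store with a predictable per-record index, a lookup that honours a caller-supplied index key (the behaviour the advisory describes), and a hardened lookup that strips reserved keys from untrusted input before matching. The key name "___id", the store layout and the sample records are assumptions made for the illustration; only the index format is taken from the advisory.

```javascript
// Simplified model of a record store with an internal index, written to
// illustrate the taffy advisory above. This is NOT TaffyDB's code.
// Assumption: the internal index lives under the key "___id" and has the
// guessable format "T000001R000003" quoted in the advisory.
const INDEX_KEY = "___id";

function makeStore(records) {
  // Attach a sequential, predictable internal index to each record.
  const rows = records.map((r, i) => ({
    ...r,
    [INDEX_KEY]: "T000001R" + String(i + 1).padStart(6, "0"),
  }));

  // Every user-supplied condition has to match the row.
  function matchAllFields(q) {
    return rows.filter((row) => Object.keys(q).every((k) => row[k] === q[k]));
  }

  // Vulnerable lookup: when the query carries the internal index, all other
  // conditions are ignored and the indexed row is returned directly.
  function queryVulnerable(q) {
    if (q[INDEX_KEY] !== undefined) {
      return rows.filter((row) => row[INDEX_KEY] === q[INDEX_KEY]);
    }
    return matchAllFields(q);
  }

  // Hardened lookup: reserved keys are dropped from untrusted input before
  // matching, and a query that is empty after stripping returns nothing
  // (otherwise an index-only query would match every row).
  function queryHardened(q) {
    const clean = {};
    for (const [k, v] of Object.entries(q)) {
      if (!k.startsWith("___")) clean[k] = v;
    }
    if (Object.keys(clean).length === 0) return [];
    return matchAllFields(clean);
  }

  return { rows, queryVulnerable, queryHardened };
}

// Constructed sample data: one record per user, each holding a secret.
const store = makeStore([
  { owner: "alice", secret: "alice-token" },
  { owner: "bob", secret: "bob-token" },
]);

// Attacker logged in as bob submits JSON that is merged into the query
// object; the forged index key hijacks the lookup and returns alice's row.
function attackerQuery() {
  return { owner: "bob", [INDEX_KEY]: "T000001R000001" };
}

// Because the index is sequential, the attacker can walk it and dump the DB.
function dumpViaGuessing(s, maxRecords) {
  const found = [];
  for (let i = 1; i <= maxRecords; i++) {
    const guess = "T000001R" + String(i).padStart(6, "0");
    found.push(...s.queryVulnerable({ owner: "bob", [INDEX_KEY]: guess }));
  }
  return found;
}

function demo() {
  return {
    leaked: store.queryVulnerable(attackerQuery()), // alice's row, despite owner: "bob"
    safe: store.queryHardened(attackerQuery()),     // only bob's row
    dumped: dumpViaGuessing(store, 10),             // every row in the store
  };
}
```

The fix on the consuming side is to never merge request bodies or query strings straight into a query object; copy only the fields the endpoint expects, as queryHardened does, so that a reserved key in the input can never reach the matcher.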

CVE-2022-21192, GHSA-5qq4-m6c3-xxmf

Directory Traversal vulnerability in serve-lite in npm/serve-lite

All versions of the package serve-lite are vulnerable to Directory Traversal because req.url is passed as-is to path.join() without input sanitization or other checks and protections.

Added on 2023-01-31

GHSA-3mpg-q26j-83j5, CVE-2020-36655

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/yiisoft/yii2-gii

Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file.

Added on 2023-01-31

GHSA-c732-xvv8-g94c, CVE-2023-22884

Improper Neutralization of Special Elements used in a Command ('Command Injection') in pypi/apache-airflow

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow and Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.

Added on 2023-01-31

CVE-2023-22602

Interpretation Conflict in maven/org.apache.shiro/shiro-spring-boot-web-starter

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`

Added on 2023-01-30

CVE-2022-47194

Insecure Default Variable Initialization in npm/ghost

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request that injects JavaScript into a post and then trick an administrator into visiting the post. A stored XSS vulnerability exists in the `twitter` field for a user.

Added on 2023-01-30

GHSA-fw3g-2h3j-qmm7, CVE-2023-23627

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gem/sanitize

Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.

Added on 2023-01-30

CVE-2022-45748

Use After Free in conan/assimp

An issue was discovered in assimp 5.1.4: a use-after-free occurs in the function ColladaParser::ExtractDataObjectFromChannel in the file /code/AssetLib/Collada/ColladaParser.cpp.

Added on 2023-01-30

GHSA-3g5w-6pw7-6hrp, CVE-2022-2712

Relative Path Traversal in maven/org.glassfish.main.web/web

In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a relative path traversal vulnerability because request paths starting with './' are not filtered. Successful exploitation could allow a remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.

Added on 2023-01-30

CVE-2023-0406

Cross-Site Request Forgery (CSRF) in pypi/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Added on 2023-01-30

GHSA-x73w-g8hx-v7rp, CVE-2020-23256

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/electerm

An issue was discovered in Electerm 1.3.22 that allows attackers to execute arbitrary code via an unverified request to electerm's service.

Added on 2023-01-30

CVE-2022-47197

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/ghost

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request that injects JavaScript into a post and then trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_foot` field for a post.

Added on 2023-01-30

CVE-2022-47195

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/ghost

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request that injects JavaScript into a post and then trick an administrator into visiting the post. A stored XSS vulnerability exists in the `facebook` field for a user.

Added on 2023-01-30

CVE-2023-0040, GHSA-v3r5-pjpm-mwgq

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in maven/org.asynchttpclient/async-http-client-project

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted data into HTTP header field values without prior sanitisation. A common use case here is placing usernames from a database into HTTP header fields. This vulnerability allows attackers to inject new HTTP header fields, or entirely new requests, into the data stream. This can cause requests to be understood very differently by the remote server than was intended. In general, this is unlikely to result in data disclosure, but it can result in a number of logical errors and other misbehaviours.

Added on 2023-01-27
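The Async HTTP Client entry above describes the failure in general terms: a header value copied from a database without validation can carry CR LF and so terminate the header it belongs to. The following added example (written for this page, not code from Async HTTP Client or any other client library) serialises a request with a naive writer to show the injected second request, then adds the field-name and field-value checks a client should apply before anything reaches the wire. The header names, the "username" payload and the lax request-line counter are constructed for the illustration.

```javascript
// Added example: CRLF injection through an HTTP header value, and the
// validation that prevents it. Not code from Async HTTP Client.

// Naive serialiser: trusts header values, so CR/LF inside a value is
// written out verbatim and starts a new header or a new request.
function serializeRequestUnsafe(method, target, headers) {
  let out = `${method} ${target} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}\r\n`;
  }
  return out + "\r\n";
}

// Simplified RFC 9110 grammar. A field value may contain HTAB, SP, visible
// ASCII and obs-text (0x80-0xFF); CR, LF, NUL and other control characters
// are forbidden. A field name is a token: no separators, spaces or controls.
const FIELD_VALUE_RE = /^[\t\x20-\x7e\x80-\xff]*$/;
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isValidHeaderName(name) {
  return TOKEN_RE.test(name);
}

function isValidHeaderValue(value) {
  return typeof value === "string" && FIELD_VALUE_RE.test(value);
}

// Hardened serialiser: refuses any name or value that could break framing.
// Rejecting is preferable to stripping, because stripping silently changes
// the meaning of the value the caller asked to send.
function serializeRequestSafe(method, target, headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (!isValidHeaderName(name)) {
      throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (!isValidHeaderValue(value)) {
      throw new Error(`invalid header value for ${name}`);
    }
  }
  return serializeRequestUnsafe(method, target, headers);
}

// Count request lines the way a lax server scanning the stream would, to
// make the smuggled request visible.
function countRequestLines(stream) {
  return stream.split("\r\n").filter((l) => /^[A-Z]+ \S+ HTTP\/1\.1$/.test(l)).length;
}

// Constructed attacker-controlled "username" read from a database: it closes
// the X-User header, adds a spoofed header, ends the request, and starts a
// second one aimed at an internal path.
const MALICIOUS_USER =
  "alice\r\nX-Forwarded-For: 127.0.0.1\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\n";

function demo() {
  const headers = { Host: "example.test", "X-User": MALICIOUS_USER };
  const unsafe = serializeRequestUnsafe("GET", "/profile", headers);
  let safeError = null;
  try {
    serializeRequestSafe("GET", "/profile", headers);
  } catch (e) {
    safeError = e.message;
  }
  return { unsafe, injectedRequests: countRequestLines(unsafe), safeError };
}
```

The same check belongs at the point where a client library accepts headers from its caller, not only where the application reads from the database: the library cannot know which values are trusted, so it must refuse anything that is not a valid field value.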

CVE-2023-24436, GHSA-ccf4-9hjc-xxc4

Missing permission check in Jenkins GitHub Pull Request Builder Plugin allows enumerating credentials IDs in maven/org.jenkins-ci.plugins/ghprb

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Added on 2023-01-27

CVE-2023-24435, GHSA-w4v5-54p8-m4j5

Missing permission checks in Jenkins GitHub Pull Request Builder Plugin in maven/org.jenkins-ci.plugins/ghprb

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2023-01-27

GHSA-6hw7-x86v-wrgf, CVE-2023-24450

Passwords stored in plain text by Jenkins view-cloner Plugin in maven/org.jenkins-ci.plugins/view-cloner

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Added on 2023-01-27

GHSA-3g2g-rcm6-rrq2, CVE-2023-24440

Cleartext Transmission of Sensitive Information in Jenkins JIRA Pipeline Steps Plugin in maven/org.jenkins-ci.plugins/jira-steps

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Added on 2023-01-27

GHSA-r3gm-jwf4-xgv2, CVE-2023-24437

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/jira-steps

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2023-01-27

GHSA-qgjq-hrhg-f24h, CVE-2023-24448

Missing permission check in Jenkins RabbitMQ Consumer Plugin in maven/org.jenkins-ci.plugins/rabbitmq-consumer

A missing permission check in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

Added on 2023-01-27

GHSA-g29v-5pwh-wxx4, CVE-2023-24439

Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin in maven/org.jenkins-ci.plugins/jira-steps

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Added on 2023-01-27

GHSA-wj79-9fxj-j86p, CVE-2023-24447

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/rabbitmq-consumer

A cross-site request forgery (CSRF) vulnerability in Jenkins RabbitMQ Consumer Plugin 2.8 and earlier allows attackers to connect to an attacker-specified AMQP(S) URL using attacker-specified username and password.

Added on 2023-01-27

GHSA-h8p8-6378-649p, CVE-2023-24430

XML external entity reference vulnerability on agents in Jenkins Semantic Versioning Plugin in maven/org.jenkins-ci.plugins/semantic-versioning-plugin

Jenkins Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2023-01-27

GHSA-pcc2-w6m8-x5w4, CVE-2023-24429

Agent-to-controller security bypass in Jenkins Semantic Versioning Plugin in maven/org.jenkins-ci.plugins/semantic-versioning-plugin

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of a controller/agent message to agents, and imposes no limitations on the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Added on 2023-01-27

GHSA-9963-gmh8-vvm6, CVE-2023-24456

Session fixation vulnerability in Jenkins Keycloak Authentication Plugin in maven/org.jenkins-ci.plugins/keycloak

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

Added on 2023-01-27

GHSA-xr8h-wj4v-rx7f, CVE-2023-24453

Missing permission check in Jenkins TestQuality Updater Plugin in maven/org.jenkins-ci.plugins/testquality-updater

A missing check in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Added on 2023-01-27

GHSA-98qc-v8vg-mcx4, CVE-2023-24454

Plaintext Storage of a Password in Jenkins TestQuality Updater Plugin in maven/org.jenkins-ci.plugins/testquality-updater

Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Added on 2023-01-27

GHSA-px2f-cqrf-f2qg, CVE-2023-24452

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/testquality-updater

A cross-site request forgery (CSRF) vulnerability in Jenkins TestQuality Updater Plugin 1.3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password.

Added on 2023-01-27

GHSA-vxmh-p52j-h33m, CVE-2023-24424

Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin in maven/org.jenkins-ci.plugins/oic-auth

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.

Added on 2023-01-27

CVE-2023-24443, GHSA-g5mj-c26g-vmpm

XML Entity Expansion in Jenkins TestComplete support Plugin in maven/org.jenkins-ci.plugins/TestComplete

Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2023-01-27

GHSA-9wrr-4r9v-26xc, CVE-2023-24457

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/keycloak

A cross-site request forgery (CSRF) vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account.

Added on 2023-01-27

GHSA-5xhh-6xfv-7q42, CVE-2023-24458

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/bearychat

A cross-site request forgery (CSRF) vulnerability in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers to connect to an attacker-specified URL.

Added on 2023-01-27

CVE-2023-24422, GHSA-76qj-9gwh-pvv3

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.jenkins-ci.plugins/script-security

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Added on 2023-01-27

GHSA-65v6-3c9m-hmrp, CVE-2022-47042

Arbitrary file write in net.mingsoft:ms-mcms in maven/net.mingsoft/ms-mcms

MCMS v5.2.10 and below was discovered to contain an arbitrary file write vulnerability via the component ms/template/writeFileContent.do.

Added on 2023-01-27

CVE-2023-24428, GHSA-685j-36qx-3vp2

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/bitbucket-oauth

A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account.

Added on 2023-01-27

CVE-2023-24427, GHSA-x9q4-qwfh-9gjq

Session fixation vulnerability in Jenkins Bitbucket OAuth Plugin in maven/org.jenkins-ci.plugins/bitbucket-oauth

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

Added on 2023-01-27

GHSA-f976-24hc-mjvr, CVE-2023-24444

Session fixation vulnerability in Jenkins OpenID Plugin in maven/org.jenkins-ci.plugins/openid

Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

Added on 2023-01-27

GHSA-8m9f-c5p9-wqch, CVE-2022-25894

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/com.bstek.uflo/uflo-core

All versions of the package com.bstek.uflo:uflo-core are vulnerable to Remote Code Execution (RCE) in the ExpressionContextImpl class via the jexl.createExpression(expression).evaluate(context); functionality, due to improper user input validation.

Added on 2023-01-27

CVE-2023-24434, GHSA-m6q8-mwf6-6mmc

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/ghprb

A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2023-01-27

CVE-2023-0040, GHSA-v3r5-pjpm-mwgq

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in maven/org.asynchttpclient/async-http-client

Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted data into HTTP header field values without prior sanitisation. Common use-cases here might be to place usernames from a database into HTTP header fields. This vulnerability allows attackers to inject new HTTP header fields, or entirely new requests, into the data stream. This can cause requests to be understood very differently by the remote server than was intended. In general, this is unlikely to result in data disclosure, but it can result in a number of logical errors and other misbehaviours.

Added on 2023-01-27

GHSA-96jv-c7m6-q43g, CVE-2023-24446

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/openid

A cross-site request forgery (CSRF) vulnerability in Jenkins OpenID Plugin 2.4 and earlier allows attackers to trick users into logging in to the attacker's account.

Added on 2023-01-27

CVE-2023-0296

Use of a Broken or Risky Cryptographic Algorithm in go/github.com/openshift/builder/pkg/build/builder

The Birthday attack against 64-bit block ciphers flaw (CVE-2016-2183) was reported for the health checks port (9979) on the etcd grpc-proxy component. Even though CVE-2016-2183 has been fixed in the etcd components, to enable periodic health checks from kubelet, it was necessary to open up a new port (9979) on etcd grpc-proxy, hence this port might be considered as still vulnerable to the same type of vulnerability. The health checks on etcd grpc-proxy do not contain sensitive data (only metrics data), therefore the potential impact related to this vulnerability is minimal. CVE-2023-0296 has been assigned to this issue to track the permanent fix in the etcd component.

Added on 2023-01-27

GHSA-mj62-m63x-mh84, CVE-2023-24445

Open redirect vulnerability in Jenkins OpenID Plugin in maven/org.jenkins-ci.plugins/openid

Jenkins OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

Added on 2023-01-27

GHSA-2jpx-h8j2-g8m4, CVE-2023-24425

Exposure of system-scoped Kubernetes credentials in Jenkins Kubernetes Credentials Provider Plugin in maven/com.cloudbees.jenkins.plugins/kubernetes-credentials-provider

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

Added on 2023-01-27

GHSA-4x65-4fjx-r7m6, CVE-2023-24442

Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin in maven/org.jenkins-ci.plugins/github-pr-coverage-status

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Added on 2023-01-27

CVE-2023-24423, GHSA-95jq-24cr-pgrq

Cross-Site Request Forgery (CSRF) in maven/com.sonyericsson.hudson.plugins.gerrit/gerrit-trigger

A cross-site request forgery (CSRF) vulnerability in Jenkins Gerrit Trigger Plugin 2.38.0 and earlier allows attackers to rebuild previous builds triggered by Gerrit.

Added on 2023-01-27

GHSA-6vvc-c2m3-cjf3, CVE-2014-9390

Improper Input Validation in maven/org.eclipse.jgit/org.eclipse.jgit

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Added on 2023-01-27

CVE-2022-25860, GHSA-9w5j-4mwv-2wj8

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/simple-git

Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() methods, due to improper input sanitization. This vulnerability exists due to an incomplete fix of [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221).

Added on 2023-01-27

GHSA-8v53-23mx-hcf9, CVE-2023-0509

Improper Certificate Validation in pypi/pyload-ng

Improper Certificate Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev44.

Added on 2023-01-27

GHSA-3c6g-pvg8-gqw2, CVE-2020-7712

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.webjars.npm/json

This affects the package json before 10.0.0. It is possible to inject arbitrary commands using the parseLookup function.

Added on 2023-01-27

GHSA-69f2-4375-qv9h, CVE-2022-21810

Command injection in smartctl in npm/smartctl

All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.

Added on 2023-01-27

CVE-2022-25350, GHSA-g5qr-xgg7-8q2w

Command Injection in puppet-facter in npm/puppet-facter

All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.

Added on 2023-01-27

GHSA-5xpc-c4xv-7w62, CVE-2023-24449

Path traversal vulnerability in Jenkins PWauth Security Realm Plugin in maven/org.jvnet.hudson.plugins/pwauth

Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Added on 2023-01-27

GHSA-3ppr-72x5-x67q, CVE-2023-24441

XML external entity vulnerability on agents in Jenkins MSTest Plugin in maven/org.jvnet.hudson.plugins/mstest

Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Added on 2023-01-27

GHSA-9jwh-qvg7-gr59, CVE-2023-24432

Cross-Site Request Forgery (CSRF) in maven/io.jenkins.plugins/macstadium-orka

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2023-01-27

GHSA-gmhf-37fx-c4q8, CVE-2023-24433

Missing permission checks in Jenkins Orka Plugin allow capturing credentials in maven/io.jenkins.plugins/macstadium-orka

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2023-01-27

GHSA-87rh-wc85-xqvc, CVE-2023-24431

Missing permission checks in Jenkins Orka Plugin allow enumerating credentials IDs in maven/io.jenkins.plugins/macstadium-orka

A missing permission check in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Added on 2023-01-27

GHSA-4jqw-vfmj-9rmh, CVE-2021-36686

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/yapi-vendor

Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page.

Added on 2023-01-27

GHSA-8mmh-h4jh-2g34, CVE-2023-24455

Path Traversal in Jenkins visualexpert Plugin in maven/io.jenkins.plugins/visualexpert

Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Added on 2023-01-27

GHSA-ffxj-547x-5j7c, CVE-2022-25882

Directory Traversal in onnx in pypi/onnx

Versions of the package onnx before 1.13.0 are vulnerable to Directory Traversal, as the external_data field of the tensor proto can have a path to a file which is outside the model's current directory or the user-provided directory, for example "../../../etc/passwd".

Added on 2023-01-27

GHSA-wcm6-wv95-7jw6, CVE-2023-0488

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/pyload-ng

Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.

Added on 2023-01-27

CVE-2022-25908, GHSA-j8wr-fwf2-vvr9

Command Injection in create-choo-electron in npm/create-choo-electron

All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.

Added on 2023-01-27

CVE-2023-0519, GHSA-jm3m-wr3p-hjrq

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/modoboa

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

Added on 2023-01-27

CVE-2023-0470, GHSA-c467-5c2g-jp86

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/modoboa

Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.

Added on 2023-01-27

CVE-2022-25962, GHSA-54jw-jqr9-6cj9

Command injection in vagrant.js in npm/vagrant.js

All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.

Added on 2023-01-27

GHSA-f489-655r-x6gr, CVE-2017-2096

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in gem/smalruby

smalruby-editor v0.4.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.

Added on 2023-01-27

GHSA-67w4-w877-jv29, CVE-2023-24459

Missing permission check in Jenkins BearyChat Plugin in maven/org.jenkins-ci.plugins/bearychat

A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Added on 2023-01-27

CVE-2022-41417

Improper Input Validation in nuget/SitemapFileXML

BlogEngine.NET v3.3.8.0 allows an attacker to create any folder with "files" prefix under ~/App_Data/.

Added on 2023-01-26

CVE-2023-0298

Incorrect Authorization in packagist/grumpydictator/firefly-iii

Improper Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.

Added on 2023-01-26

GHSA-6g8q-qfpv-57wp, CVE-2023-22727

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/cakephp/database

CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by using CakePHP's Pagination library. Manually validating or casting parameters to these methods will also mitigate the issue.

Added on 2023-01-26

CVE-2021-32837

Inefficient Regular Expression Complexity in gem/mechanize

mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.

Added on 2023-01-26

CVE-2022-47196

Insecure Default Variable Initialization in npm/ghost

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allows privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post. A stored XSS vulnerability exists in the `codeinjection_head` for a post.

Added on 2023-01-26

CVE-2023-22478, GHSA-gqx8-hxmv-c4v4

Missing Authorization in go/github.com/KubeOperator/KubePi

KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.

Added on 2023-01-26

CVE-2023-22480, GHSA-jxgp-jgh3-8jc8

Incorrect Authorization in go/github.com/KubeOperator/KubeOperator

KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used to take over the cluster under certain conditions. This issue has been patched in version 3.16.4.

Added on 2023-01-26

CVE-2022-3782

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.keycloak/keycloak-services

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.

Added on 2023-01-26

CVE-2023-0297

Improper Control of Generation of Code ('Code Injection') in pypi/pyload-ng

Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31.

Added on 2023-01-26

CVE-2022-43721

URL Redirection to Untrusted Site ('Open Redirect') in pypi/superset

An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

GHSA-8hcf-2m4v-f2rq, CVE-2016-15020

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/liftkit/database

A vulnerability was found in liftkit database up to 2.13.1. It has been classified as critical. This affects the function processOrderBy of the file src/Query/Query.php. The manipulation leads to sql injection. Upgrading to version 2.13.2 is able to address this issue. The name of the patch is 42ec8f2b22e0b0b98fb5b4444ed451c1b21d125a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218391.

Added on 2023-01-25

CVE-2022-46648

Improper Control of Generation of Code ('Code Injection') in gem/git

ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-47318.

Added on 2023-01-25

CVE-2022-43718

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/superset

Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

CVE-2023-22298

URL Redirection to Untrusted Site ('Open Redirect') in pypi/pgadmin4

Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL.

Added on 2023-01-25

CVE-2023-0105

Improper Authentication in maven/org.keycloak/keycloak-parent

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

Added on 2023-01-25

CVE-2022-41703

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pypi/superset

A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag "ALLOW_ADHOC_SUBQUERY" disabled (default value). This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

CVE-2022-43720

Improper Neutralization of Escape, Meta, or Control Sequences in pypi/superset

An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

CVE-2022-45438

Exposure of Resource to Wrong Sphere in pypi/superset

When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

CVE-2023-0091

Incorrect Authorization in maven/org.keycloak/keycloak-parent

A flaw was found in Keycloak, where it does not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

Added on 2023-01-25

GHSA-m4f8-p58g-j8mj, CVE-2010-10006

Observable Discrepancy in maven/org.expressme/JOpenId

A vulnerability, which was classified as problematic, was found in michaelliao jopenid. Affected is the function getAuthentication of the file JOpenId/src/org/expressme/openid/OpenIdManager.java. The manipulation leads to observable timing discrepancy. Upgrading to version 1.08 is able to address this issue. The name of the patch is c9baaa976b684637f0d5a50268e91846a7a719ab. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218460.

Added on 2023-01-25

CVE-2022-47318

Improper Control of Generation of Code ('Code Injection') in gem/git

ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-46648.

Added on 2023-01-25

CVE-2022-43717

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/superset

Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

GHSA-chgc-rqjr-46gg, CVE-2010-10008

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/simplesamlphp/simplesamlphp-module-openidprovider

A vulnerability was found in simplesamlphp simplesamlphp-module-openidprovider up to 0.8.x. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file templates/trust.tpl.php. The manipulation of the argument StateID leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.9.0 is able to address this issue. The name of the patch is 8365d48c863cf06ccf1465cc0a161cefae29d69d. It is recommended to upgrade the affected component. The identifier VDB-218473 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2023-01-25

CVE-2022-43719

Cross-Site Request Forgery (CSRF) in pypi/superset

Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.

Added on 2023-01-25

GHSA-96x6-jf5w-84c5, CVE-2023-0306

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/thorsten/phpmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

Added on 2023-01-24

CVE-2023-22491, GHSA-7ch4-rr99-cqcw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/gatsby

Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.

Added on 2023-01-24

CVE-2023-22488, GHSA-8gcg-vwmw-rxj4

Missing Authorization in packagist/flarum/flarum

Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this as they are listed based on a visibility check, however, emails are still sent out. This means that, for extensions which restrict access to posts, any actor can bypass the restriction by subscribing to the discussion if the Subscriptions extension is enabled. The attack allows the leaking of some posts in the forum database, including posts awaiting approval, posts in tags the user has no access to if they could subscribe to a discussion before it becomes private, and posts restricted by third-party extensions. All Flarum versions prior to v1.6.3 are affected. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible to v1.6.3. As a workaround, disable the Flarum Subscriptions extension or disable email notifications altogether. There are no other supported workarounds for this issue for Flarum versions below 1.6.3.

Added on 2023-01-24

CVE-2023-22489, GHSA-hph3-hv3c-7725

Missing Authorization in packagist/flarum/flarum

Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null` which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between `v1.3.0` and `v1.6.3` are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds.

Added on 2023-01-24

CVE-2023-22488, GHSA-8gcg-vwmw-rxj4

Missing Authorization in packagist/flarum/core

Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the receiver, and proceeds to send notifications through their different channels. The alerts do not leak data despite this as they are listed based on a visibility check, however, emails are still sent out. This means that, for extensions which restrict access to posts, any actor can bypass the restriction by subscribing to the discussion if the Subscriptions extension is enabled. The attack allows the leaking of some posts in the forum database, including posts awaiting approval, posts in tags the user has no access to if they could subscribe to a discussion before it becomes private, and posts restricted by third-party extensions. All Flarum versions prior to v1.6.3 are affected. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible to v1.6.3. As a workaround, disable the Flarum Subscriptions extension or disable email notifications altogether. There are no other supported workarounds for this issue for Flarum versions below 1.6.3.

Added on 2023-01-24

CVE-2023-22489, GHSA-hph3-hv3c-7725

Missing Authorization in packagist/flarum/core

Flarum is a discussion platform for websites. If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null`, which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible, so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion. This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to. In combination with the email notification settings, this could also be used as a way to send unsolicited emails. Versions between `v1.3.0` and `v1.6.3` are impacted. The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible. There are no known workarounds.

Added on 2023-01-24

CVE-2023-0105

Improper Authentication in npm/keycloak-connect

A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.

Added on 2023-01-24

CVE-2023-0091

Incorrect Authorization in npm/keycloak-connect

A flaw was found in Keycloak, where it does not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

Added on 2023-01-24

CVE-2022-25901, GHSA-h452-7996-h45h

cookiejar Regular Expression Denial of Service via Cookie.parse function in npm/cookiejar

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Added on 2023-01-24

CVE-2022-1812

Integer Overflow or Wraparound in gem/publify_core

Integer Overflow or Wraparound in GitHub repository publify/publify prior to 9.2.10.

Added on 2023-01-24

CVE-2023-22493, GHSA-64wp-jh9p-5cg2

Server-Side Request Forgery (SSRF) in npm/rsshub

RSSHub is an open source RSS feed generator. RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. An attacker could also use this vulnerability to send requests to internal or any other servers or resources on the network, potentially gaining access to sensitive information that would not normally be accessible and amplifying the impact of the attack. The patch for this issue can be found in commit a66cbcf.

Added on 2023-01-24

CVE-2023-0438, GHSA-9c64-x3cx-vgmm

Cross-Site Request Forgery (CSRF) in pypi/modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.

Added on 2023-01-24

GHSA-2x48-p6cq-5xcw, CVE-2022-46959

Path Traversal in github.com/go-sonic/sonic in go/github.com/go-sonic/sonic

An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal.

Added on 2023-01-24

CVE-2023-0435, GHSA-6jmx-pv77-wm5w

Excessive Attack Surface in pypi/pyload-ng

Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.

Added on 2023-01-24

GHSA-h452-7996-h45h, CVE-2022-25901

cookiejar Regular Expression Denial of Service via Cookie.parse function in maven/org.webjars.npm/cookiejar

Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.

Added on 2023-01-24

CVE-2023-0434, GHSA-x9vc-5q77-m7x4

Improper Input Validation in pypi/pyload-ng

Improper Input Validation in GitHub repository pyload/pyload prior to 0.5.0b3.dev40.

Added on 2023-01-24