Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 2.6 days (on average).

CVE-2020-17048

Improper Restriction of Operations within the Bounds of a Memory Buffer in nuget/Microsoft.ChakraCore

Chakra Scripting Engine Memory Corruption Vulnerability. This CVE ID is unique from CVE-2020-17054.

Added on 2020-11-27

CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf

By default, Apache CXF creates a `/services` page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the `styleSheetPath`, which allows a malicious actor to inject JavaScript into the web page. Please note that this is a separate issue from CVE-2019-17573.

Added on 2020-11-27

CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf-rt-rs-security-xml

By default, Apache CXF creates a `/services` page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the `styleSheetPath`, which allows a malicious actor to inject JavaScript into the web page. Please note that this is a separate issue from CVE-2019-17573.

Added on 2020-11-26

CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf-api

By default, Apache CXF creates a `/services` page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the `styleSheetPath`, which allows a malicious actor to inject JavaScript into the web page. Please note that this is a separate issue from CVE-2019-17573.

Added on 2020-11-26

CVE-2020-28271

Improper Input Validation in npm/deephas

A prototype pollution vulnerability in deephas may allow an attacker to cause a denial of service, or possibly lead to remote code execution.

Added on 2020-11-26

CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf-core

By default, Apache CXF creates a `/services` page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the `styleSheetPath`, which allows a malicious actor to inject JavaScript into the web page. Please note that this is a separate issue from CVE-2019-17573.

Added on 2020-11-26

CVE-2020-7769

Injection Vulnerability in npm/nodemailer

Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending emails.

Added on 2020-11-26

CVE-2020-7770

Improper Input Validation in npm/json8

The `apply` function adds to the target object the property specified in the path; however, it does not properly check the key being set, leading to prototype pollution.

Added on 2020-11-26

CVE-2020-28268

Improper Input Validation in npm/controlled-merge

A prototype pollution vulnerability in controlled-merge may allow an attacker to cause a denial of service, or possibly lead to remote code execution.

Added on 2020-11-26

CVE-2020-7766

Injection Vulnerability in npm/json-ptr

This affects all versions of the package json-ptr. The issue occurs in the set operation `https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#set` when the force flag is set to true. The function recursively sets the property in the target object; however, it does not properly check the key being set, leading to prototype pollution.

Added on 2020-11-26

CVE-2020-17054

Improper Restriction of Operations within the Bounds of a Memory Buffer in nuget/Microsoft.ChakraCore

Chakra Scripting Engine Memory Corruption Vulnerability. This CVE ID is unique from CVE-2020-17048.

Added on 2020-11-26

CVE-2020-28267

Improper Input Validation in npm/@strikeentco/set

A prototype pollution vulnerability in @strikeentco/set may allow an attacker to cause a denial of service, or possibly lead to remote code execution.

Added on 2020-11-26

CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf-rt-transports-http

By default, Apache CXF creates a `/services` page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the `styleSheetPath`, which allows a malicious actor to inject JavaScript into the web page. Please note that this is a separate issue from CVE-2019-17573.

Added on 2020-11-26

CVE-2020-13954

Cross-site Scripting in maven/org.apache.cxf/cxf-rt-frontend-jaxrs

By default, Apache CXF creates a `/services` page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the `styleSheetPath`, which allows a malicious actor to inject JavaScript into the web page. Please note that this is a separate issue from CVE-2019-17573.

Added on 2020-11-26

CVE-2020-27589

Improper Certificate Validation in pypi/blackduck

Synopsys hub-rest-api-python (aka blackduck on PyPI) does not validate SSL certificates in certain cases.

Added on 2020-11-24

CVE-2020-28270

Improper Input Validation in npm/object-hierarchy-access

A prototype pollution vulnerability in `object-hierarchy-access` allows an attacker to cause a denial of service and may lead to remote code execution.

Added on 2020-11-24

CVE-2020-7767

Uncontrolled Resource Consumption in npm/express-validators

The express-validators package is vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid URLs.

Added on 2020-11-24

CVE-2020-28269

Improper Input Validation in npm/field

A prototype pollution vulnerability in field allows attackers to cause a denial of service and may lead to remote code execution.

Added on 2020-11-24

CVE-2020-8268

Improper Input Validation in npm/json8-merge-patch

A prototype pollution vulnerability in the json8-merge-patch npm package may allow attackers to inject or modify methods and properties of the global object constructor.

Added on 2020-11-20

CVE-2020-26168

Improper Authentication in maven/com.hazelcast/hazelcast

The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise and Jet Enterprise does not properly verify the password in some system-user-dn scenarios. As a result, users (`clients/members`) can be authenticated even if they provide invalid passwords.

Added on 2020-11-19

CVE-2020-28364

Cross-site Scripting in pypi/locust

A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust, if the installation violates the usage expectations by exposing this UI to outside users.

Added on 2020-11-18

CVE-2020-15703

Path Traversal in pypi/aptdaemon

There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.

Added on 2020-11-18

CVE-2020-27193

Cross-site Scripting in npm/ckeditor4

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of the editor's inputs.

Added on 2020-11-18

CVE-2020-14366

Path Traversal in maven/org.keycloak/keycloak-services

A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.

Added on 2020-11-18

CVE-2020-26214

Improper Authentication in pypi/alerta-server

In Alerta, users may be able to bypass LDAP authentication if they provide an empty password when the Alerta server is configured to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow the unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented that returns an HTTP Unauthorized response for any authentication attempt where the password field is empty. As a workaround, LDAP administrators can disallow unauthenticated bind requests by clients.

Added on 2020-11-18

CVE-2020-16846

OS Command Injection in pypi/salt

An issue was discovered in SaltStack Salt. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Added on 2020-11-17

CVE-2020-25592

Improper Input Validation in pypi/salt

In SaltStack Salt, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.

Added on 2020-11-17

CVE-2020-17490

Incorrect Permission Assignment for Critical Resource in pypi/salt

The TLS module within SaltStack Salt creates certificates with weak file permissions.

Added on 2020-11-17

CVE-2020-28168

Server-Side Request Forgery (SSRF) in npm/axios

The Axios npm package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Added on 2020-11-17

CVE-2020-7764

Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) in npm/find-my-way

This affects the package find-my-way, from It accepts the `Accept-Version` header by default, and if versioned routes are not being used, this could lead to a denial of service. `Accept-Version` can be used as an unkeyed header in a cache poisoning attack.

Added on 2020-11-17

CVE-2020-17510

Missing Authentication for Critical Function in maven/org.apache.shiro/shiro-all

Apache Shiro, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Added on 2020-11-16

CVE-2020-7761

Uncontrolled Resource Consumption in npm/@absolunet/kafe

This affects the package `@absolunet/kafe`. It allows a denial of service when validating crafted invalid emails.

Added on 2020-11-16

CVE-2020-25201

Excessive Iteration in go/github.com/hashicorp/consul/acl

HashiCorp Consul Enterprise up to includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes.

Added on 2020-11-16

CVE-2020-15271

OS Command Injection in pypi/lookatme

In lookatme, the package automatically loaded the built-in `terminal` and `file_loader` extensions. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.

Added on 2020-11-16

CVE-2020-10937

Unintended Proxy or Intermediary in go/github.com/ipfs/go-ipfs

An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest of the network. Later versions, in particular go-ipfs, mitigate this.

Added on 2020-11-16

CVE-2020-27196

Out-of-bounds Write in maven/com.typesafe.play/play-ws_2.12

The body parsing of HTTP requests eagerly parses a payload given a `Content-Type` header. A deep JSON structure sent to a valid `POST` endpoint (that may or may not expect JSON payloads) causes a `StackOverflowError` and Denial of Service.

Added on 2020-11-16

CVE-2020-27196

Out-of-bounds Write in maven/com.typesafe.play/play_2.11

The body parsing of HTTP requests eagerly parses a payload given a `Content-Type` header. A deep JSON structure sent to a valid `POST` endpoint (that may or may not expect JSON payloads) causes a `StackOverflowError` and Denial of Service.

Added on 2020-11-16

CVE-2020-7760

Uncontrolled Resource Consumption in npm/codemirror

There is a ReDoS vulnerability in codemirror which is mainly due to the sub-pattern `(\s|\/\*.*?\*\/)*`.

Added on 2020-11-16

CVE-2020-26207

Deserialization of Untrusted Data in nuget/DatabaseSchemaReader

`DatabaseSchemaViewer` is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted `.dbschema` file. As a workaround, ensure `.dbschema` files from untrusted sources are not opened.

Added on 2020-11-16

CVE-2020-22278

Improper Neutralization of Escape, Meta, or Control Sequences in packagist/phpmyadmin/phpmyadmin

phpMyAdmin may allow CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents".

Added on 2020-11-16

CVE-2020-24407

Unrestricted Upload of File with Dangerous Type in packagist/magento/community-edition

Magento This vulnerability could be abused by authenticated users with administrative permissions to the `System/Data` and `Transfer/Import` components.

Added on 2020-11-16

CVE-2020-24404

Improper Authorization in packagist/magento/community-edition

Magento This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.

Added on 2020-11-15

CVE-2020-24405

Improper Authorization in packagist/magento/community-edition

Magento This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.

Added on 2020-11-15

CVE-2020-24403

Improper Authorization in packagist/magento/community-edition

Magento This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.

Added on 2020-11-15

CVE-2020-24402

Improper Authorization in packagist/magento/community-edition

Magento This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

Added on 2020-11-15

CVE-2020-24401

Incorrect Authorization in packagist/magento/community-edition

Magento A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.

Added on 2020-11-15

CVE-2020-24400

SQL Injection in packagist/magento/community-edition

Magento This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.

Added on 2020-11-15

CVE-2020-24406

Path Traversal in packagist/magento/community-edition

When in maintenance mode, Magento This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.

Added on 2020-11-15

CVE-2020-28249

Cross-site Scripting in npm/joplin

Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note.

Added on 2020-11-15

CVE-2020-7198

Improper Privilege Management in gem/oneview

There is a remote escalation of privilege possible for a malicious user that has a OneView account in OneView and Synergy Composer. HPE has provided updates to OneView and Synergy Composer: update to version 5.5 of OneView, Composer, or Composer2.

Added on 2020-11-15