The package postcss are vulnerable to Regular Expression Denial of Service (ReDoS) via `getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`.
In SaltStack Salt, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
sopel-channelmgnt is a channelmgnt plugin for sopel.
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.
`Authentication.logout()` uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.
An issue was discovered in Jansson Due to a parsing error in `json_loads`, there's an out-of-bounds read-access bug.
When a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched
A flaw was found in the Ansible Engine, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.
pgsync Syncing the schema with the `--schema-first` and `--schema-only` options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.
jose is an npm library providing a number of cryptographic operations.
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions.
jose-browser-runtime is an npm package which provides a number of cryptographic functions.
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions.
This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.
The package underscore from , from are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
An issue was discovered in giflib DumpScreen2RGB in `gif2rgb.c` has a heap-based buffer over-read.
Non-constant-time comparison of CSRF tokens in endpoint request handler allows attacker to guess a security token for Fusion endpoints via timing attack.
Non-constant-time comparison of CSRF tokens in UIDL request handler in com.vaadin:flow-server (Vaad ) (Vaad ) (Vaad ) (Vaad ) (Vaad ) allows attacker to guess a security token via timing attack.
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-deparam allows a malicious user to inject properties into `Object.prototype`.
The xmlhttprequest-ssl package for Node.js disables SSL certificate validation by default, because `rejectUnauthorized` (when the property exists but is undefined) is considered to be false within the `https.request` function of Node.js. In other words, no certificate is ever rejected.
Prototype pollution vulnerability in `safe-obj` allows an attacker to cause a denial of service and may lead to remote code execution.
This affects all versions of package portkiller. If (attacker-controlled) user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in purl allows a malicious user to inject properties into `Object.prototype`.
The package postcss from are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in mootools-more allows a malicious user to inject properties into `Object.prototype`.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in jquery-bbq allows a malicious user to inject properties into `Object.prototype`.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in backbone-query-parameters allows a malicious user to inject properties into Object.prototype.
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process `exec` function without input sanitization.
A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.
This affects all versions of package picotts. If attacker-controlled user input is given to the say function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
This affects the package chrono-node; it hangs on a date-like string with lots of embedded spaces.
If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the `child_process` `exec` function without input sanitization.
The Nextcloud dialogs library insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag.
A new HAL-Form was added to allow editing users This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change.
If attacker-controlled user input is given to the stat function of this package on certain operating systems, it is possible for an attacker to execute arbitrary commands. This is due to use of the `child_process` exec function without input sanitization.
If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
The REXML gem does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account credentials.
phpseclib mishandles RSA PKCS#1 v1.5 signature verification.
Eclipse Jersey to and Eclipse Jersey to contains a local information disclosure vulnerability.
When the attacker can separate query parameters using a semicolon (`;`), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
In Apache Commons IO, When invoking the method `FileNameUtils.normalize` with an improper input string, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above, if the calling code would use the result to construct a path value.
Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
Portofino is an open source web development framework. Portofino did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming release.
A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form.
When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail (for the branch) and Wagtail (for the current branch).
The `ReplicationHandler` (normally registered at `/replication` under a Solr core) in Apache Solr has a `masterUrl` (also `leaderUrl` alias) parameter that is used to designate another `ReplicationHandler` on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the `shards` parameter.
A heap-based buffer over-read was discovered in cpp-peglib's `peg::resolve_escape_sequence()` in `peglib.h`.
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL previews are affected. This could cause Synapse to make requests to internal infrastructure on dual-stack networks. See referenced GitHub security advisory for details and workarounds.
A NULL pointer dereference was discovered in cpp-peglib's `peg::AstOptimizer::optimize()` located in `peglib.h`. It allows an attacker to cause a Denial of Service.
HashiCorp Consul Enterprise's audit log can be bypassed by specifically crafted HTTP events. An attacker could maliciously craft valid HTTP requests with specific parameters which cause the HTTP event to be incorrectly excluded from Consul Enterprise’s audit log.
A vulnerability was identified in Consul and Consul Enterprise such that a specially crafted key-value entry could be used to perform a cross-site scripting (XSS) attack when viewed in Consul KV API’s raw mode.
In Gradle, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through `TextResourceFactory` are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers. This could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them.
Integer Overflow in OpenJPEG allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option `-ImgDir` on a directory that contains files.
In Gradle, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.
A critical unauthenticated remote code execution vulnerability was found in Apache Tapestry. The vulnerability found is a bypass of the fix for CVE-2019-0195. Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was an ignore filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Unfortunately, the ignore list solution can simply be bypassed by appending a `/` at the end of the URL `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the ignore list check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. `CommonsBeanUtils1` from `ysoserial`).
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.
SQL Injection in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cID" parameter when creating a new HTML component.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (`io.netty:netty-codec-http2`), which is used by zookeeper, there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single `Http2HeaderFrame` with the `endStream` set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identifiers. This could cause excessive use of disk space and memory leading to resource exhaustion. Note that the groups feature is not part of the Matrix specification and the chosen maximum lengths are arbitrary. Not all clients might abide by them.