Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory Database within 2.0 days (on average).

CVE-2022-31183, GHSA-2cpx-6pqp-wf35

Improper Certificate Validation in maven/co.fs2/fs2-io_sjs1_3

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11: the `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, an `SSLException` is raised. If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection.

Added on 2022-08-10

CVE-2022-31183, GHSA-2cpx-6pqp-wf35

Improper Certificate Validation in maven/co.fs2/fs2-io_sjs1_2.13

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11: the `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, an `SSLException` is raised. If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection.

Added on 2022-08-10

CVE-2022-34871

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/centreon/centreon

This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-16335.

Added on 2022-08-10

CVE-2022-34872

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/centreon/centreon

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of Virtual Metrics. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16336.

Added on 2022-08-10

CVE-2022-31183, GHSA-2cpx-6pqp-wf35

Improper Certificate Validation in maven/co.fs2/fs2-io_sjs1_2.12

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in 3.1.0. A patch is released in v3.2.11: the `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, an `SSLException` is raised. If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish an mTLS connection.

Added on 2022-08-10

CVE-2022-36359

Download of Code Without Integrity Check in pypi/Django

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Added on 2022-08-10

CVE-2022-24912

Observable Discrepancy in go/github.com/runatlantis/atlantis

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.

Added on 2022-08-10

CVE-2022-35915, GHSA-7grf-83vw-6f5x

Uncontrolled Resource Consumption in npm/@openzeppelin/contracts

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-10

CVE-2022-35916, GHSA-9j3m-g383-29qr

Incorrect Resource Transfer Between Spheres in npm/@openzeppelin/contracts

OpenZeppelin Contracts is a library for secure smart contract development. Contracts using the cross chain utilities for Arbitrum L2, `CrossChainEnabledArbitrumL2` or `LibArbitrumL2`, will classify direct interactions of externally owned accounts (EOAs) as cross chain calls, even though they are not started on L1. This issue has been patched in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-10

CVE-2022-31179, GHSA-jjc5-fp7p-6f8w

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in npm/shescape

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on Windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. This bug has been patched in [v1.5.8], which you can upgrade to now. No further changes are required. Alternatively, line feed characters (`'\n'`) can be stripped out manually, or the user input can be made the last argument (this only limits the impact).

Added on 2022-08-10

CVE-2022-31180, GHSA-44vr-rwwj-p88h

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in npm/shescape

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7], which you can upgrade to now. No further changes are required. Behaviours number 2, 3, and 4 have been patched in [v1.5.8], which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `'\u0085'`, which is not included in JavaScript's definition of `\s` for Regular Expressions.

Added on 2022-08-10

CVE-2022-31189, GHSA-c2j7-66m3-r4ff

Generation of Error Message Containing Sensitive Information in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. When an "Internal System Error" occurs in the JSPUI, the entire exception (including stack trace) is displayed. Information in this stack trace may be useful to an attacker in launching a more sophisticated attack. This vulnerability only impacts the JSPUI. This issue has been fixed in version 6.4. Users are advised to upgrade. Users unable to upgrade should disable the display of error messages in their internal.jsp file.

Added on 2022-08-09

GHSA-8gpg-466c-5cpj, CVE-2022-36127

Apache SkyWalking NodeJS Agent can lose availability if header includes illegal SkyWalking header in npm/skywalking-backend-js

A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that have this agent installed to become unavailable if the OAP is unhealthy and the NodeJS agent can't establish the connection.

Added on 2022-08-09

GHSA-gq75-5gc3-rfwg, CVE-2020-7649

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in npm/snyk-broker

This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.

Added on 2022-08-09

GHSA-4wm8-c2vv-xrpq, CVE-2022-31192

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.dspace/dspace-jspui

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2022-08-09

GHSA-vqgr-mfxm-47f3, CVE-2020-28422

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/git-archive

All versions of package git-archive are vulnerable to Command Injection via the exports function.

Added on 2022-08-09

GHSA-6367-p3v8-7mgw, CVE-2020-28436

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/google-cloudstorage-commands

This affects all versions of package google-cloudstorage-commands.

Added on 2022-08-09

GHSA-c558-5gfm-p2r8, CVE-2022-31191

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.dspace/dspace-jspui

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-7w85-pp86-p4pq, CVE-2022-31190

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.dspace/dspace-xmlui

DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn Item. This vulnerability only impacts the XMLUI. Users are advised to upgrade to version 6.4 or newer.

Added on 2022-08-09

GHSA-74wf-cwjg-9cf2, CVE-2020-28447

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/xopen

This affects all versions of package xopen. The injection point is located in line 14 in index.js in the exported function xopen(filepath).

Added on 2022-08-09

CVE-2022-35923, GHSA-xrx9-gj26-5wx9

Inefficient Regular Expression Complexity in npm/v8n

v8n is a JavaScript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function, a payload of `'a' + 'a'.repeat(i) + 'A'` with 32 leading characters took 29443 ms to execute. The same issue happens with `uppercase()`. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-4vm8-j95f-j6v5, CVE-2022-32114

Unrestricted Upload of File with Dangerous Type in npm/@strapi/strapi

An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file.

Added on 2022-08-09

GHSA-m939-vrfp-9v8p, CVE-2020-28461

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/js-ini

This affects the package js-ini before 1.3.0. If an attacker submits a malicious INI file to an application that parses it with parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Added on 2022-08-09

GHSA-pc62-cq5x-3j5g, CVE-2020-7678

node-import `params` argument can be controlled by users without any sanitization in npm/node-import

This affects all versions of package node-import. The "params" argument of the module function can be controlled by users without any sanitization. This is then provided to the `eval` function located in line 79 in the index file "index.js".

Added on 2022-08-09

GHSA-r38f-c4h4-hqq2, CVE-2022-31197

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in maven/org.postgresql/postgresql

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PgJDBC implementation of the `java.sql.ResultSet.refreshRow()` method is not performing escaping of column names, so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table whose column names contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-c2j7-66m3-r4ff, CVE-2022-31189

Generation of Error Message Containing Sensitive Information in maven/org.dspace/dspace-jspui

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. When an "Internal System Error" occurs in the JSPUI, the entire exception (including stack trace) is displayed. Information in this stack trace may be useful to an attacker in launching a more sophisticated attack. This vulnerability only impacts the JSPUI. This issue has been fixed in version 6.4. Users are advised to upgrade. Users unable to upgrade should disable the display of error messages in their internal.jsp file.

Added on 2022-08-09

CVE-2022-31175, GHSA-42wq-rch8-6f6j

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@ckeditor/ckeditor5-markdown-gfm

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5 packages in versions prior to 35.0.1. The vulnerability allowed JavaScript code to be triggered after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In the case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.

Added on 2022-08-09

CVE-2022-31191, GHSA-c558-5gfm-p2r8

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI spellcheck "Did you mean" HTML escapes the data-spell attribute in the link, but not the actual displayed text. Similarly, the JSPUI autocomplete HTML does not properly escape text passed to it. Both are vulnerable to XSS. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-42wq-rch8-6f6j, CVE-2022-31175

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@ckeditor/ckeditor5-html-support

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5 packages in versions prior to 35.0.1. The vulnerability allowed JavaScript code to be triggered after fulfilling special conditions. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are 1) Using one of the affected packages. In the case of `ckeditor5-html-support` and `ckeditor5-html-embed`, additionally, it was required to use a configuration that allows unsafe markup inside the editor. 2) Destroying the editor instance and 3) Initializing the editor on an element and using an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy and use Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-wfvx-fx73-3rfj, CVE-2020-28455

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/markdown-it-toc

This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped.

Added on 2022-08-09

GHSA-qp5m-c3m9-8q2p, CVE-2022-31194

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.dspace/dspace-jspui

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user, by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds. However, this vulnerability cannot be exploited by an anonymous user or a basic user. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability.

Added on 2022-08-09

GHSA-v42q-78w8-8fcc, CVE-2021-23373

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/set-deep-prop

All versions of package set-deep-prop are vulnerable to Prototype Pollution via the main functionality.

Added on 2022-08-09

GHSA-rwvf-c3wm-qm6w, CVE-2020-28435

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/ffmpeg-sdk

This affects all versions of package ffmpeg-sdk. The injection point is located in line 9 in index.js.

Added on 2022-08-09

GHSA-7vrv-5m2h-rjw9, CVE-2020-28462

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/ion-parser

This affects all versions of package ion-parser. If an attacker submits a malicious INI file to an application that parses it with parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Added on 2022-08-09

GHSA-8rmh-55h4-93h5, CVE-2022-31195

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.dspace/dspace-api

DSpace open source software is a repository application which provides durable access to digital resources. In affected versions the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability is only possible by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. Users are advised to upgrade. As a basic workaround, users may block all access to the following URL paths: If you are using the XMLUI, block all access to /admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/xmlui", then you'd need to block access to /xmlui/admin/batchimport. If you are using the JSPUI, block all access to /dspace-admin/batchimport path (this is the URL of the Admin Batch Import tool). Keep in mind, if your site uses the path "/jspui", then you'd need to block access to /jspui/dspace-admin/batchimport. Keep in mind, only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, then it is unlikely your site could be impacted by this vulnerability.

Added on 2022-08-09

CVE-2022-2576

Uncontrolled Resource Consumption in maven/org.eclipse.californium/californium-core

In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0 to 3.5.0, a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. In particular, if used with certificate-based cipher suites, this results in message amplification (DDoS of other peers) and high CPU load (DoS of the own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

Added on 2022-08-09

GHSA-jxqv-jcvh-7gr4, CVE-2022-24912

Observable Discrepancy in go/github.com/runatlantis/atlantis/server/controllers/events

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a timing attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. This can allow an attacker to recover the secret and then forge webhook events.

Added on 2022-08-09

CVE-2022-31186, GHSA-p6mm-27gq-9v3p

Insertion of Sensitive Information into Log File in npm/next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in `next-auth` before `v4.10.2` and `v3.29.9` allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions. This issue has been patched in `v4.10.2` and `v3.29.9` by moving the log for `provider` information to the debug level. In addition, we added a warning for having the `debug: true` option turned on in production. If for some reason you cannot upgrade, you can use the `logger` configuration option to sanitize the logs.

Added on 2022-08-09

GHSA-6x93-h9g3-9phr, CVE-2021-23451

Use of Insufficiently Random Values in npm/otp-generator

The package otp-generator before 3.0.0 is vulnerable to Insecure Randomness due to insecure generation of random one-time passwords, which may allow a brute-force attack.

Added on 2022-08-09

GHSA-j47c-j42c-mwqq, CVE-2022-35917

Always-Incorrect Control Flow Implementation in npm/@solana/pay

Solana Pay is a protocol and set of reference implementations that enable developers to incorporate decentralized payments into their apps and services. When a Solana Pay transaction is located using a reference key, it may be checked to represent a transfer of the desired amount to the recipient, using the supplied `validateTransfer` function. An edge case regarding this mechanism could cause the validation logic to validate multiple transfers. This issue has been patched as of version `0.2.1`. Users of the Solana Pay SDK should upgrade to it. There are no known workarounds for this issue.

Added on 2022-08-09

CVE-2022-31148, GHSA-5834-xv5q-cgfw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/shopware/platform

Shopware is an open source e-commerce software. In versions from 5.7.0 a persistent cross site scripting (XSS) vulnerability exists in the customer module. Users are recommended to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Added on 2022-08-09

CVE-2022-35915, GHSA-7grf-83vw-6f5x

Uncontrolled Resource Consumption in npm/openzeppelin-solidity

OpenZeppelin Contracts is a library for secure smart contract development. The target contract of an EIP-165 `supportsInterface` query can cause unbounded gas consumption by returning a lot of data, while it is generally assumed that this operation has a bounded cost. The issue has been fixed in v4.7.2. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-wr4v-3f2h-6hhh, CVE-2020-28443

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/sonar-wrapper

This affects all versions of package sonar-wrapper. The injection point is located in lib/sonarRunner.js.

Added on 2022-08-09

GHSA-54w4-2f2p-f48h, CVE-2020-28438

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/deferred-exec

This affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js.

Added on 2022-08-09

GHSA-v4hr-4jpx-56gc, CVE-2022-35918

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/streamlit

Streamlit is a data oriented application development framework for Python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the Streamlit server would process that URL and return the contents of that file or overwrite existing files on the web server. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-4vq7-8699-4xgc, CVE-2022-34558

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/reqmgr2

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.

Added on 2022-08-09

CVE-2022-31177, GHSA-32ff-4g79-vgfc

Use of Password Hash With Insufficient Computational Effort in pypi/Flask-AppBuilder

Flask-AppBuilder is an application development framework built on top of the Flask Python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed password strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.

Added on 2022-08-09

CVE-2022-31148, GHSA-5834-xv5q-cgfw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/shopware/shopware

Shopware is an open source e-commerce software. In versions from 5.7.0 a persistent cross site scripting (XSS) vulnerability exists in the customer module. Users are recommended to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Added on 2022-08-09

GHSA-4vq7-8699-4xgc, CVE-2022-34558

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/wmagent

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.

Added on 2022-08-09

GHSA-4vq7-8699-4xgc, CVE-2022-34558

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/reqmon

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.

Added on 2022-08-09

GHSA-4vq7-8699-4xgc, CVE-2022-34558

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/global-workqueue

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.

Added on 2022-08-09

GHSA-w7f5-jrpr-5c2m, CVE-2022-36364

Improper Initialization in maven/org.apache.calcite.avatica/avatica-core

The Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via the `httpclient_impl` connection property; however, the driver does not verify that the class implements the expected interface before instantiating it, which can lead to execution of code loaded from arbitrary classes and, in rare cases, remote code execution. To exploit the vulnerability: 1) the attacker needs privileges to control JDBC connection parameters; and 2) there must be a vulnerable class (one with a constructor taking a URL parameter and the ability to execute code) on the classpath. From Apache Calcite Avatica 1.22.0 onwards, the driver verifies that the class implements the expected interface before invoking its constructor.

Added on 2022-08-09

CVE-2022-35920, GHSA-8cw9-5hmv-77w6

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/sanic

Sanic is an open source Python web server/framework. Affected versions of Sanic allow access to lateral directories when using `app.static` if encoded `%2F` URLs are used. Parent directory traversal is not impacted. Users are advised to upgrade. There is no known workaround for this issue.

Added on 2022-08-09

GHSA-q8hg-3vqv-f8v3, CVE-2022-2523

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/fava

Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2.

Added on 2022-08-09

GHSA-xrf4-39fm-j5f2, CVE-2022-2514

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/fava

The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages, which contained the parameters verbatim.

Added on 2022-08-09

CVE-2022-31194, GHSA-qp5m-c3m9-8q2p

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI resumable upload implementations in SubmissionController and FileUploadRequest are vulnerable to multiple path traversal attacks, allowing an attacker to create files/directories anywhere on the server writable by the Tomcat/DSpace user by modifying some request parameters during submission. This path traversal can only be executed by a user with special privileges (submitter rights). This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds. However, this vulnerability cannot be exploited by an anonymous user or a basic user. The user must first have submitter privileges to at least one Collection and be able to determine how to modify the request parameters to exploit the vulnerability.

Added on 2022-08-09

GHSA-763j-q7wv-vf3m, CVE-2022-31193

URL Redirection to Untrusted Site ('Open Redirect') in maven/org.dspace/dspace-jspui

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2022-08-09

CVE-2022-31190, GHSA-7w85-pp86-p4pq

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. dspace-xmlui is a UI component for DSpace. In affected versions metadata on a withdrawn Item is exposed via the XMLUI "mets.xml" object, as long as you know the handle/URL of the withdrawn Item. This vulnerability only impacts the XMLUI. Users are advised to upgrade to version 6.4 or newer.

Added on 2022-08-09

CVE-2022-31193, GHSA-763j-q7wv-vf3m

URL Redirection to Untrusted Site ('Open Redirect') in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI controlled vocabulary servlet is vulnerable to an open redirect attack, where an attacker can craft a malicious URL that looks like a legitimate DSpace/repository URL. When that URL is clicked by the target, it redirects them to a site of the attacker's choice. This issue has been patched in versions 5.11 and 6.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2022-08-09

CVE-2022-31148, GHSA-5834-xv5q-cgfw

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/shopware/core

Shopware is an open source e-commerce software. In versions from 5.7.0, a persistent cross-site scripting (XSS) vulnerability exists in the customer module. Users are recommended to update to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Added on 2022-08-09

CVE-2022-31109, GHSA-8274-h5jp-97vr

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/laminas/laminas-diactoros

laminas-diactoros is a PHP package containing implementations of the PSR-7 HTTP message interfaces and PSR-17 HTTP message factory interfaces. Applications that use Diactoros, and are either not behind a proxy, or can be accessed via untrusted proxies, can potentially have the host, protocol, and/or port of a `Laminas\Diactoros\Uri` instance associated with the incoming server request modified to reflect values from `X-Forwarded-*` headers. Such changes can potentially lead to XSS attacks (if a fully-qualified URL is used in links) and/or URL poisoning. Since the `X-Forwarded-*` headers do have valid use cases, particularly in clustered environments using a load balancer, the library offers mitigation measures only in the v2 releases, as doing otherwise would break these use cases immediately. Users of v2 releases from 2.11.1 can provide an additional argument to `Laminas\Diactoros\ServerRequestFactory::fromGlobals()` in the form of a `Laminas\Diactoros\RequestFilter\RequestFilterInterface` instance, including the shipped `Laminas\Diactoros\RequestFilter\NoOpRequestFilter` implementation which ignores the `X-Forwarded-*` headers. Starting in version 3.0, the library will reverse behavior to use the `NoOpRequestFilter` by default, and require users to opt-in to `X-Forwarded-*` header usage via a configured `Laminas\Diactoros\RequestFilter\LegacyXForwardedHeaderFilter` instance. Users are advised to upgrade to version 2.11.1 or later to resolve this issue. Users unable to upgrade may configure web servers to reject `X-Forwarded-*` headers at the web server level.

Added on 2022-08-09

GHSA-6gjm-6wj6-4px5, CVE-2022-35921

Improper Privilege Management in packagist/fof/byobu

fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1 should upgrade to Flarum 1.2 or later, or evaluate the impact this issue has on your forum's users and choose to disable the extension if needed. There are no workarounds for this issue.

Added on 2022-08-09

CVE-2022-31192, GHSA-4wm8-c2vv-xrpq

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. dspace-jspui is a UI component for DSpace. The JSPUI "Request a Copy" feature does not properly escape values submitted and stored from the "Request a Copy" form. This means that item requests could be vulnerable to XSS attacks. This vulnerability only impacts the JSPUI. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2022-08-09

GHSA-vjmr-6pmm-rprf, CVE-2022-34115

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in maven/io.dataease/dataease-plugin-common

DataEase v1.11.1 was discovered to contain an arbitrary file write vulnerability via the parameter dataSourceId.

Added on 2022-08-09

CVE-2022-31195, GHSA-8rmh-55h4-93h5

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.dspace/dspace-parent

DSpace open source software is a repository application which provides durable access to digital resources. In affected versions, the ItemImportServiceImpl is vulnerable to a path traversal vulnerability. This means a malicious SAF (simple archive format) package could cause a file/directory to be created anywhere the Tomcat/DSpace user can write to on the server. However, this path traversal vulnerability can only be exploited by a user with special privileges (either Administrators or someone with command-line access to the server). This vulnerability impacts the XMLUI, JSPUI and command-line. Users are advised to upgrade. As a basic workaround, users may block all access to the following URL paths: if you are using the XMLUI, block all access to the /admin/batchimport path (this is the URL of the Admin Batch Import tool); keep in mind, if your site uses the path "/xmlui", then you would need to block access to /xmlui/admin/batchimport. If you are using the JSPUI, block all access to the /dspace-admin/batchimport path (this is the URL of the Admin Batch Import tool); keep in mind, if your site uses the path "/jspui", then you would need to block access to /jspui/dspace-admin/batchimport. Keep in mind that only an Administrative user or a user with command-line access to the server is able to import/upload SAF packages. Therefore, assuming those users do not blindly upload untrusted SAF packages, it is unlikely your site could be impacted by this vulnerability.

Added on 2022-08-09

GHSA-42wq-rch8-6f6j, CVE-2022-31175

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@ckeditor/ckeditor5-html-embed

CKEditor 5 is a JavaScript rich text editor. A cross-site scripting vulnerability has been discovered affecting three optional CKEditor 5 packages in versions prior to 35.0.1. The vulnerability allowed JavaScript code to be triggered after special conditions were fulfilled. The affected packages are `@ckeditor/ckeditor5-markdown-gfm`, `@ckeditor/ckeditor5-html-support`, and `@ckeditor/ckeditor5-html-embed`. The specific conditions are: 1) using one of the affected packages (in the case of `ckeditor5-html-support` and `ckeditor5-html-embed`, a configuration that allows unsafe markup inside the editor was additionally required); 2) destroying the editor instance; and 3) initializing the editor on an element other than `<textarea>` as a base. The root cause of the issue was a mechanism responsible for updating the source element with the markup coming from the CKEditor 5 data pipeline after destroying the editor. This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destruction and use the Markdown, General HTML Support or HTML embed features. The problem has been recognized and patched. The fix is available in version 35.0.1. There are no known workarounds for this issue.

Added on 2022-08-09

CVE-2022-34558

Code Injection in pypi/wmcore

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.

Added on 2022-08-05

CVE-2022-2596

Uncontrolled Resource Consumption in npm/node-fetch

Denial of Service in GitHub repository node-fetch/node-fetch prior to 3.2.10.

Added on 2022-08-05

GHSA-6qq8-5wq3-86rp, CVE-2020-15129

URL Redirection to Untrusted Site ('Open Redirect') in go/github.com/traefik/traefik/v2/pkg/api

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the "X-Forwarded-Prefix" header is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.

Added on 2022-08-05

GHSA-m6mg-jvjf-w44x, CVE-2020-28441

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/conf-cfg-ini

This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.

Added on 2022-08-05

CVE-2022-35118

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/pyrocms/pyrocms

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

Added on 2022-08-05

CVE-2022-34526

Out-of-bounds Write in conan/libtiff

A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file.

Added on 2022-08-05

GHSA-6qq8-5wq3-86rp, CVE-2020-15129

URL Redirection to Untrusted Site ('Open Redirect') in go/github.com/containous/traefik

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the "X-Forwarded-Prefix" header is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.

Added on 2022-08-05

GHSA-6qq8-5wq3-86rp, CVE-2020-15129

URL Redirection to Untrusted Site ('Open Redirect') in go/github.com/containous/traefik/v2/pkg/api

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the "X-Forwarded-Prefix" header is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.

Added on 2022-08-05

GHSA-6qq8-5wq3-86rp, CVE-2020-15129

URL Redirection to Untrusted Site ('Open Redirect') in go/github.com/traefik/traefik/api

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the "X-Forwarded-Prefix" header is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.

Added on 2022-08-05

GHSA-6qq8-5wq3-86rp, CVE-2020-15129

URL Redirection to Untrusted Site ('Open Redirect') in go/github.com/containous/traefik/v2

In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists a potential open redirect vulnerability in Traefik's handling of the "X-Forwarded-Prefix" header. The Traefik API dashboard component does not validate that the value of the "X-Forwarded-Prefix" header is a site-relative path and will redirect to any header-provided URI. Successful exploitation of an open redirect can be used to entice victims to disclose sensitive information. Active exploitation of this issue is unlikely as it would require active header injection; however, the Traefik team addressed this issue nonetheless to prevent abuse in, e.g., cache poisoning scenarios.

Added on 2022-08-05

CVE-2022-36902

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/com.moded.extendedchoiceparameter/dynamic_extended_choice_parameter

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Added on 2022-08-04

CVE-2022-36904

Missing Authorization in maven/org.jvnet.hudson.plugins/repository-connector

Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Added on 2022-08-04

CVE-2022-36903

Missing Authorization in maven/org.jvnet.hudson.plugins/repository-connector

A missing permission check in Jenkins Repository Connector Plugin 2.2.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Added on 2022-08-04

CVE-2022-34140

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/feehi/cms

A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.

Added on 2022-08-04

CVE-2022-36883

Missing Authorization in maven/org.jenkins-ci.plugins/git

A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

Added on 2022-08-04

CVE-2022-31169, GHSA-7f6x-jwh5-m9r4

Incorrect Calculation in pypi/wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform. Other platforms are not affected. The translation rules for constants do not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. The impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly but does affect the correctness of guest programs. This bug has been patched in Wasmtime version 0.38.2 and cranelift-codegen 0.85.2. There are no known workarounds.

Added on 2022-08-04

CVE-2022-36882

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/git

A cross-site request forgery (CSRF) vulnerability in Jenkins Git Plugin 4.11.3 and earlier allows attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.

Added on 2022-08-04

CVE-2022-31169, GHSA-7f6x-jwh5-m9r4

Incorrect Calculation in conan/wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform. Other platforms are not affected. The translation rules for constants do not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. The impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly but does affect the correctness of guest programs. This bug has been patched in Wasmtime version 0.38.2 and cranelift-codegen 0.85.2. There are no known workarounds.

Added on 2022-08-04

CVE-2022-2564

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/mongoose

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

Added on 2022-08-04

CVE-2022-31169, GHSA-7f6x-jwh5-m9r4

Incorrect Calculation in nuget/Wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform. Other platforms are not affected. The translation rules for constants do not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. The impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly but does affect the correctness of guest programs. This bug has been patched in Wasmtime version 0.38.2 and cranelift-codegen 0.85.2. There are no known workarounds.

Added on 2022-08-04

CVE-2022-36884

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.jenkins-ci.plugins/git

The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provides unauthenticated attackers with information about the existence of jobs configured to use an attacker-specified Git repository.

Added on 2022-08-04

CVE-2022-36885

Observable Timing Discrepancy in maven/com.coravy.hudson.plugins.github/github

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

Added on 2022-08-04

CVE-2022-36919

Missing Authorization in maven/org.jenkins-ci.plugins/coverity

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Added on 2022-08-04

CVE-2022-31169, GHSA-7f6x-jwh5-m9r4

Incorrect Calculation in go/github.com/bytecodealliance/wasmtime-go

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2. This issue only affects the AArch64 platform. Other platforms are not affected. The translation rules for constants do not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. The impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly but does affect the correctness of guest programs. This bug has been patched in Wasmtime version 0.38.2 and cranelift-codegen 0.85.2. There are no known workarounds.

Added on 2022-08-04

GHSA-hxrm-9w7p-39cc, CVE-2020-1045

Cookie parsing failure in nuget/Microsoft.AspNetCore.App.Ref

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings, which could allow a malicious attacker to set a second cookie with a percent-encoded name. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names, aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.

Added on 2022-08-04

CVE-2022-36891

Missing Authorization in maven/org.jenkins-ci.plugins/deployer-framework

A missing permission check in Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier allows attackers with Item/Read permission but without Deploy Now/Deploy permission to read deployment logs.

Added on 2022-08-04

CVE-2022-36920

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/coverity

A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2022-08-04

CVE-2022-36889

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.jenkins-ci.plugins/deployer-framework

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment, allowing attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service.

Added on 2022-08-04

CVE-2022-36921

Missing Authorization in maven/org.jenkins-ci.plugins/coverity

A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Added on 2022-08-04

CVE-2022-36890

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.jenkins-ci.plugins/deployer-framework

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Added on 2022-08-04

CVE-2022-34971

Unrestricted Upload of File with Dangerous Type in packagist/feehi/cms

An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.

Added on 2022-08-03

GHSA-xg72-6c83-ghh4, CVE-2022-2495

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/microweber/microweber

Cross-site Scripting (XSS) prior to 1.2.21.

Added on 2022-08-03

CVE-2021-33452

Missing Release of Memory after Effective Lifetime in nuget/nasm

An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_malloc() in nasmlib/alloc.c.

Added on 2022-08-03

GHSA-w868-4576-rv24, CVE-2020-28446

Improper Neutralization of Special Elements used in a Command ('Command Injection') in npm/ntesseract

The package ntesseract before 0.2.9 is vulnerable to Command Injection via lib/tesseract.js.

Added on 2022-08-03

CVE-2021-33450

Missing Release of Memory after Effective Lifetime in nuget/nasm

An issue was discovered in NASM version 2.16rc0. There are memory leaks in nasm_calloc() in nasmlib/alloc.c.

Added on 2022-08-03

CVE-2022-35924, GHSA-xv97-c62v-4587

Improper Input Validation in npm/next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (e.g. `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker's and the victim's e-mail addresses. The attacker could then log in as a newly created user with the email `attacker@attacker.com,victim@victim.com`. This means that a basic authorization check like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address (e.g. strict RFC 2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.

Added on 2022-08-03

CVE-2022-35650

Improper Input Validation in packagist/moodle/moodle

The vulnerability, found in Moodle, occurs due to an input validation error when importing lesson questions. Insufficient path checks result in an arbitrary file read risk. This vulnerability allows a remote attacker to perform directory traversal attacks. The capability to access this feature is only available to teachers, managers and admins by default.

Added on 2022-08-02

CVE-2022-35652

URL Redirection to Untrusted Site ('Open Redirect') in packagist/moodle/moodle

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in the mobile auto-login feature. A remote attacker can create a link that appears to lead to a trusted website; however, when clicked, it redirects victims to an arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Added on 2022-08-02

CVE-2022-24294

Inefficient Regular Expression Complexity in maven/org.bytedeco/mxnet

A regular expression used in Apache MXNet (incubating) is vulnerable to a potential denial-of-service by excessive resource consumption. The bug could be exploited when loading a model in Apache MXNet that has a specially crafted operator name that would cause the regular expression evaluation to use excessive resources to attempt a match. This issue affects Apache MXNet versions prior to 1.9.1.

Added on 2022-08-02

CVE-2022-31471

Improper Restriction of XML External Entity Reference in pypi/untangle

untangle is a Python library to convert XML data to Python objects. untangle versions 1.2.0 and earlier improperly restrict XML external entity references. By exploiting this vulnerability, a remote unauthenticated attacker may read the contents of local files.

Added on 2022-08-02

CVE-2022-33977

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in pypi/untangle

untangle is a Python library to convert XML data to Python objects. untangle versions 1.2.0 and earlier improperly restrict recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on the server where the product is running.

Added on 2022-08-02

CVE-2021-23397

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/merge

All versions of the package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. The maintainer suggests using @generates/merger instead.

Added on 2022-08-02

CVE-2022-35649

Improper Input Validation in packagist/moodle/moodle

The vulnerability was found in Moodle and occurs due to improper input validation when parsing PostScript code. An omitted execution parameter results in a remote code execution risk for sites running GhostScript versions older than 9.50. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Added on 2022-08-02

CVE-2022-34983

Code Injection in pypi/scu_captcha

The scu-captcha package in PyPI v0.0.1 to v0.0.4 included a code execution backdoor inserted by a third party.

Added on 2022-08-01

CVE-2022-34981

Code Injection in pypi/PyCrowdTangle

The PyCrowdTangle package in PyPI before v0.0.1 included a code execution backdoor inserted by a third party.

Added on 2022-08-01

CVE-2022-35131, GHSA-ww2v-frv5-pj5x

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/joplin

Joplin v2.8.8 allows attackers to execute arbitrary commands via a crafted payload injected into the Node titles.

Added on 2022-08-01

CVE-2022-34509

Code Injection in pypi/wikifaces

The wikifaces package in PyPI v1.0 included a code execution backdoor inserted by a third party.

Added on 2022-08-01

CVE-2022-34749, GHSA-fw3v-x4f2-v673

Mistune v2.0.2 vulnerable to catastrophic backtracking in pypi/mistune

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

Added on 2022-08-01

CVE-2022-35653

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks. This vulnerability does not impact authenticated users.

Added on 2022-08-01

GHSA-xg72-6c83-ghh4, CVE-2022-2495

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/microweber/microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

Added on 2022-08-01

CVE-2022-21824

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in pypi/mysql-connector-python

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.

Added on 2022-08-01

CVE-2022-35651

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

A stored XSS and blind SSRF vulnerability was found in Moodle and occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Added on 2022-08-01

CVE-2022-21824

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in maven/mysql-connector-java

Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null prototype for the object these properties are being assigned to.

Added on 2022-08-01

GHSA-678x-xfp4-r92r, CVE-2009-0039

Cross-Site Request Forgery (CSRF) in maven/org.apache.geronimo.plugins/console

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.

Added on 2022-08-01

GHSA-r4mw-gxf7-vxr9, CVE-2020-0606

Improper Input Validation in nuget/Microsoft.WindowsDesktop.App.Ref

A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user, aka '.NET Framework Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0605.

Added on 2022-08-01

CVE-2022-34266

Use of Uninitialized Resource in conan/libtiff

The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

Added on 2022-08-01

GHSA-hxrm-9w7p-39cc, CVE-2020-1045

Cookie parsing failure in nuget/Microsoft.AspNetCore.Owin

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names. The ASP.NET Core cookie parser decodes entire cookie strings, which could allow a malicious attacker to set a second cookie with the name being percent encoded. The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names, aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.

Added on 2022-08-01

CVE-2022-31146, GHSA-5fhj-g3p3-pq9g

Use After Free in conan/wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd, leading later to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types` or downgrading to Wasmtime 0.36.0 or prior.

Added on 2022-07-29

CVE-2022-31146, GHSA-5fhj-g3p3-pq9g

Use After Free in go/github.com/bytecodealliance/wasmtime-go

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd, leading later to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types` or downgrading to Wasmtime 0.36.0 or prior.

Added on 2022-07-29

CVE-2022-34037, GHSA-m7gr-5w5g-36jf

Out-of-bounds Read can lead to client side denial of service in go/github.com/caddyserver/caddy

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI.

Added on 2022-07-29

CVE-2022-31146, GHSA-5fhj-g3p3-pq9g

Use After Free in nuget/Wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd, leading later to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types` or downgrading to Wasmtime 0.36.0 or prior.

Added on 2022-07-29

CVE-2022-21802

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/grapesjs

The package grapesjs before 0.19.5 is vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager.

Added on 2022-07-29

CVE-2022-35912, GHSA-6rh6-x8ww-9h97

Remote Code Execution in maven/org.grails/grails-core

In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.

Added on 2022-07-29

CVE-2022-31146, GHSA-5fhj-g3p3-pq9g

Use After Free in pypi/wasmtime

Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, where functions using reference types may be incorrectly missing metadata required for runtime garbage collection. This means that if a GC happens at runtime then the GC pass will mistakenly think these functions do not have live references to GC'd values, reclaiming them and deallocating them. The function will then subsequently continue to use the values assuming they had not been GC'd, leading later to a use-after-free. This bug was introduced in the migration to the `regalloc2` register allocator that occurred in the Wasmtime 0.37.0 release on 2022-05-20. This bug has been patched and users should upgrade to Wasmtime version 0.38.2. Mitigations for this issue can be achieved by disabling the reference types proposal by passing `false` to `wasmtime::Config::wasm_reference_types` or downgrading to Wasmtime 0.36.0 or prior.

Added on 2022-07-29

GHSA-9772-cwx9-r4cj, CVE-2014-4616

Improper Validation of Array Index in pypi/simplejson

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

Added on 2022-07-29

GHSA-gwf7-vfjf-wf6x, CVE-2019-11842

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in pypi/matrix-sydent

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

Added on 2022-07-29

GHSA-v64w-96p6-fx7w, CVE-2013-1777

Improper Control of Generation of Code ('Code Injection') in maven/org.apache.geronimo.framework/geronimo-jmx-remoting

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.

Added on 2022-07-29

GHSA-cv78-v957-jx34, CVE-2020-7599

Insertion of Sensitive Information into Log File in maven/com.gradle.plugin-publish/com.gradle.plugin-publish.gradle.plugin

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI), this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

Added on 2022-07-29

GHSA-c2pj-rr68-pw94, CVE-2022-34112

Dataease before 1.11.2 access control issue allows attackers to arbitrarily uninstall plugin in maven/io.dataease/dataease-plugin-common

An access control issue in the component /api/plugin/uninstall of Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator.

Added on 2022-07-29

GHSA-5469-c5p2-xv5g, CVE-2022-34113

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/io.dataease/dataease-plugin-common

An issue in the component /api/plugin/upload of Dataease v1.11.1 allows attackers to execute arbitrary code via a crafted plugin.

Added on 2022-07-29

GHSA-2jxh-3cx8-xw65, CVE-2006-0254

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/geronimo/geronimo-console-standard

Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer.

Added on 2022-07-29

GHSA-cfcg-2qgr-v243, CVE-2022-2470

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/microweber/microweber

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

Added on 2022-07-29