Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory Database within 1.3 days (on average).

CVE-2022-28066

Out-of-bounds Read in conan/libarchive

Libarchive v3.6.0 was discovered to contain a read memory access vulnerability via the function lzma_decode.

Added on 2022-05-13

CVE-2022-25645

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/dset

All versions of package dset are vulnerable to Prototype Pollution via `dset/merge` mode, as the dset function checks for prototype pollution by validating whether the top-level path contains `__proto__`, `constructor` or `prototype`. By crafting a malicious object, it is possible to bypass this check and achieve prototype pollution.

Added on 2022-05-13

CVE-2022-21230, GHSA-2r85-x9cf-8fcg

Incorrect Permission Assignment for Critical Resource in maven/org.nanohttpd/nanohttpd

Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a `RandomAccessFile` when it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. **Workaround:** Manually specifying the `-Djava.io.tmpdir=` argument when launching Java to set the temporary directory to a directory exclusively controlled by the current user can fix this issue.

Added on 2022-05-13

CVE-2022-1473

Improper Resource Shutdown or Release in conan/openssl

The `OPENSSL_LH_flush()` function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will expand without bounds and the process might be terminated by the operating system, causing a denial of service. Also, traversing the empty hash table entries will take increasingly more time. Typically such long-lived processes might be TLS clients or TLS servers configured to accept client certificate authentication.

Added on 2022-05-13

CVE-2022-0985

Improper Authentication in packagist/moodle/moodle

Insufficient capability checks could allow users with the `moodle/site:uploadusers` capability to delete users, without having the necessary `moodle/user:delete` capability.

Added on 2022-05-13

CVE-2022-1292

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in conan/openssl

The `c_rehash` script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the `c_rehash` script is considered obsolete and should be replaced by the OpenSSL `rehash` command line tool.

Added on 2022-05-13

CVE-2022-24892, GHSA-3qrq-r688-vvh4

Weak Password Recovery Mechanism for Forgotten Password in packagist/shopware/core

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victim's email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

Added on 2022-05-12

CVE-2022-29265

Improper Restriction of XML External Entity Reference in maven/org.apache.nifi/nifi

Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:

- `EvaluateXPath`
- `EvaluateXQuery`
- `ValidateXml`

Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.

Added on 2022-05-12

CVE-2021-41959

Missing Release of Memory after Effective Lifetime in conan/jerryscript

JerryScript Git version 14ff5bf does not sufficiently track and release allocated memory via `jerry-core/ecma/operations/ecma-regexp-object.c` after `RegExp`, which causes a memory leak.

Added on 2022-05-12

CVE-2022-0984

Incorrect Authorization in packagist/moodle/moodle

Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.

Added on 2022-05-12

CVE-2021-22573

Improper Verification of Cryptographic Signature in maven/com.google.oauth-client/google-oauth-client

The IDToken verifier does not verify that the token is properly signed. Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with a custom payload, and the token will pass validation on the client side. We recommend upgrading to version 1.33.3 or above.

Added on 2022-05-12

CVE-2022-24892, GHSA-3qrq-r688-vvh4

Weak Password Recovery Mechanism for Forgotten Password in packagist/shopware/platform

Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victim's email account and find an unused password reset token in the emails. This issue is fixed in version 5.7.9.

Added on 2022-05-12

CVE-2022-27313

Improper Input Validation in go/github.com/go-gitea/gitea

An arbitrary file deletion vulnerability in Gitea v1.16.3 allows attackers to cause a Denial of Service (DoS) via deleting the configuration file.

Added on 2022-05-12

CVE-2021-46440

Insecure Storage of Sensitive Information in npm/strapi

Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.

Added on 2022-05-12

CVE-2022-29824

Integer Overflow or Wraparound in nuget/libxml2.vc140_xp.mt.static.x86

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Added on 2022-05-10

CVE-2022-29167

Regular Expression Denial of Service in npm/hawk

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those are used instead of a call to `utils.parseHost()`.

Added on 2022-05-10

GHSA-269q-hmxg-m83q, CVE-2022-24823

Local Information Disclosure Vulnerability in io.netty:netty-codec-http in maven/io.netty/netty-codec-http

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.

Added on 2022-05-10

CVE-2022-29824

Integer Overflow or Wraparound in conan/libxml2

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Added on 2022-05-10

CVE-2022-29824

Integer Overflow or Wraparound in nuget/libxml2

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Added on 2022-05-10

CVE-2022-23063

Insufficient Session Expiration in maven/com.shopizer/shopizer

Shopizer versions 2.3.0 to 3.0.1 are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user who was already logged in will still have access to the application even after the password was changed.

Added on 2022-05-10

CVE-2022-1214

Exposure of Sensitive Information to an Unauthorized Actor in npm/axios

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Added on 2022-05-10

CVE-2022-24873, GHSA-4g29-fccr-p59w

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/shopware/core

Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

Added on 2022-05-09

CVE-2022-1511

Incorrect Authorization in packagist/snipe/snipe-it

Improper Access Control in GitHub repository snipe/snipe-it prior to 5.4.4.

Added on 2022-05-09

CVE-2022-24873, GHSA-4g29-fccr-p59w

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/shopware/platform

Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

Added on 2022-05-09

CVE-2022-24879, GHSA-pf38-v6qj-j23h

Cross-Site Request Forgery (CSRF) in packagist/shopware/platform

Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to a malfunction in cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

Added on 2022-05-09

CVE-2022-24879, GHSA-pf38-v6qj-j23h

Cross-Site Request Forgery (CSRF) in packagist/shopware/core

Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to a malfunction in cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

Added on 2022-05-09

CVE-2022-23060

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/com.shopizer/shopizer

A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer versions 2.0 through 2.17.0, where a privileged user (attacker) can inject malicious JavaScript in the filename under the "Manage files" tab.

Added on 2022-05-09

CVE-2022-23061

Authorization Bypass Through User-Controlled Key in maven/com.shopizer/shopizer

In Shopizer versions 2.0 to 2.17.0, a regular admin can permanently delete a superadmin (although this should not be possible according to the documentation) via an Insecure Direct Object Reference (IDOR) vulnerability.

Added on 2022-05-09

CVE-2022-1466

Incorrect Authorization in npm/keycloak-connect

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

Added on 2022-05-09

GHSA-5pv7-hx9m-8jh3, CVE-2022-29051

Missing Authorization in maven/org.jenkins-ci.plugins/publish-over-ftp

Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

Added on 2022-05-06

CVE-2022-28366

Uncontrolled Resource Consumption in maven/org.owasp.antisamy/antisamy

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.

Added on 2022-05-06

GHSA-6346-5r4h-ff5x, CVE-2022-1555

Microweber vulnerable to cross-site scripting (XSS) in packagist/microweber/microweber

DOM XSS in Microweber 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. An attacker can inject arbitrary JavaScript code, deface the website, or steal cookies.

Added on 2022-05-06

GHSA-8wp2-vxpg-xcvp, CVE-2022-1457

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/neorazorx/facturascripts

Stored XSS in the title parameter, executed on the EditUser page and the EditProducto page, in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

Added on 2022-05-06

CVE-2022-28506

Out-of-bounds Write in conan/giflib

There is a heap buffer overflow in the GIFLIB 5.2.1 function DumpScreen2RGB() at gif2rgb.c:298:45.

Added on 2022-05-06

GHSA-6jv7-28mv-qp9c, CVE-2022-25195

Missing Authorization in maven/io.jenkins.plugins/autonomiq

A missing permission check in Jenkins autonomiq Plugin 1.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Added on 2022-05-05

CVE-2022-28366

Uncontrolled Resource Consumption in maven/net.sourceforge.htmlunit/htmlunit

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.

Added on 2022-05-05

GHSA-g5wh-fw4m-2v28, CVE-2022-25194

Cross-Site Request Forgery (CSRF) in maven/io.jenkins.plugins/autonomiq

A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq Plugin 1.15 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

Added on 2022-05-05

CVE-2022-29546, GHSA-6jmm-mp6w-4rrg

Uncontrolled Resource Consumption in maven/net.sourceforge.htmlunit/htmlunit

HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.

Added on 2022-05-05

GHSA-gg9m-x3cg-69vh, CVE-2022-20621

Insufficiently Protected Credentials in maven/org.jenkins-ci.plugins/metrics

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Added on 2022-05-05

CVE-2022-29548

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.wso2.identity/identity-server-parent

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

Added on 2022-05-05

GHSA-773h-w45w-f2f9, CVE-2022-21144

Denial of service vulnerability exists in libxmljs in npm/libxmljs

This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument, the V8 code will attempt to invoke the .toString method of the argument. If the argument's toString value is not a Function object, V8 will crash.

Added on 2022-05-05

GHSA-m2h2-264f-f486, CVE-2022-25844

angular vulnerable to regular expression denial of service (ReDoS) in npm/angular

The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.

Added on 2022-05-05

GHSA-6w39-qhmq-g8cp, CVE-2022-29050

Cross-Site Request Forgery (CSRF) in maven/org.jenkins-ci.plugins/publish-over-ftp

A cross-site request forgery (CSRF) vulnerability in Jenkins Publish Over FTP Plugin 1.16 and earlier allows attackers to connect to an FTP server using attacker-specified credentials.

Added on 2022-05-05

GHSA-qf8x-vqjv-92gr, CVE-2022-24901

Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter in npm/parse-server

Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.

Added on 2022-05-05

CVE-2021-41948, GHSA-jv64-2m3x-6v4q

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/intelliants/subrion

A cross-site scripting (XSS) vulnerability exists in the "contact us" plugin for Subrion CMS versions <= 4.2.1 via "List of subjects".

Added on 2022-05-05

GHSA-5hjh-c26m-xw8w, CVE-2022-25850

ProxyScotch is vulnerable to Server-Side Request Forgery (SSRF) in go/github.com/hoppscotch/proxyscotch

The package github.com/hoppscotch/proxyscotch before 1.0.0 is vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted URL submitted by a user. It leads to a leakage of sensitive information from the server.

Added on 2022-05-05

GHSA-27rq-4943-qcwp, CVE-2022-29810

Insertion of Sensitive Information into Log File in Hashicorp go-getter in go/github.com/hashicorp/go-getter

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

Added on 2022-05-04

GHSA-vmp5-c5hp-6c65, CVE-2022-29947

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/woodpecker-ci/woodpecker

Woodpecker before 0.15.1 allows XSS via build logs because web/src/components/repo/build/BuildLog.vue lacks escaping.

Added on 2022-05-04

CVE-2022-29970, GHSA-qp49-3pvw-x4m5

sinatra does not validate expanded path matches in gem/sinatra

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Added on 2022-05-04

GHSA-f9p3-h6cg-2cjr, CVE-2022-1544

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/luyadev/yii-helpers

Formula Injection/CSV Injection due to Improper Neutralization of Formula Elements in a CSV File in GitHub repository luyadev/yii-helpers prior to 1.2.1. Successful exploitation can lead to impacts such as client-side command injection, code execution, or remote exfiltration of contained confidential data.

Added on 2022-05-04

CVE-2022-29548

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.wso2.am.microgw/org.wso2.micro.gateway.core

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

Added on 2022-05-04

GHSA-6v73-fgf6-w5j7, CVE-2022-22963

Improper Control of Generation of Code ('Code Injection') in maven/org.springframework.cloud/spring-cloud-function-context

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

Added on 2022-05-04

CVE-2022-1445

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/snipe/snipe-it

Stored Cross Site Scripting vulnerability in the checked_out_to parameter in GitHub repository snipe/snipe-it prior to 5.4.3. The vulnerability can be used to steal the user's cookie.

Added on 2022-05-04

CVE-2022-23064, GHSA-9vh6-qfv6-vcqp

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in packagist/snipe/snipe-it

Snipe-IT versions v3.0-alpha to v5.3.7 are vulnerable to Host Header Injection. By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server, leaking the password reset token. This leads to account takeover.

Added on 2022-05-04

GHSA-7jvx-f994-rfw2, CVE-2022-25349

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/materialize-css

All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escaping of user input (such as `<not-a-tag />`) that is parsed as HTML/JavaScript and inserted into the Document Object Model (DOM). This vulnerability can be exploited when the user input is provided to the autocomplete component.

Added on 2022-05-04

CVE-2022-24872, GHSA-9wrv-g75h-8ccc

Incorrect Permission Assignment for Critical Resource in packagist/shopware/shopware

Shopware is an open commerce platform based on the Symfony Framework and Vue. Permissions set on the sales channel context by the admin-api are still usable within a normal user session. Users are advised to update to the current version 6.4.10.1. For older versions 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.

Added on 2022-05-04

GHSA-9hgc-wpc5-v8p9, CVE-2022-1530

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/remdex/livehelperchat

Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. An attacker can execute malicious JavaScript in the application.

Added on 2022-05-04

CVE-2022-29548

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.wso2.carbon.analytics-common/org.wso2.carbon.event.publisher.core

A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.

Added on 2022-05-03

GHSA-pxpf-v376-7xx5, CVE-2022-25854

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/@yaireo/tagify

This affects the package @yaireo/tagify before 4.9.8. The package is used for rendering UI components inside the input or text fields, and an attacker can pass a malicious placeholder value to it to fire the XSS payload.

Added on 2022-05-03

CVE-2022-1227, GHSA-66vw-v2x9-hw75

Podman publishes a malicious image to public registries in go/github.com/containers/podman

A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.

Added on 2022-05-03

GHSA-hx8w-ghh8-r4xf, CVE-2021-4200

Improper Privilege Management in go/github.com/rancher/rancher

An Improper Privilege Management vulnerability in SUSE Rancher allows write access to the Catalog for any user when the restricted-admin role is enabled. This issue affects SUSE Rancher: Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

Added on 2022-05-03

GHSA-4fc7-hc63-7fjg, CVE-2021-36778

Exposure of repository credentials to external third-party sources in Rancher in go/github.com/rancher/rancher

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects SUSE Rancher: Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.

Added on 2022-05-03

CVE-2021-3450

Improper Certificate Validation in maven/mysql-connector-java

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

Added on 2022-05-03

GHSA-jwvr-vv7p-gpwq, CVE-2021-36784

Improper Privilege Management in go/github.com/rancher/rancher

An Improper Privilege Management vulnerability in SUSE Rancher allows users with the restricted-admin role to escalate to full admin. This issue affects SUSE Rancher: Rancher versions prior to 2.5.13; Rancher versions prior to 2.6.4.

Added on 2022-05-03

CVE-2021-3450

Improper Certificate Validation in pypi/mysql-connector-python

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).

Added on 2022-05-03