Recently Added Advisories

Advisories that have been merged within the last 14 days are listed below (sorted from newest to oldest).
Advisories published through NVD are available in the GitLab Advisory Database within 1.6 days (on average).

GHSA-r833-w756-h5p2, CVE-2024-24776

Improper Access Control in go/github.com/mattermost/mattermost/server/v8

Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.

Added on 2024-02-20

GHSA-x7r4-26m9-hmgq, CVE-2008-5153

Improper Link Resolution Before File Access ('Link Following') in packagist/moodle/moodle

spell-check-logic.cgi in Moodle 1.8.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/spell-check-debug.log, (2) /tmp/spell-check-before, or (3) /tmp/spell-check-after temporary file.

Added on 2024-02-20

GHSA-9qr2-fx2g-pfvh, CVE-2008-4104

Improper Link Resolution Before File Access ('Link Following') in packagist/joomla/framework

Multiple open redirect vulnerabilities in Joomla! 1.5 before 1.5.7 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a "passed in" URL.

Added on 2024-02-20

GHSA-2mx7-xvfg-fg53, CVE-2023-47798

Session Fixation in maven/com.liferay.portal/release.portal.bom

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Added on 2024-02-19

GHSA-x337-43mr-gg3h, CVE-2008-1728

Ignite Realtime Openfire allows remote authenticated users to cause a denial of service in maven/org.igniterealtime.openfire/openfire

ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service (daemon outage) by triggering large outgoing queues without reading messages.

Added on 2024-02-19

GHSA-x337-43mr-gg3h, CVE-2008-1728

Ignite Realtime Openfire allows remote authenticated users to cause a denial of service in maven/org.igniterealtime.openfire/parent

ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service (daemon outage) by triggering large outgoing queues without reading messages.

Added on 2024-02-19

GHSA-9v9h-cgj8-h64p, CVE-2024-0727

Null pointer dereference in PKCS12 parsing in pypi/cryptography

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. The OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Added on 2024-02-19

GHSA-2jv5-9r88-3w3p, CVE-2024-24762

Uncontrolled Resource Consumption in pypi/starlette

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

Added on 2024-02-19

GHSA-8h4x-xvjp-vf99, CVE-2023-45860

Hazelcast Platform permission checking in CSV File Source connector in maven/com.hazelcast/hazelcast

In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

Added on 2024-02-19

GHSA-2mx7-xvfg-fg53, CVE-2023-47798

Session Fixation in maven/com.liferay.portal/release.dxp.bom

Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay DXP 7.2 before fix pack 5, and older unsupported versions does not invalidate existing user sessions, which allows remote authenticated users to remain authenticated after an account has been locked.

Added on 2024-02-19

CVE-2023-39196

Improper Authentication in maven/org.apache.ozone/ozone

Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.

Added on 2024-02-19

GHSA-5pvv-f8h3-gw96, CVE-2009-3696

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/phpmyadmin/phpmyadmin

Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.

Added on 2024-02-19

CVE-2023-39196

Improper Authentication in maven/org.apache.ozone/ozone-datanode

Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.

Added on 2024-02-19

CVE-2023-50298

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.solr/solr-core

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When the original SolrCloud is set up to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could set up a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From these versions on, only zkHost values that have the same server address (regardless of chroot) will use the given ZooKeeper credentials and ACLs when connecting.

Added on 2024-02-19

GHSA-xrf8-cmrg-7436, CVE-2023-31506

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/getgrav/grav

A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.

Added on 2024-02-19

GHSA-8h4x-xvjp-vf99, CVE-2023-45860

Hazelcast Platform permission checking in CSV File Source connector in maven/com.hazelcast/hazelcast-enterprise

In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem.

Added on 2024-02-19

GHSA-qh4q-fwf8-qqrw, CVE-2010-3198

Zope Denial of Service (DoS) vulnerability in ZServer in pypi/zope

ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions.

Added on 2024-02-19

GHSA-pmgm-h3cc-m4hj, CVE-2024-25466

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/react-native-document-picker

Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library component.

Added on 2024-02-19

GHSA-3787-6prv-h9w3, CVE-2024-24758

Exposure of Sensitive Information to an Unauthorized Actor in npm/undici

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but does not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-19

GHSA-8r33-q5j5-rh7g, CVE-2024-23448

Insertion of Sensitive Information into Log File in go/github.com/elastic/apm-server

An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted to ingest, this could lead to the insertion of sensitive or private information in the APM Server logs.

Added on 2024-02-19

GHSA-9f24-jqhm-jfcw, CVE-2024-24750

Uncontrolled Resource Consumption in npm/undici

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgrade should make sure to always consume the incoming body.

Added on 2024-02-19

GHSA-v53g-5gjp-272r, CVE-2024-25620

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go/helm.sh/helm/v3

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting does not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.

Added on 2024-02-16

CVE-2023-25365

Unrestricted Upload of File with Dangerous Type in packagist/october/october

Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows a local attacker to execute arbitrary code via the file type .mp3

Added on 2024-02-16

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/net.hasor/cobble-lang

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.checkerframework.annotatedlib/commons-io

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.commons/commons-io

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.diamondq.common/common-thirdparty.jcasbin

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-5mp4-32rr-v3x5, CVE-2024-25125

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/io.digdag/digdag-server

Digdag is an open source tool to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data's digdag workload automation system is susceptible to a path traversal vulnerability if it's configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.liferay/com.liferay.sass.compiler.jsass

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.virjar/ratel-api

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.smartboot.servlet/servlet-core

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

CVE-2023-51437

Observable Discrepancy in maven/org.apache.pulsar/pulsar-broker

Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file. Any component matching an above version running the SASL Authentication Provider is affected. That includes the Pulsar Broker, Proxy, Websocket Proxy, or Function Worker. 2.11 Pulsar users should upgrade to at least 2.11.3. 3.0 Pulsar users should upgrade to at least 3.0.2. 3.1 Pulsar users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, and earlier should upgrade to one of the above patched versions. For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/ .

Added on 2024-02-15

GHSA-gwrp-pvrq-jmwv, CVE-2021-29425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/com.cosium.vet/vet

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Added on 2024-02-15

GHSA-qr7h-8pv2-xvx2, CVE-2023-1971

Server-Side Request Forgery (SSRF) in packagist/yuan1994/tpadmin

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in yuan1994 tpAdmin 1.3.12. Affected is the function remote of the file application\admin\controller\Upload.php. The manipulation of the argument url leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225408. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-4576-pgh2-g34j, CVE-2024-24751

Incorrect Authorization in packagist/derhansen/sf_event_mgt

sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-14

GHSA-27pg-4cj6-8994, CVE-2023-1970

Unrestricted Upload of File with Dangerous Type in packagist/yuan1994/tpadmin

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in yuan1994 tpAdmin 1.3.12. This issue affects the function Upload of the file application\admin\controller\Upload.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-225407. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Added on 2024-02-14

GHSA-xwmv-cx7p-fqfc, CVE-2023-52430

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in go/github.com/greenpau/caddy-security

The caddy-security plugin 1.1.20 for Caddy allows reflected XSS via a GET request to a URL that contains an XSS payload and begins with either a /admin or /settings/mfa/delete/ substring.

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.win-x64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.linux-x64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.linux-arm

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.win-x86

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.osx-x64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.win-arm

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-4w4v-5hc9-xrr2, CVE-2024-21490

Inefficient Regular Expression Complexity in npm/angular

This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

Added on 2024-02-14

GHSA-h47m-3f78-qp9g, CVE-2024-25119

Exposure of Sensitive Information to an Unauthorized Actor in packagist/typo3/cms-core

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The plaintext value of `$GLOBALS['SYS']['encryptionKey']` was displayed in the editing forms of the TYPO3 Install Tool user interface. This allowed attackers to utilize the value to generate cryptographic hashes used for verifying the authenticity of HTTP request parameters. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this vulnerability.

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-5w2h-59j3-8x5w, CVE-2024-22188

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/typo3/cms-core

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in typo3/cms-core.

Added on 2024-02-14

GHSA-38r2-5695-334w, CVE-2024-25118

Exposure of Sensitive Information to an Unauthorized Actor in packagist/typo3/cms-core

TYPO3 is an open source PHP based web content management system released under the GNU GPL. Password hashes were being reflected in the editing forms of the TYPO3 backend user interface. This allowed attackers to crack the plaintext password using brute force techniques. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

Added on 2024-02-14

GHSA-rj3x-wvc6-5j66, CVE-2024-25121

Improper Access Control in packagist/typo3/cms-core

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`.

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-wf85-8hx9-gj7c, CVE-2024-25120

Improper Access Control in packagist/typo3/cms-core

TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue.

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.win-arm64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-68w7-72jg-6qpp, CVE-2024-0057

NuGet Client Security Feature Bypass Vulnerability in nuget/NuGet.CommandLine

.NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

Added on 2024-02-14

GHSA-g74q-5xw3-j7q9, CVE-2024-21386

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64

.NET Denial of Service Vulnerability

Added on 2024-02-14

GHSA-68w7-72jg-6qpp, CVE-2024-0057

NuGet Client Security Feature Bypass Vulnerability in nuget/NuGet.Packaging

.NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

Added on 2024-02-14

GHSA-6cwm-wm82-hgrw, CVE-2020-7924

Improper Certificate Validation in go/github.com/mongodb/mongo-tools

Usage of a specific command line parameter in MongoDB Tools, which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

Added on 2024-02-14

GHSA-cmh9-rx85-xj38, CVE-2024-25122

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gem/sidekiq-unique-jobs

sidekiq-unique-jobs is an open source project which prevents simultaneous Sidekiq jobs with the same unique arguments from running. Specially crafted GET request parameters handled by any of the following endpoints of sidekiq-unique-jobs' "admin" web UI (1. `/changelogs`, 2. `/locks` or 3. `/expiring_locks`) allow a super-user attacker, or an unwitting, but authorized, victim, who has received a disguised / crafted link, to successfully execute malicious code, which could potentially steal cookies, session data, or local storage data from the app the sidekiq-unique-jobs web UI is mounted in. This issue has been addressed in versions 7.1.33 and 8.0.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-14

GHSA-3hv4-r2fm-h27f, CVE-2023-6152

Incorrect Authorization in go/github.com/grafana/grafana

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" only validates the email on sign up.

Added on 2024-02-14

GHSA-5p2x-8427-9fgp, CVE-2024-1439

Improper Access Control in packagist/moodle/moodle

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

Added on 2024-02-13

GHSA-gccq-h3xj-jgvf, CVE-2024-25108

Incorrect Authorization in packagist/pixelfed/pixelfed

Pixelfed is an open source photo sharing platform. When processing requests, authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to set up the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack in a time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-13

GHSA-h5jm-jjgx-q2wf, CVE-2006-7223

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.xwiki.platform/xwiki-platform-oldcore

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

Added on 2024-02-13

GHSA-jcwh-rj6j-vm75, CVE-2006-1711

Plone allows remote users to modify arbitrary portraits in pypi/Plone

Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the (1) changeMemberPortrait, (2) deletePersonalPortrait, and (3) testCurrentPassword methods, which allows remote attackers to modify portraits.

Added on 2024-02-13

GHSA-c5vw-342h-x5rx, CVE-2006-3936

Alkacon OpenCms Exposes JSP Source Code in maven/org.opencms/opencms-core

system/workplace/editors/editor.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to read the source code of arbitrary JSP files by specifying the file in the resource parameter, as demonstrated using index.jsp.

Added on 2024-02-13

GHSA-qmgj-5h75-jr67, CVE-2006-2758

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.mortbay.jetty/jetty

Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a %2e%2e%5c (encoded ../) in the URL. NOTE: this might be the same issue as CVE-2005-3747.

Added on 2024-02-13

GHSA-h9w8-4376-j344, CVE-2006-4936

Improper Input Validation in packagist/moodle/moodle

Moodle before 1.6.2 does not properly validate the module instance id when creating a course module object, which has unspecified impact and remote attack vectors.

Added on 2024-02-13

GHSA-m3f4-957x-m785, CVE-2021-4437

Inefficient Regular Expression Complexity in npm/@lambda-middleware/json-deserializer

A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type Handler. The manipulation leads to inefficient regular expression complexity. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as f689404d830cbc1edd6a1018d3334ff5f44dc6a6. It is recommended to upgrade the affected component. VDB-253406 is the identifier assigned to this vulnerability.

Added on 2024-02-13

GHSA-5mq8-h82p-wjf2, CVE-2002-1533

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.mortbay.jetty/jetty

Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (%0a).

Added on 2024-02-13

GHSA-v7cq-pq7v-mh5v, CVE-2006-7217

Apache Derby SQL Injection in maven/org.apache.derby/derby

Apache Derby before 10.2.1.6 does not determine schema privilege requirements during the DropSchemaNode bind phase, which allows remote authenticated users to execute arbitrary drop schema statements in SQL authorization mode.

Added on 2024-02-13

GHSA-vwrc-g9q6-f675, CVE-2002-0687

Zope Server vulnerable to DoS via header injection in pypi/zope

The "through the web code" capability for Zope 2.0 through 2.5.1 b1 allows untrusted users to shut down the Zope server via certain headers.

Added on 2024-02-13

GHSA-7944-h5rw-qmjx, CVE-2002-0688

ZCatalog plug-in for Zope allows anonymous users to bypass access restrictions in pypi/zope

ZCatalog plug-in index support capability for Zope 2.4.0 through 2.5.1 allows anonymous users and untrusted code to bypass access restrictions and call arbitrary methods of catalog indexes.

Added on 2024-02-13

GHSA-c3rp-4cjh-cp38, CVE-2002-0170

Zope does not properly verify the access for objects with proxy roles in pypi/zope

Zope 2.2.0 through 2.5.1 does not properly verify the access for objects with proxy roles, which could allow some users to access documents in violation of the intended configuration.

Added on 2024-02-13

GHSA-99vc-xw8j-phjm, CVE-2024-23724

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in npm/ghost

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."

Added on 2024-02-13

GHSA-jpqr-vh55-xqxf, CVE-2006-7197

Apache Tomcat Buffer Over-Read in maven/org.apache.tomcat/tomcat

The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for chunks, which can cause a buffer over-read in the ajp_process_callback in mod_jk, which allows remote attackers to read portions of sensitive memory.

Added on 2024-02-13

GHSA-jxcv-v856-j5vg, CVE-2002-1148

Apache Tomcat Source Code Disclosure in maven/org.apache.tomcat/tomcat

The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.

Added on 2024-02-13

GHSA-6p92-qfqf-qwx4, CVE-2024-23833

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.openrefine/database

OpenRefine is a free, open source power tool for working with messy data and improving it. A JDBC attack vulnerability exists in OpenRefine (version <= 3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-13

GHSA-8v5p-2cpv-c2x6, CVE-2002-1394

Apache Tomcat Source Code Disclosure in maven/org.apache.tomcat/tomcat

Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148.

Added on 2024-02-13

GHSA-8g4f-fh7f-4fwh, CVE-2002-2006

Apache Tomcat Default Installation Reveals Sensitive Information in maven/org.apache.tomcat/tomcat

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.

Added on 2024-02-13

GHSA-jg2x-r643-w2ch, CVE-2006-6969

Jetty Uses Predictable Session Identifiers in maven/org.eclipse.jetty/jetty-server

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

Added on 2024-02-13

CVE-2023-34042

Incorrect Permission Assignment for Critical Resource in maven/org.springframework.security/spring-security-core

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.

Added on 2024-02-13

GHSA-pqr5-9v2j-44xg, CVE-2002-2272

Improper Restriction of Operations within the Bounds of a Memory Buffer in maven/org.apache.tomcat/tomcat

Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.

Added on 2024-02-13

GHSA-86fp-jgwm-wgj5, CVE-2002-1567

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.tomcat/tomcat

Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1 allows remote attackers to execute arbitrary web script and steal cookies via a URL with encoded newlines followed by a request to a .jsp file whose name contains the script.

Added on 2024-02-13

GHSA-p57v-p3fx-qgwm, CVE-2006-7195

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.tomcat/tomcat

Cross-site scripting (XSS) vulnerability in implicit-objects.jsp in Apache Tomcat 5.0.0 through 5.0.30 and 5.5.0 through 5.5.17 allows remote attackers to inject arbitrary web script or HTML via certain header values.

Added on 2024-02-13

GHSA-xmf4-j3j7-xj7q, CVE-2002-0935

Apache Tomcat DoS Via Requests Including Null Characters in maven/org.apache.tomcat/tomcat

Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.

Added on 2024-02-13

GHSA-p543-jg43-9pm5, CVE-2002-0493

Apache Tomcat may be started without proper security settings in maven/org.apache.tomcat/tomcat

Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.

Added on 2024-02-13

GHSA-wv7g-xhvw-8hcp, CVE-2008-6505

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.struts/struts2-core

Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.

Added on 2024-02-12

GHSA-m8h8-6rvg-f4mg, CVE-2008-2370

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.tomcat/tomcat

Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

Added on 2024-02-12

GHSA-mgp6-j658-vcw9, CVE-2024-1245

Improper Input Validation in packagist/concrete5/concrete5

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.

Added on 2024-02-12

GHSA-5x5f-9r6q-q7mh, CVE-2008-0002

Apache Tomcat Sensitive Information Disclosure in maven/org.apache.tomcat/tomcat

Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception.

Added on 2024-02-12

GHSA-wcgx-2hvx-5cwr, CVE-2008-2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/struts/struts

Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."

Added on 2024-02-12

GHSA-wfrc-r6c6-7j9r, CVE-2008-4310

WEBrick Denial of Service Vulnerability in gem/webrick

httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.

Added on 2024-02-12

GHSA-7g59-hm8v-cwmc, CVE-2008-4308

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.tomcat/tomcat

The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request.

Added on 2024-02-12

GHSA-p25m-jpj4-qcrr, CVE-2023-4785

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms) in gem/grpc

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are NOT affected.

Added on 2024-02-12

GHSA-c866-8gpw-p3mv, CVE-2024-1329

Externally Controlled Reference to a Resource in Another Sphere in go/github.com/hashicorp/nomad

The template renderer in HashiCorp Nomad and Nomad Enterprise 1.5.13 up to 1.6.6, and 1.7.3, is vulnerable to arbitrary file write on the host as the Nomad client user through symlink attacks. Fixed in Nomad 1.7.4, 1.6.7, and 1.5.14.

Added on 2024-02-12

GHSA-22r3-9w55-cj54, CVE-2024-24828

Incorrect Default Permissions in npm/pkg

pkg is a tool designed to bundle Node.js projects into executables. Any native code packages built by `pkg` are written to a hardcoded directory. On Unix systems, this is `/tmp/pkg/*`, which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory; they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable built by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21's support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.

Added on 2024-02-12

CVE-2023-50386, GHSA-37vr-vmg4-jwpw

Improper Control of Dynamically-Managed Code Resources in maven/org.apache.solr/solr-core

Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.

Added on 2024-02-12

GHSA-6cj8-c359-p7q9, CVE-2008-3218

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/drupal/drupal

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values.

Added on 2024-02-12

GHSA-59j8-776v-xxxg, CVE-2024-21624

Exposure of Sensitive Information to an Unauthorized Actor in pypi/nonebot2

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.

Added on 2024-02-12

GHSA-583g-g682-crxf, CVE-2024-23639

Improper Control of a Resource Through its Lifetime in maven/io.micronaut/micronaut-http-server

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.

Added on 2024-02-12

GHSA-583g-g682-crxf, CVE-2024-23639

Improper Control of a Resource Through its Lifetime in maven/io.micronaut/micronaut-http-server-netty

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.

Added on 2024-02-12

GHSA-583g-g682-crxf, CVE-2024-23639

Improper Control of a Resource Through its Lifetime in maven/io.micronaut/micronaut-http-server-tck

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.

Added on 2024-02-12

GHSA-wqmm-q65g-2hqr, CVE-2008-0299

Paramiko Unsafe randomness usage may allow access to sensitive information in pypi/paramiko

common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.

Added on 2024-02-12

GHSA-rqxp-6926-hphr, CVE-2008-1937

MoinMoin vulnerable to privilege escalation in pypi/moin

The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges.

Added on 2024-02-12

GHSA-q25h-jch8-gfrp, CVE-2024-1247

Improper Input Validation in packagist/concrete5/concrete5

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). Concrete versions below 9 do not include group types, so they are not affected by this vulnerability.

Added on 2024-02-12

GHSA-wc8w-gh5m-62fv, CVE-2008-6603

MoinMoin Access Restrictions Bypassed due to improper ACL enforcement in pypi/moin

MoinMoin 1.6.2 and 1.7 does not properly enforce ACL checks when acl_hierarchic is set to True, which might allow remote attackers to bypass intended access restrictions, a different vulnerability than CVE-2008-1937.

Added on 2024-02-12

GHSA-9v3w-cj7m-qh5g, CVE-2024-1246

Improper Input Validation in packagist/concrete5/concrete5

Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9.

Added on 2024-02-12

GHSA-733v-22mg-7f8w, CVE-2008-5644

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-backend

Cross-site scripting (XSS) vulnerability in the file backend module in TYPO3 4.2.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Added on 2024-02-12

CVE-2023-50291, GHSA-3hwc-rqwp-v36q

Insufficiently Protected Credentials in maven/org.apache.solr/solr-core

Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only set up to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey", that do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system properties for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'

Added on 2024-02-12

CVE-2023-5841

Out-of-bounds Write in conan/openexr

Due to a failure in validating the number of scanline samples of an OpenEXR file containing deep scanline data, the Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

Added on 2024-02-12

CVE-2023-50292, GHSA-4wxw-42wx-2wfx

Incorrect Permission Assignment for Critical Resource in maven/org.apache.solr/solr-core

Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer. Users are recommended to upgrade to version 9.3.0, which fixes the issue.

Added on 2024-02-12

CVE-2023-42282, GHSA-78xj-cgh5-2h22

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/ip

An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.

Added on 2024-02-12

GHSA-f35p-hcwf-9f9f, CVE-2008-2717

TYPO3 Unrestricted File Upload vulnerability in packagist/typo3/cms-core

TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions.

Added on 2024-02-12

GHSA-xrj7-x7gp-wwqr, CVE-2023-50298

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.solr/solr-solrj-streaming

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When the original SolrCloud is set up to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could set up a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From these versions on, only zkHost values that have the same server address (regardless of chroot) will use the given ZooKeeper credentials and ACLs when connecting.

Added on 2024-02-12

GHSA-p8w2-f44p-fmcj, CVE-2008-6954

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pypi/Cobbler

The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.

Added on 2024-02-12

GHSA-v759-3wr5-p294, CVE-2008-1502

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.

Added on 2024-02-12

GHSA-gvqv-h7hh-6fcc, CVE-2024-24595

Insufficiently Protected Credentials in pypi/clearml

Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords.

Added on 2024-02-12

GHSA-32h7-7j94-8fc2, CVE-2024-1402

Uncontrolled Resource Consumption in go/github.com/mattermost/mattermost/server/v8

Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the number of custom emojis allowed to be added in a post, allowing an attacker who sends a huge number of non-existent custom emojis in a post to crash the mobile app of a user seeing the post.

Added on 2024-02-12

GHSA-mgfr-44wv-hqv6, CVE-2019-7938

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/magento/product-community-edition

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious JavaScript.

Added on 2024-02-12

GHSA-m3p9-c7p3-xxmp, CVE-2008-5720

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/com.github.seasarorg.mayaa/mayaa

Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the default error page for the org.seasar.mayaa.impl.engine.PageNotFoundException exception and possibly other exceptions.

Added on 2024-02-12

GHSA-wmrg-w9vg-7jqx, CVE-2019-7865

Cross-Site Request Forgery (CSRF) in packagist/magento/product-community-edition

A cross-site request forgery (CSRF) vulnerability exists in the checkout cart item of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited at the time of editing or configuration.

Added on 2024-02-12

GHSA-qr8f-cjw7-838m, CVE-2024-24774

Incorrect Authorization in go/github.com/mattermost/mattermost-plugin-jira

Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.

Added on 2024-02-12

GHSA-4fp6-574p-fc35, CVE-2024-23319

Cross-Site Request Forgery (CSRF) in go/github.com/mattermost/mattermost-plugin-jira

Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.

Added on 2024-02-12

GHSA-6qh6-v99h-vh4c, CVE-2019-7876

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in packagist/magento/product-community-edition

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with privileges to manipulate layouts can insert a malicious payload into the layout.

Added on 2024-02-12

GHSA-mgfr-44wv-hqv6, CVE-2019-7938

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/magento/magento1ce

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious javascript.

Added on 2024-02-12

GHSA-mgfr-44wv-hqv6, CVE-2019-7938

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/magento/magento1ee

A stored cross-site scripting vulnerability exists in the admin panel of Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify catalog price rules to inject malicious javascript.

Added on 2024-02-12

GHSA-gm5q-2cx5-wr2j, CVE-2008-3227

Improper Link Resolution Before File Access ('Link Following') in packagist/joomla/framework

Unspecified vulnerability in Joomla! before 1.5.4 has unknown impact and attack vectors related to a "User Redirect Spam fix," possibly an open redirect vulnerability.

Added on 2024-02-12

GHSA-9645-6g72-2pv8, CVE-2008-7252

phpMyAdmin unsafely handles temporary files in packagist/phpmyadmin/phpmyadmin

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors.

Added on 2024-02-12

GHSA-46f9-f8jm-mw2x, CVE-2008-4571

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/Plone

Cross-site scripting (XSS) vulnerability in the LiveSearch module in Plone before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the Description field for search results, as demonstrated using the onerror JavaScript event in an IMG tag.

Added on 2024-02-12

GHSA-q4mm-89q2-xffg, CVE-2011-4107

Improper Restriction of XML External Entity Reference in packagist/phpmyadmin/phpmyadmin

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Added on 2024-02-12

GHSA-p25m-jpj4-qcrr, CVE-2023-4785

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms) in pypi/grpcio

Lack of error handling in the TCP server in Google's gRPC, starting with version 1.23 on POSIX-compatible platforms (e.g., Linux), allows an attacker to cause a denial of service by opening a large number of connections to the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Java and Go are not.

Added on 2024-02-12

GHSA-jgcr-9c2q-rvp8, CVE-2008-6682

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.struts/struts2-core

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute of an s:a tag and (2) parameters in the action attribute of an s:url tag.

Added on 2024-02-12

GHSA-76rh-xv36-9mrc, CVE-2006-0868

PEAR::Auth potential authentication bypass vulnerability in packagist/pear/auth

Multiple unspecified injection vulnerabilities in unspecified Auth Container back ends for PEAR::Auth before 1.2.4, and 1.3.x before 1.3.0r4, allow remote attackers to "falsify authentication credentials," related to the "underlying storage containers."

Added on 2024-02-12

GHSA-ph2j-5hxq-gxrr, CVE-2008-4793

Drupal Node Validation Bypass in the node module API in packagist/drupal/drupal

The node module API in Drupal 5.x before 5.11 allows remote attackers to bypass node validation and have unspecified other impact via unknown vectors related to contributed modules.

Added on 2024-02-12

GHSA-9jp4-68vc-r8wq, CVE-2008-6547

Improper Input Validation in pypi/FormEncode

schema.py in FormEncode for Python (python-formencode) 1.0 does not apply the chained_validators feature, which allows attackers to bypass intended access restrictions via unknown vectors.

Added on 2024-02-12

GHSA-f9fr-w54q-772h, CVE-2006-0743

Use of Externally-Controlled Format String in nuget/log4net

Format string vulnerability in LocalSyslogAppender in Apache log4net 1.2.9 might allow remote attackers to cause a denial of service (memory corruption and termination) via unknown vectors.

Added on 2024-02-12

GHSA-pjmx-4gc6-hwv8, CVE-2010-3094

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/drupal/drupal

Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.

Added on 2024-02-09

GHSA-xm6j-x342-gwq9, CVE-2019-16409

SilverStripe Versioned Files module Unpublished files are exposed publicly in packagist/silverstripe/framework

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the upgrade process automates the destruction of these insecure artefacts, nor alerts the user to the criticality of destruction.)

Added on 2024-02-09

GHSA-3rfr-mpfj-2jwq, CVE-2024-24822

Missing Authorization in packagist/pimcore/admin-ui-classic-bundle

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete, and otherwise modify tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.

Added on 2024-02-09

GHSA-2q2r-xgj5-h3hm, CVE-2009-3821

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/apache-solr-for-typo3/solr

Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Added on 2024-02-09

GHSA-6m9f-8vwq-97pm, CVE-2009-5054

Smarty Does Not Consider Umask Values When Setting Permissions in packagist/smarty/smarty

Smarty before 3.0.0 beta 4 does not consider the umask value when setting the permissions of files, which might allow attackers to bypass intended access restrictions via standard filesystem operations.

Added on 2024-02-09

GHSA-7c6p-848j-wh5h, CVE-2024-24821

Inclusion of Functionality from Untrusted Control Sphere in packagist/composer/composer

Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo; pipelines which may execute Composer on untrusted projects; shared environments with developers who run Composer individually on the same project.

This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files with the following:

```sh
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
```

Added on 2024-02-09

GHSA-3xf8-g8gr-g7rh, CVE-2024-24823

Session Fixation in maven/org.graylog2/graylog2-server

Graylog is a free and open log management platform. Starting in version 4.3.0 and prior to versions 5.1.11 and 5.2.4, reauthenticating with an existing session cookie would re-use that session id, even for different user credentials. In this case, the pre-existing session could be used to gain elevated access to an existing Graylog login session, provided the malicious user could successfully inject their session cookie into someone else's browser. The complexity of such an attack is high, because it requires presenting a spoofed login screen and injecting a session cookie into an existing browser, potentially through a cross-site scripting attack. No such attack has been discovered.

Graylog 5.1.11 and 5.2.4, and all versions of the 6.0 development branch, contain patches to not re-use sessions under any circumstances. Some workarounds are available: using short session expiration and explicitly logging out unused sessions helps limit the attack vector. Unpatched, the vulnerability exists but is relatively hard to exploit. A proxy could be leveraged to clear the `authentication` cookie for the Graylog server URL on the `/api/system/sessions` endpoint, as that is the only one vulnerable.

Added on 2024-02-09
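
The Graylog entry above describes a session-fixation pattern: an authentication step that keeps whatever session id the browser already presents. The following Python example is added here to illustrate that pattern; it is not Graylog code and makes no claim about Graylog's session implementation. It uses a constructed in-memory store with a vulnerable login that reuses a presented id beside a fixed login that discards the old session and issues a new one, then runs the attack the advisory describes against both (the attacker-controlled cookie stands in for an injected `authentication` cookie).

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def user_for(self, sid):
        return self._sessions.get(sid)

    def login_reusing_session(self, presented_sid, username):
        """Vulnerable pattern: if the browser already presents a known session
        cookie, keep that id and simply bind the newly authenticated identity to it."""
        if presented_sid in self._sessions:
            sid = presented_sid
        else:
            sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def login_rotating_session(self, presented_sid, username):
        """Fixed pattern: any pre-existing session is destroyed and a fresh,
        unpredictable id is issued on every successful authentication."""
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid


def fixation_attack(login):
    """Simulate the attack: the attacker logs in, plants their own session cookie
    in the victim's browser (e.g. via XSS), and the victim then authenticates.
    Returns (identity the attacker's cookie now resolves to,
             whether the victim was issued a different id)."""
    store = SessionStore()
    attacker_sid = login(store, None, "attacker")
    victim_sid = login(store, attacker_sid, "victim")
    return store.user_for(attacker_sid), victim_sid != attacker_sid


if __name__ == "__main__":
    print("reusing :", fixation_attack(SessionStore.login_reusing_session))
    print("rotating:", fixation_attack(SessionStore.login_rotating_session))
```

The test to run against any real session layer is the same: authenticate while an attacker-known cookie is already set, then confirm the server both issues a different id and invalidates the one that was presented.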

GHSA-5pjj-7m4p-wfh2, CVE-2010-4338

Improper Link Resolution Before File Access ('Link Following') in pypi/ocrodjvu

ocrodjvu 0.4.6-1 on Debian GNU/Linux allows local users to modify arbitrary files via a symlink attack on temporary files that are generated when Cuneiform is invoked as the OCR engine.

Added on 2024-02-09

GHSA-45ch-hxgr-vx8j, CVE-2010-1618

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/apereo/phpcas

Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.

Added on 2024-02-09

GHSA-7gfc-2v6g-6w9f, CVE-2010-2477

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/paste

Multiple cross-site scripting (XSS) vulnerabilities in the paste.httpexceptions implementation in Paste before 1.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving a 404 status code, related to (1) paste.urlparser.StaticURLParser, (2) paste.urlparser.PkgResourcesParser, (3) paste.urlmap.URLMap, and (4) HTTPNotFound.

Added on 2024-02-09

GHSA-xv6x-43gq-4hfj, CVE-2009-2940

PyGreSQL Might Be Vulnerable to Encoding-Based SQL Injection in pypi/PyGreSQL

The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.

Added on 2024-02-09

GHSA-p6gg-5hf4-4rgj, CVE-2024-24824

Incorrect Authorization in maven/org.graylog2/graylog2-server

Graylog is a free and open log management platform. Starting in version 2.0.0 and prior to versions 5.1.11 and 5.2.4, arbitrary classes can be loaded and instantiated using an HTTP PUT request to the `/api/system/cluster_config/` endpoint. Graylog's cluster config system uses fully qualified class names as config keys. To validate that a requested class exists before using it, Graylog loads the class using the class loader. If a user with the appropriate permissions performs the request, arbitrary classes with a one-argument String constructor can be instantiated, which executes whatever code runs during class instantiation. In the specific case of `java.io.File`, the behaviour of the internal web-server stack leads to information exposure by including the entire file content in the response to the REST request. Versions 5.1.11 and 5.2.4 contain a fix for this issue.

Added on 2024-02-09

GHSA-c57v-4vg5-cm2x, CVE-2023-51437

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.apache.pulsar/pulsar-broker-auth-sasl

Observable timing discrepancy vulnerability in the Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1, which fix the issue. Users should also consider updating the configured secret in the `saslJaasServerRoleTokenSignerSecretPath` file. Any component running an affected version with the SASL Authentication Provider enabled is affected; that includes the Pulsar Broker, Proxy, WebSocket Proxy, and Function Worker. Pulsar 2.11 users should upgrade to at least 2.11.3. Pulsar 3.0 users should upgrade to at least 3.0.2. Pulsar 3.1 users should upgrade to at least 3.1.1. Any users running Pulsar 2.8, 2.9, 2.10, or earlier should upgrade to one of the above patched versions. For additional details on this attack vector, please refer to https://codahale.com/a-lesson-in-timing-attacks/.

Added on 2024-02-09
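
The Pulsar entry above turns on a timing side channel in signature verification. The example below is added here and is not taken from Pulsar; it shows the mechanism with a constructed HMAC-SHA256 role token: an early-exit byte comparison (what a naive equality test on the MAC does) beside `hmac.compare_digest`, and an attacker loop that recovers the full MAC one byte at a time from the leak. The token format, `DEMO_SECRET`, and the oracle that reports how many bytes were compared (standing in for measured latency) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; stands in for the signer secret a deployment keeps in a file.
DEMO_SECRET = b"constructed-demo-signer-secret"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def sign_role_token(role: str, secret: bytes) -> str:
    """Issue '<payload>.<signature>', signature = HMAC-SHA256(secret, payload)."""
    payload = _b64(json.dumps({"role": role}).encode())
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (payload + b"." + _b64(sig)).decode()


def _split(token: str):
    payload, sig = token.encode().split(b".", 1)
    return payload, _unb64(sig)


def leaky_equal(expected: bytes, presented: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined); the second value is
    what an attacker infers from response timing and is the whole problem."""
    if len(expected) != len(presented):
        return False, 0
    examined = 0
    for a, b in zip(expected, presented):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify_leaky(token: str, secret: bytes) -> bool:
    payload, sig = _split(token)
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    return leaky_equal(expected, sig)[0]


def verify_constant_time(token: str, secret: bytes) -> bool:
    payload, sig = _split(token)
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)  # running time independent of first mismatch


def tamper_role(token: str, new_role: str) -> str:
    """Swap the payload but keep the old signature; both verifiers must reject this."""
    _, sig = _split(token)
    return (_b64(json.dumps({"role": new_role}).encode()) + b"." + _b64(sig)).decode()


def recover_signature(expected: bytes) -> bytes:
    """Attacker loop against the leaky comparison. `expected` only feeds the simulated
    oracle; in a real attack each call is a request whose latency is measured. Each
    position costs at most 256 guesses instead of 2**256 for the whole MAC."""
    length = len(expected)
    guess = bytearray(length)
    for pos in range(length):
        for byte in range(256):
            guess[pos] = byte
            equal, examined = leaky_equal(expected, bytes(guess))
            if equal or examined > pos + 1:
                break  # the comparison ran past this byte, so the guess was right
    return bytes(guess)


def forge_with_leaky_oracle(role: str, secret: bytes) -> str:
    """Forge a token for `role` without knowing the secret, using only the oracle."""
    payload = _b64(json.dumps({"role": role}).encode())
    real_sig = hmac.new(secret, payload, hashlib.sha256).digest()  # server-side only
    return (payload + b"." + _b64(recover_signature(real_sig))).decode()
```

In a real attack the oracle is response time measured over many requests, so the loop needs statistics rather than one call per guess; the cost is still at most 256 guesses per byte rather than a brute force of the whole MAC. That is why the fix is a comparison whose running time does not depend on where the first mismatch falls, and why the advisory also recommends rotating the signer secret, since tokens recovered before the upgrade remain valid under the old one.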

GHSA-qj7x-wm9q-qjx8, CVE-2010-2422

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/Plone

Cross-site scripting (XSS) vulnerability in PortalTransforms in Plone 2.1 through 3.3.4 before hotfix 20100612 allows remote attackers to inject arbitrary web script or HTML via the safe_html transform.

Added on 2024-02-09

GHSA-hvp4-vrv2-8wrq, CVE-2024-1314

Kinto Attachment's attachments can be replaced on read-only records in pypi/kinto-attachment

Impact: The attachment file of an existing record can be replaced if the user has `"read"` permission on one of the parents (collection or bucket). If the `"read"` permission is granted to `"system.Everyone"` on one of the parents, then the attachment can be replaced on a record using an anonymous request. Note that if the parent has no explicit read permission, then the records' attachments are safe.

Patches: A patch was released in kinto-attachment 6.4.0 (https://github.com/Kinto/kinto-attachment/commit/f4a31484f5925cbc02b59ebd37554538ab826ca1).

Workarounds: None if the read permission has to remain granted. Updating to 6.4.0 or applying the patch individually (if updating is not feasible) is strongly recommended.

References: https://bugzilla.mozilla.org/show_bug.cgi?id=1879034

Added on 2024-02-09

GHSA-3jx9-mgwx-4q83, CVE-2010-3863

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.shiro/shiro-root

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.

Added on 2024-02-09
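
The Shiro entry above is a canonicalization bug: the request path is compared to the access rules before `.` and `..` segments are resolved, so `/./account/index.jsp` matches no rule while the container still serves the protected page. The Python example below is added here to show the difference; it is not Shiro code, and its `RULES` table, role names and the steps in `canonicalize()` are assumptions of the example, not the `shiro.ini` format.

```python
import posixpath
from urllib.parse import unquote

# Constructed rule table (not shiro.ini syntax): path prefix -> role the caller must
# hold. A request that matches no prefix is served anonymously.
RULES = {
    "/admin/": "admin",
    "/account/": "user",
}


def _matches(path: str, prefix: str) -> bool:
    # '/admin' and '/admin/...' both belong to the '/admin/' rule
    return path == prefix.rstrip("/") or path.startswith(prefix)


def required_role_raw(uri: str):
    """Vulnerable: compares the URI exactly as received. '/./account/index.jsp'
    matches no rule here, yet the container serves /account/index.jsp for it."""
    for prefix, role in RULES.items():
        if _matches(uri, prefix):
            return role
    return None


def canonicalize(uri: str) -> str:
    """Reduce the URI to the path the container will dispatch on: drop query and
    fragment, undo percent-encoding until stable (bounded), then collapse '.',
    '..' and repeated slashes."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(5):  # '%252e' -> '%2e' -> '.' needs two rounds
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)  # '/a/./b/../c' -> '/a/c'; '/../x' -> '/x'
    while path.startswith("//"):     # normpath preserves a leading '//' (POSIX allows it)
        path = path[1:]
    return path


def required_role_canonical(uri: str):
    """Fixed: canonicalize first, then match. Only this form should ever be
    compared against the rule table."""
    path = canonicalize(uri)
    for prefix, role in RULES.items():
        if _matches(path, prefix):
            return role
    return None
```

The decode-and-normalize steps must mirror what the container behind the filter actually does with the path; decoding more rounds than the container does reopens the mismatch in the other direction. Rule matching should run on exactly the canonical form that dispatch uses.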

GHSA-9vgq-w5pv-v77q, CVE-2024-25145

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/com.liferay.portal/release.portal.bom

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.

Added on 2024-02-09

GHSA-966m-m549-2878, CVE-2010-1616

Moodle is vulnerable to unauthorized new accounts creation in packagist/moodle/moodle

Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.

Added on 2024-02-09

GHSA-mqf8-4cqm-p83x, CVE-2024-25146

Observable Response Discrepancy in maven/com.liferay.portal/release.portal.bom

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

Added on 2024-02-09

GHSA-59qj-jcjv-662j, CVE-2024-24825

Exposure of Sensitive Information to an Unauthorized Actor in pypi/DIRAC

DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Added on 2024-02-09

GHSA-3gm8-32vv-q8mp, CVE-2010-2230

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.

Added on 2024-02-09
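
This Moodle entry and the eGroupWare/Moodle KSES entry earlier in this list both concern URL scheme filtering that is evaded by encoding or by a scheme the filter did not list. The Python example below is added here and is not KSES or Moodle code; it contrasts a single-pass filter (decode once, test once) with one that decodes HTML entities to a fixed point, ignores the control and whitespace characters browsers ignore inside a scheme, and allowlists schemes instead of denylisting `javascript:`. `ALLOWED_SCHEMES` and the helper names are assumptions of the example.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto", "ftp"}  # assumed allowlist; tune per site

# RFC 3986 scheme: a letter followed by letters, digits, '+', '-' or '.'
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Browsers skip ASCII control characters and whitespace when parsing a scheme,
# so 'java\tscript:' is still javascript to the browser.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")


def scheme_of(url: str):
    """Scheme as a browser would parse it (lowercased), or None for relative URLs."""
    probe = _IGNORED.sub("", url)
    m = _SCHEME_RE.match(probe)
    return m.group(1).lower() if m else None


def decode_until_stable(url: str, max_rounds: int = 5) -> str:
    """Undo HTML entity encoding repeatedly; 'java&amp;#115;cript:' needs two rounds."""
    for _ in range(max_rounds):
        decoded = html.unescape(url)
        if decoded == url:
            return url
        url = decoded
    return url


def sanitize_url_single_pass(url: str) -> str:
    """Flawed: decodes entities once and tests the scheme once.
    Returns the URL to emit, or '' when rejected."""
    decoded = html.unescape(url)
    scheme = scheme_of(decoded)
    return decoded if scheme is None or scheme in ALLOWED_SCHEMES else ""


def sanitize_url(url: str) -> str:
    """Hardened: decode to a fixed point, ignore the characters browsers ignore when
    testing the scheme, and allowlist. The caller must HTML-escape the result on output."""
    decoded = decode_until_stable(url)
    scheme = scheme_of(decoded)
    return decoded if scheme is None or scheme in ALLOWED_SCHEMES else ""


def browser_view(attr_value: str) -> str:
    """What the browser sees after taking the value out of href="..." (one entity decode)."""
    return html.unescape(attr_value)
```

The single-pass filter lets `java&amp;#115;cript:alert(1)` through because the scheme only becomes visible after a second decode, and that decode is performed by the browser once the value sits in `href`. The hardened sanitizer returns a fully decoded URL, so whatever emits it into HTML must escape it again.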

GHSA-45ch-hxgr-vx8j, CVE-2010-1618

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/moodle/moodle

Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.

Added on 2024-02-09

GHSA-87m3-6qj3-p3xh, CVE-2024-25143

Uncontrolled Resource Consumption in maven/com.liferay.portal/release.portal.bom

The Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which allows remote authenticated users to cause a denial of service (memory consumption) via crafted PNG images.

Added on 2024-02-09

GHSA-w275-m8cr-hf2v, CVE-2024-25144

Excessive Iteration in maven/com.liferay.portal/release.portal.bom

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

Added on 2024-02-09

GHSA-j6c3-3c4w-qv8p, CVE-2013-7341

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms

Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.

Added on 2024-02-09

GHSA-w736-qv86-vq94, CVE-2010-3714

TYPO3 Remote File Disclosure vulnerability in the jumpUrl mechanism in packagist/typo3/cms

The jumpUrl (aka access tracking) implementation in tslib/class.tslib_fe.php in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 does not properly compare certain hash values during access-control decisions, which allows remote attackers to read arbitrary files via unspecified vectors.

Added on 2024-02-09

GHSA-cgr9-h9qq-x9fx, CVE-2010-1022

Improper Authentication in packagist/typo3/cms-saltedpasswords

The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors.

Added on 2024-02-09

GHSA-3276-p9f2-8q89, CVE-2010-3670

Inadequate Encryption Strength in packagist/typo3/cms-frontend

TYPO3 before 4.3.4 and 4.4.x before 4.4.1 contains insecure randomness during generation of a hash with the "forgot password" function.

Added on 2024-02-09

GHSA-3mqf-fwc6-vwqw, CVE-2010-5098

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-frontend

Cross-site scripting (XSS) vulnerability in the FORM content object in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Added on 2024-02-09

GHSA-9hw3-4gvp-8mv5, CVE-2010-5097

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-frontend

Cross-site scripting (XSS) vulnerability in the click enlarge functionality in TYPO3 4.3.x before 4.3.9 and 4.4.x before 4.4.5 when the caching framework is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Added on 2024-02-09

GHSA-qwj8-qgpr-8crm, CVE-2024-25148

Exposure of Sensitive Information to an Unauthorized Actor in maven/com.liferay.portal/release.portal.bom

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

Added on 2024-02-09

GHSA-9vgq-w5pv-v77q, CVE-2024-25145

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/com.liferay.portal/release.dxp.bom

Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML into the Search Result app's search result if highlighting is disabled by adding any searchable content (e.g., blog, message board message, web content article) to the application.

Added on 2024-02-09

GHSA-mqf8-4cqm-p83x, CVE-2024-25146

Observable Response Discrepancy in maven/com.liferay.portal/release.dxp.bom

Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions returns with different responses depending on whether a site does not exist or if the user does not have permission to access the site, which allows remote attackers to discover the existence of sites by enumerating URLs. This vulnerability occurs if locale.prepend.friendly.url.style=2 and if a custom 404 page is used.

Added on 2024-02-09

GHSA-xgc2-q928-27wv, CVE-2010-5104

Exposure of Sensitive Information to an Unauthorized Actor in packagist/typo3/cms-core

The escapeStrForLike method in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly escape input when the MySQL database is set to sql_mode NO_BACKSLASH_ESCAPES, which allows remote attackers to obtain sensitive information via wildcard characters in a LIKE query.

Added on 2024-02-09
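
The TYPO3 entry above is about LIKE-pattern escaping that silently depends on the server's string-escaping mode. The Python example below is added here and is not taken from TYPO3; it uses SQLite to show both halves of the problem: a parameterized query is already safe from SQL injection, but user-supplied `%` and `_` remain live wildcards that enumerate rows, and escaping them robustly means naming the escape character in the query with `ESCAPE` rather than relying on backslash semantics. The table, rows and the `!` escape character are constructed for the example.

```python
import sqlite3

LIKE_ESCAPE = "!"  # explicit escape character, declared in the statement via ESCAPE


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, one of which contains LIKE wildcards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("50%_off", "promo@example.org")],
    )
    return conn


def search_unescaped(conn: sqlite3.Connection, needle: str) -> list:
    """Parameterised, so not SQL injection, but '%' and '_' inside `needle` stay
    wildcards: a lone '%' returns every row."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        (f"%{needle}%",),
    )
    return [r[0] for r in rows]


def escape_like(needle: str, esc: str = LIKE_ESCAPE) -> str:
    """Escape the escape character first, then the wildcards. This does not depend on
    how the server treats backslashes in string literals (e.g. MySQL's
    NO_BACKSLASH_ESCAPES), because the escape character is declared in the query."""
    return (needle.replace(esc, esc + esc)
                  .replace("%", esc + "%")
                  .replace("_", esc + "_"))


def search_escaped(conn: sqlite3.Connection, needle: str) -> list:
    # LIKE_ESCAPE is a fixed constant, never user input, so interpolating it is safe.
    rows = conn.execute(
        f"SELECT username FROM users WHERE username LIKE ? ESCAPE '{LIKE_ESCAPE}' "
        "ORDER BY username",
        (f"%{escape_like(needle)}%",),
    )
    return [r[0] for r in rows]
```

The same `ESCAPE` clause is accepted by MySQL, PostgreSQL and SQLite; because the escape character is named in the statement, the pattern means the same thing whether or not `NO_BACKSLASH_ESCAPES` is in effect.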

CVE-2023-52389

Integer Overflow or Wraparound in conan/poco

UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.

Added on 2024-02-09

GHSA-gxh5-r8gp-pjc3, CVE-2010-2970

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/moin

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/SlideShow.py, (2) action/anywikidraw.py, and (3) action/language_setup.py, a similar issue to CVE-2010-2487.

Added on 2024-02-09

GHSA-m7rg-85g8-28m9, CVE-2009-3633

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-core

Cross-site scripting (XSS) vulnerability in the t3lib_div::quoteJSvalue API function in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the sanitizing algorithm.

Added on 2024-02-09

GHSA-w275-m8cr-hf2v, CVE-2024-25144

Excessive Iteration in maven/com.liferay.portal/release.dxp.bom

The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated users to cause a denial-of-service (DoS) via a self referencing IFrame.

Added on 2024-02-09

GHSA-g857-p997-wx7w, CVE-2009-3629

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-backend

Multiple cross-site scripting (XSS) vulnerabilities in the Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Added on 2024-02-09

GHSA-4rvc-5hrh-qmwf, CVE-2010-3662

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in packagist/typo3/cms-backend

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows SQL Injection on the backend.

Added on 2024-02-09

GHSA-3cqw-pxgr-jhrm, CVE-2009-3631

Improper Control of Generation of Code ('Code Injection') in packagist/typo3/cms-backend

The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2, when the DAM extension or ftp upload is enabled, allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.

Added on 2024-02-09

GHSA-mg66-3x8x-r8g2, CVE-2009-3630

TYPO3 Backend vulnerable to Frame Hijacking in packagist/typo3/cms-backend

The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to place arbitrary web sites in TYPO3 backend framesets via crafted parameters, related to a "frame hijacking" issue.

Added on 2024-02-09

GHSA-2wgg-c8xc-7gg3, CVE-2009-3628

Exposure of Sensitive Information to an Unauthorized Actor in packagist/typo3/cms-backend

The Backend subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote authenticated users to determine an encryption key via crafted input to a tt_content form element.

Added on 2024-02-09

GHSA-mwqv-jff6-5v62, CVE-2010-3715

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-backend

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 4.2.x before 4.2.15, 4.3.x before 4.3.7, and 4.4.x before 4.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the RemoveXSS function, and allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (2) the backend.

Added on 2024-02-09

GHSA-jr79-65xr-q7cx, CVE-2010-3659

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-backend

Multiple cross-site scripting (XSS) vulnerabilities in TYPO3 CMS 4.1.x before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4, and 4.4.x before 4.4.1 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified parameters to the extension manager, or unspecified parameters to unknown backend forms.

Added on 2024-02-09

GHSA-qwj8-qgpr-8crm, CVE-2024-25148

Exposure of Sensitive Information to an Unauthorized Actor in maven/com.liferay.portal/release.dxp.bom

In Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions the `doAsUserId` URL parameter may get leaked when creating linked content using the WYSIWYG editor and while impersonating a user. This may allow remote authenticated users to impersonate a user after accessing the linked content.

Added on 2024-02-09

GHSA-gqmh-5xmq-3fhg, CVE-2010-3671

Session Fixation in packagist/typo3/cms-install

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 is open to a session fixation attack which allows remote attackers to hijack a victim's session.

Added on 2024-02-09

GHSA-9hh2-8cw6-hfv7, CVE-2010-5100

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-install

Multiple cross-site scripting (XSS) vulnerabilities in the Install Tool in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Added on 2024-02-09

GHSA-c73w-4rcj-2622, CVE-2009-3636

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/typo3/cms-install

Cross-site scripting (XSS) vulnerability in the Install Tool subcomponent in TYPO3 4.0.13 and earlier, 4.1.x before 4.1.13, 4.2.x before 4.2.10, and 4.3.x before 4.3beta2 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Added on 2024-02-09

GHSA-mmjh-45vj-hfvf, CVE-2010-2274

Dojo Open Redirect vulnerability in maven/org.dojotoolkit/dojo

Multiple open redirect vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, util/buildscripts/jslib/buildUtil.js, and util/doh/runner.html.

Added on 2024-02-09
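Open redirects like the Dojo one above are usually fixed by validating the redirect target against an allow-list of hosts. The validator below is an added example (not Dojo code) that handles the inputs attackers actually send: scheme-relative `//host`, backslashes that browsers treat as slashes, tab and newline characters that browsers strip, `user@host` tricks, and non-http schemes. The allowed hosts and the sample targets are constructed.

```python
"""Added example: validating a redirect target against an allow-list.

Not Dojo's code; the hosts and targets are constructed. The checks mirror how
browsers parse URLs (WHATWG), not how Python's urljoin does, because the two
disagree on exactly the inputs attackers use.
"""
import re
from urllib.parse import urlsplit

_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """True only for a same-site absolute path or an http(s) URL on an allow-listed host."""
    if not target:
        return False
    # Browsers drop ASCII tab/newline anywhere and leading/trailing C0 controls and
    # spaces before parsing; do the same, or '/\t/evil' looks like a local path here.
    cleaned = _TAB_NEWLINE.sub("", target).strip(_C0_AND_SPACE)
    # For http(s) URLs browsers treat '\' as '/', so '/\evil.example' means '//evil.example'.
    cleaned = cleaned.replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False  # javascript:, data:, vbscript:, app-specific schemes
        return parts.hostname in allowed_hosts  # hostname drops userinfo and port, lowercases
    if parts.netloc:
        return parts.hostname in allowed_hosts  # '//evil.example' is scheme-relative, not local
    # Path-only target. '///evil.example' still has an empty netloc here, but a browser
    # skips every leading slash and lands on evil.example, so require exactly one slash.
    # Bare relative paths ('dashboard') are rejected as well; require an absolute path.
    return cleaned.startswith("/") and not cleaned.startswith("//")


def redirect_target(requested: str, allowed_hosts: set, fallback: str = "/") -> str:
    """Use the requested target when it is safe, otherwise a fixed fallback."""
    return requested if is_safe_redirect(requested, allowed_hosts) else fallback


ALLOWED_HOSTS = {"app.example.com"}  # constructed allow-list

if __name__ == "__main__":
    for t in ("/account", "//evil.example", "/\\evil.example", "///evil.example",
              "/\t/evil.example", "javascript:alert(1)", "https://app.example.com@evil.example/"):
        print(f"{t!r:45} -> {redirect_target(t, ALLOWED_HOSTS)}")
```

Note the parser differential: `urllib.parse.urljoin("https://app.example.com/", "///evil.example")` yields a same-origin URL, while a browser resolves the same string to `http(s)://evil.example/`. That is why the check refuses anything starting with `//` rather than trusting a joined URL's host.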

GHSA-2j76-26qq-7rvv, CVE-2010-2969

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pypi/moin

Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/LikePages.py, (2) action/chart.py, and (3) action/userprofile.py, a similar issue to CVE-2010-2487.

Added on 2024-02-09

GHSA-ggx9-4728-588r, CVE-2009-2693

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.tomcat/tomcat

Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.

Added on 2024-02-09

GHSA-39vm-rvwh-q86j, CVE-2010-4616

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/impresscms/impresscms

Cross-site scripting (XSS) vulnerability in modules/content/admin/content.php in ImpressCMS 1.2.3 Final, and possibly other versions before 1.2.4, allows remote attackers to inject arbitrary web script or HTML via the quicksearch_ContentContent parameter.

Added on 2024-02-09

GHSA-c429-5p7v-vgjp, CVE-2020-36604

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in npm/hoek

hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function.

Added on 2024-02-09

GHSA-f68m-q26r-64f6, CVE-2010-5142

Chef Improper Access Control vulnerability in gem/chef

chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI.

Added on 2024-02-09

GHSA-p6m5-h7pp-v2x5, CVE-2009-3695

Django's Insufficient Algorithmic Complexity Causes Denial of Service in pypi/Django

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service (CPU consumption) via a crafted (1) EmailField (email address) or (2) URLField (URL) that triggers a large amount of backtracking in a regular expression.

Added on 2024-02-09
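The Django entry above is a regular-expression denial of service: a pattern with nested quantifiers has exponentially many ways to match a near-miss input, and the engine tries all of them before failing. The code below is an added example, not Django's validators; the two patterns are constructed to show the ambiguous shape and its unambiguous rewrite, together with the cheap length cap that should run before any regex does.

```python
"""Added example: regex backtracking denial of service and two fixes.

The patterns below are constructed for illustration; they are not Django's actual
EmailField/URLField regexes.
"""
import re
import time

# Ambiguous: the inner \w+ and the outer (...)+ can split a run of word characters
# in 2^(n-1) ways, and every split is retried when the final '@' never arrives.
NAIVE_EMAIL = re.compile(r"^(\w+\.?)+@example\.com$")

# Unambiguous: a dot must separate word runs, so each prefix has exactly one parse
# and a mismatch fails after a single linear scan.
SAFE_EMAIL = re.compile(r"^\w+(?:\.\w+)*@example\.com$")

MAX_EMAIL_LENGTH = 254  # RFC 5321 path limit; enforced before any regex runs


def validate_email(address: str, pattern=SAFE_EMAIL) -> bool:
    """Length cap first, then the unambiguous pattern."""
    if len(address) > MAX_EMAIL_LENGTH:
        return False
    return pattern.fullmatch(address) is not None


def evil_input(n: int) -> str:
    """n word characters that can never match: forces the engine to exhaust every split."""
    return "a" * n + "!"


def time_match(pattern, text: str) -> float:
    """Seconds spent in one fullmatch attempt."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


def main():
    # Each +2 in n roughly quadruples the naive time; the safe pattern stays flat.
    for n in (16, 18, 20):
        naive = time_match(NAIVE_EMAIL, evil_input(n))
        safe = time_match(SAFE_EMAIL, evil_input(n))
        print(f"n={n}: naive={naive:.3f}s safe={safe:.6f}s")


if __name__ == "__main__":
    main()
```

Both mitigations matter: the rewrite removes the ambiguity that makes backtracking explode, and the length cap bounds the work even if a future pattern change reintroduces some ambiguity.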

GHSA-9xg7-gg9m-rmq9, CVE-2009-2659

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/Django

The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.

Added on 2024-02-09

GHSA-6726-2rx3-cgwh, CVE-2023-39196

Improper Authentication in maven/org.apache.ozone/ozone-main

Improper Authentication vulnerability in Apache Ozone. The vulnerability allows an attacker to download metadata internal to the Storage Container Manager service without proper authentication. The attacker is not allowed to do any modification within the Ozone Storage Container Manager service using this vulnerability. The accessible metadata does not contain sensitive information that can be used to exploit the system later on, and the accessible data does not make it possible to gain access to actual user data within Ozone. This issue affects Apache Ozone: 1.2.0 and subsequent releases up until 1.3.0. Users are recommended to upgrade to version 1.4.0, which fixes the issue.

Added on 2024-02-09

GHSA-3vcx-w94h-68vg, CVE-2018-1000055

Server-Side Request Forgery (SSRF) in maven/org.jvnet.hudson.plugins/android-lint

Jenkins Android Lint Plugin 2.5 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or mount denial-of-service attacks.

Added on 2024-02-09

GHSA-92cv-wv2c-8899, CVE-2010-2086

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.apache.myfaces.core/myfaces-core-module

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

Added on 2024-02-09
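The MyFaces entry above is a case of trusting client-held serialized state: if the view state round-trips through the browser with no integrity protection, the client can edit the serialized object and the server will deserialize and act on it. The following Python is an added example, not MyFaces code; JSON stands in for the serialized view, and the component names, key and EL string are constructed. It shows the unprotected shape next to an HMAC-protected one that verifies the tag before deserializing anything.

```python
"""Added example: integrity-protecting serialized client-side state with an HMAC.

Not MyFaces code. JSON stands in for the serialized view; the component names,
the key and the EL string are constructed. A MAC gives integrity only; encrypt
as well if the state must also stay confidential.
"""
import base64
import hashlib
import hmac
import json


def encode_state(state: dict) -> bytes:
    return base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True, separators=(",", ":")).encode())


def load_unprotected(token: str) -> dict:
    """The vulnerable shape: whatever the client sends is deserialized and trusted."""
    return json.loads(base64.urlsafe_b64decode(token))


def protect(state: dict, key: bytes) -> str:
    """Append HMAC-SHA256 over the encoded state; urlsafe base64 never contains '.',
    so it is a safe separator."""
    payload = encode_state(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + b"." + base64.urlsafe_b64encode(tag)).decode()


def verify_and_load(token: str, key: bytes) -> dict:
    """Check the tag in constant time before a single byte is deserialized."""
    payload, sep, tag_b64 = token.encode().rpartition(b".")
    if not sep:
        raise ValueError("view state has no integrity tag")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    try:
        presented = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        raise ValueError("view state tag is not valid base64")
    if not hmac.compare_digest(expected, presented):
        raise ValueError("view state tampered or wrong key")
    return json.loads(base64.urlsafe_b64decode(payload))


def forge(token: str, tampered_state: dict) -> str:
    """Attacker keeps the original tag and swaps the payload (only works without a MAC check)."""
    original_tag = token.rsplit(".", 1)[1]
    return encode_state(tampered_state).decode() + "." + original_tag


KEY = b"\x01" * 32  # constructed; a deployment derives this from a per-install secret
ORIGINAL = {"viewId": "/index.xhtml", "components": {"form:greeting": "Hello"}}
TAMPERED = {"viewId": "/index.xhtml",
            "components": {"form:greeting": "#{request.getSession().invalidate()}"}}  # constructed EL

if __name__ == "__main__":
    token = protect(ORIGINAL, KEY)
    forged = forge(token, TAMPERED)
    print("unprotected load accepts forgery:", load_unprotected(forged.split(".")[0]) == TAMPERED)
    try:
        verify_and_load(forged, KEY)
    except ValueError as exc:
        print("protected load rejects forgery:", exc)
```

The ordering inside `verify_and_load` is the point: the tag is checked with `hmac.compare_digest` before `json.loads` runs, so a tampered payload never reaches the deserializer. Server-side state saving avoids the problem entirely by never sending the serialized view to the client.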

GHSA-7gqc-q9mc-6348, CVE-2023-30532

Missing Authorization in maven/org.jenkinsci.plugins.spoonscript/spoonscript

A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

Added on 2024-02-09

GHSA-7wh2-wxc7-9ph5, CVE-2024-24810

Untrusted Search Path in nuget/WiX

WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. The .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. This impacts any installer built with the WiX installer framework. This issue has been patched in version 4.0.4.

Added on 2024-02-09

GHSA-v2c9-9m8v-8jjm, CVE-2010-1587

Improper Input Validation in maven/org.apache.activemq/activemq-web-console

The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.

Added on 2024-02-09

GHSA-c352-x843-ggpq, CVE-2024-24113

XXL-JOB vulnerable to Server-Side Request Forgery in maven/com.xuxueli/xxl-job

xxl-job 2.4.1 and earlier has a Server-Side Request Forgery (SSRF) vulnerability that allows low-privileged users to control the executor, leading to remote code execution.

Added on 2024-02-09

GHSA-7mvg-cx9c-r6jm, CVE-2019-10312

Missing Authorization in maven/org.jenkins-ci.plugins/ansible-tower

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doFillTowerCredentialsIdItems method allowed attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins.

Added on 2024-02-09

GHSA-833m-37f7-jq55, CVE-2023-32192

Improper Neutralization in go/github.com/rancher/apiserver

Improper Neutralization in github.com/rancher/apiserver.

Added on 2024-02-09

GHSA-r8f4-hv23-6qp6, CVE-2023-32193

Improper Neutralization in go/github.com/rancher/norman

Improper Neutralization in github.com/rancher/norman.

Added on 2024-02-09

GHSA-xfj7-qf8w-2gcr, CVE-2023-22649

Rancher 'Audit Log' leaks sensitive information in go/github.com/rancher/rancher

### Impact

A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature; only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1` or above are impacted by this issue.

The leaks might be caught in the audit logs upon these actions:

- Creating cloud credentials or new authentication providers. It is crucial to note that **all** [authentication providers](https://ranchermanager.docs.rancher.com/pages-for-subheaders/authentication-config#external-vs-local-authentication) (such as AzureAD) and [cloud providers](https://ranchermanager.docs.rancher.com/pages-for-subheaders/set-up-cloud-providers) (such as Google) are impacted.
- Downloading a kubeconfig file from a downstream or a local cluster.
- Logging in/out from Rancher.

The affected data may include the following:

- HTTP headers and request/response body fields:

  Field | Location
  -- | --
  X-Api-Auth-Header | Request header
  X-Api-Set-Cookie-Header | Response header
  X-Amz-Security-Token | Request header
  credentials | Request body
  applicationSecret | Request body
  oauthCredential | Request body
  serviceAccountCredential | Request body
  spKey | Request body
  spCert | Request body
  spCert | Response body
  certificate | Request body
  privateKey | Request body

- API Server calls returning `Secret` objects (including sub-types, such as `kubernetes.io/dockerconfigjson`).
- Raw command lines used by agents to connect to the Rancher server which expose sensitive information (e.g. `register ... --token abc`).
- `Kubeconfig` contents when the 'Download KubeConfig' feature is used in the Rancher UI.

The patched versions will redact the sensitive data, replacing it with `[redacted]`, making it safer for consumption.

It is recommended that static secrets are rotated after the system is patched, to limit the potential impact of sensitive data being misused due to this vulnerability.

**Note:**

1. The severity of the vulnerability is intricately tied to the logging strategy employed. If logs are kept locally (default configuration), the impact is contained within the system, limiting the exposure. However, when logs are shipped to an external endpoint, the vulnerability's severity might increase, as resistance against leaks is contingent on the security measures implemented at the external log collector level.
2. The final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services.

### Patches

Patched versions include releases `2.6.14`, `2.7.10` and `2.8.2`.

### Workarounds

If `AUDIT_LEVEL` `1` or above is required and you cannot update to a patched Rancher version, ensure that the log is handled appropriately and is not shared with other users or shipped into a log ingestion solution without the appropriate RBAC enforcement. Otherwise, disabling the Audit feature or decreasing the audit level to `0` mitigates the issue.

### For more information

If you have any questions or comments about this advisory:

- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.
- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

Added on 2024-02-09
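The Rancher advisory above lists exactly which headers, body fields, object kinds and command-line fragments leaked, and says the fix replaces them with `[redacted]`. The redaction filter below is an added example, not Rancher's implementation: it walks a JSON-like audit record and redacts by header name, by field name (case-insensitively, at any depth), by Kubernetes `Secret` kind, and by `--token` flag in free text. The record layout (`requestHeader`, `requestBody`, ...) and the extra `Authorization`, `Cookie`, `token` and `password` entries are assumptions added for the demonstration; the sample record is constructed.

```python
"""Added example: redacting secrets from an audit record before it is written.

Not Rancher's code. The header and field names come from the advisory above;
the record layout (requestHeader/requestBody/...) and the Authorization, Cookie,
token and password entries are assumptions added for the demonstration.
"""
import json
import re

REDACTED = "[redacted]"

# Header names from the advisory, plus two conventional ones (assumed).
SENSITIVE_HEADERS = {
    "x-api-auth-header", "x-api-set-cookie-header", "x-amz-security-token",
    "authorization", "cookie",
}
# Body field names from the advisory, plus token/password (assumed). Compared
# case-insensitively so applicationSecret and ApplicationSecret both match.
SENSITIVE_FIELDS = {
    "credentials", "applicationsecret", "oauthcredential", "serviceaccountcredential",
    "spkey", "spcert", "certificate", "privatekey", "token", "password",
}
# Agent registration command lines embed the token as a flag value.
TOKEN_FLAG = re.compile(r"(--token[ =])\S+")


def redact_headers(headers: dict) -> dict:
    return {name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
            for name, value in headers.items()}


def redact_value(obj):
    """Walk JSON-like data; redact by key name, by Secret kind, and by token flag."""
    if isinstance(obj, dict):
        if obj.get("kind") == "Secret":
            # Every Secret sub-type (kubernetes.io/dockerconfigjson included) keeps
            # its payload in data/stringData; keep the key names, drop the values.
            return {k: ({name: REDACTED for name in v}
                        if k in ("data", "stringData") and isinstance(v, dict)
                        else redact_value(v))
                    for k, v in obj.items()}
        return {k: (REDACTED if k.lower() in SENSITIVE_FIELDS else redact_value(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_value(item) for item in obj]
    if isinstance(obj, str):
        return TOKEN_FLAG.sub(r"\g<1>" + REDACTED, obj)
    return obj


def redact_audit_record(record: dict) -> dict:
    """Return a redacted copy; the original record is left untouched."""
    out = {}
    for key, value in record.items():
        if key in ("requestHeader", "responseHeader") and isinstance(value, dict):
            out[key] = redact_headers(value)
        else:
            out[key] = redact_value(value)
    return out


SAMPLE_RECORD = {  # constructed, not a real audit line
    "requestURI": "/v3/cloudcredentials",
    "requestHeader": {"X-Api-Auth-Header": "Bearer token-abc123",
                      "Content-Type": "application/json"},
    "requestBody": {"name": "azuread", "applicationSecret": "s3cr3t",
                    "nested": {"spKey": "-----BEGIN KEY-----",
                               "items": [{"privateKey": "pk", "note": "ok"}]}},
    "responseBody": {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
                     "data": {".dockerconfigjson": "eyJhdXRocyI6e319"}},
    "agentCommand": "agent register --server https://rancher.example --token abcdef0123",
}

if __name__ == "__main__":
    print(json.dumps(redact_audit_record(SAMPLE_RECORD), indent=2))
```

A deny-list like this is only as good as its coverage, which is why the advisory still recommends rotating static secrets after patching: anything that leaked before the filter existed is already in the log pipeline.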

GHSA-c85r-fwc7-45vc, CVE-2023-32194

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in go/github.com/rancher/rancher

### Impact

A vulnerability has been identified when granting a `create` or `*` **global role** for a resource type of "namespaces": no matter the API group, the subject will receive `*` permissions for core namespaces. This can lead to someone being capable of accessing, creating, updating, or deleting a namespace in the project. This includes reading or updating a namespace in the project so that it is available in other projects in which the user has the "manage-namespaces" permission, or updating another namespace in which the user has normal "update" permissions so that it is moved into the project.

The expected behavior is to not be able to create, update, or delete a namespace in the project or move another namespace into the project, since the user does not have any permissions on namespaces in the core API group.

Moving a namespace to another project could lead to leakage of secrets, in case the targeted project has secrets, and can also allow the namespace to abuse the resource quotas of the targeted project.

### Patches

Patched versions include releases `2.6.14`, `2.7.10` and `2.8.2`.

### Workarounds

There is no direct mitigation besides updating Rancher to a patched version.

### References

If you have any questions or comments about this advisory:

- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security-related inquiries.
- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.
- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).

Added on 2024-02-09

GHSA-w327-wq28-3vmf, CVE-2009-4665

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nuget/CuteEditor

Directory traversal vulnerability in CuteSoft_Client/CuteEditor/Load.ashx in CuteSoft Components Cute Editor for ASP.NET allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

Added on 2024-02-09
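Four entries above are path handling bugs of the same family: Tomcat (CVE-2009-2693) wrote WAR entries containing `..` outside the deployment directory, Django's admin media handler (CVE-2009-2659) and CuteEditor's `Load.ashx` (CVE-2009-4665) let `..` in a request reach files outside the static root, and ActiveMQ's Jetty ResourceHandler (CVE-2010-1587) let a `//` prefix bypass the route that should have executed a JSP. The code below is one added example covering all four, not code from any of those projects: a request-path canonicalizer that collapses slashes and refuses to climb above the root, a `safe_join` for file lookups, and a ZIP/WAR extractor that validates every entry before writing anything. The archive and paths used are constructed.

```python
"""Added example: rejecting path traversal in archive entries and request paths.

Not code from Tomcat, Django, ActiveMQ or CuteEditor; the archive and paths below
are constructed for the demonstration.
"""
import io
import os
import tempfile
import zipfile
from urllib.parse import unquote


def normalize_request_path(path: str) -> str:
    """Canonicalize a URL path once, before any route or file lookup.

    Collapses repeated slashes (so '//admin/index.jsp' cannot dodge a rule written
    for '/admin/index.jsp'), resolves '.' and '..', and rejects paths that climb
    above the root. Percent-escapes are decoded exactly once, here and nowhere else.
    """
    decoded = unquote(path).replace("\\", "/")
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise ValueError(f"path escapes the root: {path!r}")
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


def safe_join(base_dir: str, untrusted: str) -> str:
    """Resolve `untrusted` beneath `base_dir`, refusing anything that escapes it.

    realpath() follows symlinks, so a link inside base_dir that points outside is
    caught too; commonpath() avoids the '/srv/app' vs '/srv/app2' prefix mistake.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, untrusted.lstrip("/\\")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal blocked: {untrusted!r}")
    return target


def safe_extract(archive: bytes, dest_dir: str) -> list:
    """Extract a ZIP/WAR; an entry like '../../bin/catalina.bat' aborts the whole job.

    Every name is validated before a single byte is written, so a malicious archive
    cannot leave a half-deployed application behind.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = [(info, safe_join(dest_dir, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed fixture: zipfile.writestr keeps '..' in names, like a hand-built WAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> dict:
    dest = tempfile.mkdtemp()
    malicious = build_archive({"WEB-INF/web.xml": b"<web-app/>",
                               "../../bin/catalina.bat": b"@echo compromised"})
    try:
        safe_extract(malicious, dest)
        blocked = False
    except ValueError:
        blocked = True
    results = {
        "malicious_blocked": blocked,
        # nothing from the malicious archive reached disk, not even its benign entry
        "partial_write": os.path.exists(os.path.join(dest, "WEB-INF", "web.xml")),
        "benign_files": len(safe_extract(build_archive({"WEB-INF/web.xml": b"<web-app/>"}), dest)),
        "double_slash": normalize_request_path("//admin/index.jsp"),
        "dotdot_inside": normalize_request_path("/media/css/../js/app.js"),
    }
    try:
        normalize_request_path("/media/..%2f..%2f..%2fetc/passwd")
        results["encoded_escape_blocked"] = False
    except ValueError:
        results["encoded_escape_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any language: canonicalize once and match routes on the canonical form (the ActiveMQ bug is a route matcher and a file server disagreeing about `//`), and validate the whole archive before writing (a check-as-you-go extractor still leaves the first N entries on disk when entry N+1 is rejected).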

GHSA-pvjh-7h8q-q56r, CVE-2010-4312

Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header in maven/org.apache.tomcat/tomcat

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

Added on 2024-02-09
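The Tomcat entry above is about a missing cookie attribute rather than a code bug, so the practical check is on the response headers a deployment actually emits. The small auditor below is an added example, not Tomcat code: it parses `Set-Cookie` values without breaking on `=` inside cookie values and reports which of `HttpOnly`, `Secure` and `SameSite` each cookie lacks. The header values and the session cookie name list are constructed.

```python
"""Added example: auditing Set-Cookie headers for HttpOnly and the other
session-cookie flags. Not Tomcat code; the header values are constructed."""


def parse_set_cookie(header_value: str):
    """Return (name, value, attributes) with attribute names lower-cased.

    Only the first '=' of the first pair separates name from value, so values
    that themselves contain '=' (base64, signed tokens) survive intact.
    """
    pairs = [p.strip() for p in header_value.split(";")]
    name, _, value = pairs[0].partition("=")
    attributes = {}
    for pair in pairs[1:]:
        if not pair:
            continue
        attr, _, attr_value = pair.partition("=")
        attributes[attr.strip().lower()] = attr_value.strip()
    return name.strip(), value.strip(), attributes


FLAGS = (("HttpOnly", "httponly"), ("Secure", "secure"), ("SameSite", "samesite"))


def audit_set_cookie(header_value: str, session_cookie_names=("JSESSIONID",)) -> dict:
    """Report which protective flags one Set-Cookie header lacks."""
    name, _, attrs = parse_set_cookie(header_value)
    missing = [label for label, key in FLAGS if key not in attrs]
    return {"name": name,
            "is_session_cookie": name in session_cookie_names,
            "missing": missing}


def audit_response_headers(headers: list) -> list:
    """headers: (name, value) pairs as received; one finding per Set-Cookie header."""
    return [audit_set_cookie(value) for name, value in headers if name.lower() == "set-cookie"]


SAMPLE_HEADERS = [  # constructed response headers
    ("Content-Type", "text/html"),
    # the shape the advisory describes: session cookie with no HttpOnly
    ("Set-Cookie", "JSESSIONID=3F2A9C1E; Path=/app"),
    ("Set-Cookie", "JSESSIONID=3F2A9C1E; Path=/app; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=theme=dark; Path=/; Max-Age=86400"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        status = "ok" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        print(f"{finding['name']}: {status}")
```

`HttpOnly` stops `document.cookie` from reading the session identifier after an XSS; it does not stop the script from making authenticated requests from the victim's browser, so it limits session theft rather than the XSS itself. Run the auditor against the headers of a real login response, since frameworks frequently set the session cookie in a different place from application cookies.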