Advisories

The version of rtmpdump contained in this package has multiple known vulnerabilities.

A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this SSRF-style access to remote code execution. The mitmproxy and mitmdump tools are unaffected. …

A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates …

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context.

While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context.

Product: MobSF Version: < 4.3.1 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.4.0: 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) Description: Stored XSS in the iOS Dynamic Analyzer functionality. Impact: Leveraging this vulnerability would enable performing actions as users, including administrative users. Vulnerable component: dynamic_analysis.html https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406 Exploitation conditions: A malicious application was uploaded to the Correlium. Mitigation: Use escapeHtml() function on the bundle …

Partial Denial of Service (DoS)

Product: Mobile Security Framework (MobSF) Version: 4.3.0 CWE-ID: CWE-269: Improper Privilege Management CVSS vector v.4.0: 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N) CVSS vector v.3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) Description: MobSF has a functionality of dividing users by roles. This functionality is not efficient, because any registered user can get API Token with all privileges. Impact: Information Disclosure Vulnerable component: Code output component (/source_code) Exploitation conditions: authorized user Mitigation: Remove token output in the returned js-script Researcher: …

The env option KC_CACHE_EMBEDDED_MTLS_ENABLED does not work and the jgroups replication configuration is always used in plain. This option worked before in 24 and 22. More info in public issue https://github.com/keycloak/keycloak/issues/34644.

Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.

Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.

Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.

Recovering coordinators do not verify the seed provided by the recovering party. This allows an attacker to set up a coordinator with a manifest that passes validation, but with a secret seed controlled by the attacker. If network traffic is redirected from the legitimate coordinator to the attacker's coordinator, a workload owner is susceptible to impersonation if either they set a new manifest and don't compare the root CA cert …

Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.

Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability.

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. Note: This is a bypass of the fix for CVE-2024-21549.

The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.

CWA-2025-002 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.2.0, < 2.2.2 wasmvm >= 2.1.0, < 2.1.5 wasmvm >= 2.0.0, < 2.0.6 wasmvm < 1.5.8 Patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected. (We'll add more detail once chains had a chance …

CWA-2025-002 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.2.0, < 2.2.2 wasmvm >= 2.1.0, < 2.1.5 wasmvm >= 2.0.0, < 2.0.6 wasmvm < 1.5.8 Patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected. (We'll add more detail once chains had a chance …

CWA-2025-002 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.2.0, < 2.2.2 wasmvm >= 2.1.0, < 2.1.5 wasmvm >= 2.0.0, < 2.0.6 wasmvm < 1.5.8 Patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to slow down block production. The attack requires a malicious contract, so permissioned chains are unlikely to be affected. (We'll add more detail once chains had a chance …

CWA-2025-001 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.2.0, < 2.2.2 wasmvm >= 2.1.0, < 2.1.5 wasmvm >= 2.0.0, < 2.0.6 wasmvm < 1.5.8 Patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to crash the chain. The underlying bug that causes this is present on both permissioned and premissionless chains, but it can only be triggered reliably with a malicious …

CWA-2025-001 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.2.0, < 2.2.2 wasmvm >= 2.1.0, < 2.1.5 wasmvm >= 2.0.0, < 2.0.6 wasmvm < 1.5.8 Patched versions: wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to crash the chain. The underlying bug that causes this is present on both permissioned and premissionless chains, but it can only be triggered reliably with a malicious …

__screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get the content of arbitrary files.

Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks.

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

During recovery, a Coordinator only verifies that a given recovery key decrypts the sealed state, not if this key was provided by a party with access to one of the recovery keys defined in the manifest. This allows an attacker to manually craft a sealed state using their own recovery keys, and a manifest that does not match the rest of the state. If network traffic is redirected from the …

Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to …

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations. This is same vulnerability that CVE-2020-13946 was issued for, but the Java …

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions. This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer …

This vulnerability is an Environment Variable Injection issue in dotenv.stringify, affecting google/zx version 8.3.1. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through dotenv.stringify are particularly vulnerable.

This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of sofurry.com. Please note that this user does not own this domain on the internet, just the discord handle. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number …

Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to authenticated clients.

Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to authenticated clients.

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow Exploitation conditions: a user viewing a specially …

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow Exploitation conditions: a user viewing a specially …

Django-Unicorn is vulnerable to python class pollution vulnerability, a new type of vulnerability categorized under CWE-915. The vulnerability arises from the core functionality set_property_value, which can be remotely triggered by users by crafting appropriate component requests and feeding in values of second and third parameter to the vulnerable function, leading to arbitrary changes to the python runtime status. With this finding, so far we've found at least five ways of …

Name: ASA-2025-002: Malicious peer can stall network by disseminating seemingly valid block parts Component: CometBFT Criticality: High (Catastrophic Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes, Users

Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync Component: CometBFT Criticality: Medium (Considerable Impact; Possible Likelihood per ACMv1.2) Affected versions: <= v0.38.16, v1.0.0 Affected users: Validators, Full nodes

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused …

While rebuilding PMD Designer for Reproducible Builds and digging into issues, I found out that passphrase for gpg.keyname=0xD0BF1D737C9A1C22 is included in jar published to Maven Central.

While rebuilding PMD Designer for Reproducible Builds and digging into issues, I found out that passphrase for gpg.keyname=0xD0BF1D737C9A1C22 is included in jar published to Maven Central.

While rebuilding PMD Designer for Reproducible Builds and digging into issues, I found out that passphrase for gpg.keyname=0xD0BF1D737C9A1C22 is included in jar published to Maven Central.

Grafana is an open-source platform for monitoring and observability. The Grafana Alerting VictorOps integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11 and 10.4.15

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused …

Lookup tables, whose length is not divisible by 26 = floor(num_routed_wires / 3) always include the 0 -> 0 input-output pair. Thus a malicious prover can always prove that f(0) = 0 for any lookup table f (unless its length happens to be divisible by 26). The cause of problem is that the LookupTableGate-s are padded with zeros. The fix is done by padding with an existing table pair, similarly …

By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. …

The policy group feature, added to by the 1.17.0 release, introduced two new types of CRD: ClusterAdmissionPolicyGroup and AdmissionPolicyGroup. The former is cluster wide, while the latter is namespaced. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it’s considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes …

Cleartext storage of sensitive information in the Zoom Jenkins Marketplace plugin before version 1.4 may allow an authenticated user to conduct a disclosure of information via network access.

A vulnerable node can be forced to shutdown/crash using a specially crafted message. During the peer-to-peer connection handshake, a shared secret key is computed. The implementation did not verify whether the EC public key provided by the remote party is a valid point on the secp256k1 curve. By simply sending an all-zero public key, a crash could be induced due to unexpected results from the handshake. The issue was fixed …

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

We recently underwent Penetration Testing of OpenMRS by a third-party company. Vulnerabilities were found, and fixes have been made and released. We've released security updates that include critical fixes, and so, we strongly recommend upgrading affected modules. This notice applies to all OpenMRS instances. The testers used the OpenMRS v3 Reference Application (O3 RefApp); however, their findings highlighted modules commonly used in older OpenMRS applications, including the O2 RefApp.

A command injection vulnerability in the video thumbnail rendering component of files.photo.gallery v0.3.0 through 0.11.0 allows remote attackers to execute arbitrary code via a crafted video file.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qr6x-62gq-4ccp. This link is maintained to preserve external references. Original Description A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor …

DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, arbitrary Javascript can be executed.

DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.

DevDojo Voyager through version 1.8.0 is vulnerable to bypassing the file type verification when an authenticated user uploads a file via /admin/media/upload. An authenticated user can upload a web shell causing arbitrary code execution on the server.

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can …

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can …

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can …

Withdrawn Advisory This advisory has been withdrawn because further research determined that github.com/hashicorp/yamux was not vulnerable to denial of service in the manner described. This link is maintained to preserve external references. Original Description The default values for Session.config.KeepAliveInterval and Session.config.ConnectionWriteTimeout of 30s and 10s create the possibility for timed out writes that most aren't handling in their readers. Calls to Stream.Read on one side of a connection will hang …

When using the ?? operator, output escaping was missing for the expression on the left side of the operator.

Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are temporarily placed in a world-readable local directory, making them accessible to unauthorized users on the same machine. This vulnerability affects versions 2.0.12 through 4.2.0 on Linux and macOS. Snowflake fixed the issue in version 4.3.0. Vulnerability Details When downloading files from stages, the Snowflake Connector for .NET uses the OS …

Issue Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory. This vulnerability affects versions 1.12.0 through 2.0.1 on Linux. Snowflake fixed the issue in version 2.0.2. Vulnerability Details On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake …

Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the snowflake.connector.pandas_tools module is vulnerable to SQL injection. This vulnerability affects versions 2.2.5 through 3.13.0. Snowflake fixed the issue in version 3.13.1. Vulnerability Details A function from the snowflake.connector.pandas_tools module is not sanitizing all of its arguments, and queries using them are not parametrized. An attacker controlling these arguments could achieve SQL injection by …

Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as the serialization format, potentially leading to local privilege escalation. This vulnerability affects versions 2.7.12 through 3.13.0. Snowflake fixed the issue in version 3.13.1. Vulnerability Details The OCSP response cache is saved locally on the machine running the Connector using the pickle serialization format. This can potentially lead to local privilege …

Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. On Linux systems, when temporary credential caching is enabled, the Snowflake Connector for Python will cache temporary credentials locally in a world-readable file. This vulnerability affects versions 2.3.7 through 3.13.0. Snowflake fixed the issue in version 3.13.1. Vulnerability Details On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake …

Issue Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. On Linux systems, when temporary credential caching is enabled, the Snowflake JDBC Driver will cache temporary credentials locally in a world-readable file. This vulnerability affects versions 3.6.8 through 3.21.0. Snowflake fixed the issue in version 3.22.0. Vulnerability Details On Linux, when either EXTERNALBROWSER or USERNAME_PASSWORD_MFA authentication methods are used with temporary credential caching enabled, the Snowflake JDBC Driver …

Issue Snowflake discovered and remediated a vulnerability in the Snowflake JDBC Driver. When the EXTERNALBROWSER authentication method is used on Windows, an attacker with write access to a directory in the %PATH% can escalate their privileges to the user that runs the vulnerable JDBC Driver version. This vulnerability affects versions 3.2.3 through 3.21.0 on Windows. Snowflake fixed the issue in version 3.22.0. Vulnerability Details When the EXTERNALBROWSER authentication method is …

An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account.

Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles.

RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie.

What kind of vulnerability is it? Who is impacted? If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages.

In this case, the "fast_float2::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input. This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is …

In this case, the "fast_float::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input. This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is …

Deep Java Library (DJL) is an open-source, high-level, engine-agnostic Java framework for deep learning. DJL is designed to be easy to get started with and simple to use for Java developers. DJL provides a native Java development experience and functions like any other regular Java library. DJL provides utilities for extracting tar and zip model archives that are used when loading models for use with DJL. These utilities were found …

Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are recommended to upgrade to version 4.0.1, which fixes this issue.

Problem Description A vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The attack can only be exploited if the following requirements are met: An attacker can anticipate the email address of the user. An attacker can register a public frontend user account using that email address before the user's first OIDC login. The IDP returns the field email containing the email …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

The ContextLines integration uses readable streams to more efficiently use memory when reading files. The ContextLines integration is used to attach source context to outgoing events. The stream was not explicitly closed after use. This could lead to excessive amounts of file handles open on the system and potentially lead to a Denial of Service (DoS). The ContextLines integration is enabled by default in the Node SDK (@sentry/node) and SDKs …

An SQL injection vulnerability allows any authenticated user to execute arbitrary SQL commands on the server. This can lead to unauthorized access to sensitive data, data modification, or even complete control over the server. Details The vulnerability is found in the URL parameters of the following endpoint:

A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user's browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.

A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers.

A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers.

A critical vulnerability was discovered in the ismp-grandpa crate, that allowed a malicious prover easily convince the verifier of the finality of arbitrary headers.

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log …

A flaw was found in Infinispan, when using JGroups with JDBC_PING. This issue occurs when an application inadvertently exposes sensitive information, such as configuration details or credentials, through logging mechanisms. This exposure can lead to unauthorized access and exploitation by malicious actors.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q53r-9hh9-w277. This link is maintained to preserve external references. Original Description A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit …

A vulnerability was found in CRI-O. A path traversal issue in the log management functions (UnMountPodLogs and LinkContainerLogs) may allow an attacker with permissions to create and delete Pods to unmount arbitrary host paths, leading to node-level denial of service by unmounting critical system directories.

A flaw was found in ArgoCD. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.

Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an authorized user of the product to perform this attack. Users are recommended to upgrade to version 4.0.0, which fixes this issue. The problem occurs when an application doesn’t use a constant-time algorithm for validating a signature. The method Arrays.equals() …

The vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It use torch.load function and weights_only parameter is default value False. There is a security warning on https://pytorch.org/docs/stable/generated/torch.load.html, when torch.load load a malicious pickle data it will execute arbitrary code during unpickling.

uniapi version 1.0.7 introduces code that would execute on import of the module and download a script from a remote URL, and would then execute the downloaded script in a thread. The downloaded script would harvest system information and POST the information to another remote URL. This code was found in the PyPI release artifacts and was not present in the public GitHub repository.

Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.

Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site.

Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings.

Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.

A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.

A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title parameter.

Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization are vulnerable to a sort of privilege escalation wherein individual "trusted" configset files can be ignored in favor of potentially-untrusted replacements available elsewhere on the filesystem. These replacement config files are treated as "trusted" and …

Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem. This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes …

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not …

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator used to generate these identifiers was seeded with the startup time, it may not have been sufficiently unpredictable, and an attacker could use this to guess continuation ids and look up continuations they should not …

XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing.

XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used to within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing.

Private maven repository credentials leaked in application logs in case of unsuccessful retrieval operation.

A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile.

In CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build …

In CI contexts, the IG Publisher CLI uses git commands to determine the URL of the originating repo. If the repo was cloned, or otherwise set to use a repo that uses a username and credential based URL, the entire URL will be included in the built Implementation Guide, exposing username and credential. This does not impact users that clone public repos without credentials, such as those using the auto-ig-build …

Cross Site Scripting vulnerability in nbubna store v.2.14.2 and before allows a remote attacker to execute arbitrary code via the store.deep.js component

If an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.

The saveRequestFiles function does not delete the uploaded temporary files when user cancels the request.

Via a type confusion bug in the CPython interpreter when using try/except* RestrictedPython could be bypassed. We believe this should be fixed upstream in Python itself until that we remove support for try/except* from RestrictedPython. (It has been fixed for some Python versions.)

If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.

An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or database name could be used for XSS.

A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration (possibly containing confidential data). For example, the following command, if run from within the Kubernetes cluster, can be used to get the configuration …

Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.

When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see.

When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see.

If an attacker can control the input to the asteval library, they can bypass its safety restrictions and execute arbitrary Python code within the application's context.

The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources. Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue.

Withdrawn Advisory This advisory has been withdrawn because the issue is a documented security. This link is maintained to preserve external references. For more information, see https://github.com/github/advisory-database/pull/5270. Original Advisory A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned. For example, if your shop has a third party module vulnerable to SQL injections, then ps_contactinfo might execute a stored XSS in FO.

The Jenkins Azure Service Fabric Plugin 1.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

The Jenkins GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of credential IDs …

The Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier treats usernames as case-insensitive. On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. OpenId Connect Authentication Plugin 4.453.v4d7765c854f4 introduces an advanced configuration option to manage username case sensitivity, with default to case-sensitive.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2p82-5wwr-43cw. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, …

In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new …

Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to.

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.

Stored Cross-Site Scripting (XSS) Vulnerability in the Categorization Option of My Subscriptions Functionality in Silverpeas Core 6.3.1 <= 6.4.1 allows a remote attacker to execute arbitrary JavaScript code. This is achieved by injecting a malicious payload into the Name field of a subscription. The attack can lead to session hijacking, data theft, or unauthorized actions when an admin user views the affected subscription.

For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about the Kubernetes cluster which Hubble UI is monitoring, including node names, IP addresses, and other metadata about workloads and the cluster networking configuration. In …

The Jenkins Eiffel Broadcaster Plugin allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential. Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key. This allows attackers able to create a credential with the same ID as a legitimate one in a different credentials store, to sign an event published to …

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication. In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL. Bitbucket Server Integration Plugin 4.1.4 restricts which URLs it disables cross-site …

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.

Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. [!WARNING] This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if …

It is possible for any end-user to craft a DOM based XSS on all of YesWiki's pages which will be triggered when a user clicks on a malicious link. This Proof of Concept has been performed using the followings: YesWiki v4.4.5 (doryphore-dev branch, latest) Docker environnment (docker/docker-compose.yml) Docker v27.5.0 Default installation

Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists.

Content in filesystem is accessible for reading using sniff_csv, even with enable_external_access=false.

An issue in System.Linq.Dynamic.Core versions before v.1.6.0 allow remote access to properties on reflection types and static properties/fields.

Lack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application.

Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML, such as the \htmlData command, and the lack of escaping leads to XSS.

This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack.

HashiCorp’s go-slug library is vulnerable to a zip-slip style attack when a non-existing user-provided path is extracted from the tar entry. This vulnerability, identified as CVE-2025-0377, is fixed in go-slug 0.16.3.

gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This causes files in a repository to be world-writable in some situations.

The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included

An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions.

This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret Anyone running an unpatched version of Craft with a compromised security key is affected.

With careful use of the –mount flag in RUN instructions in Containerfiles, and by using either multi-stage builds with use of concurrently-executing build stages (e.g., using the –jobs CLI flag) or multiple separate but concurrently-executing builds, a malicious Containerfile can be used to expose content from the build host to the command being run using the RUN instruction. This can be used to read or write contents using the privileges …

It is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. This Proof of Concept has been performed using the followings: YesWiki v4.4.5 (doryphore-dev branch, latest) Docker environnment (docker/docker-compose.yml) Docker v27.5.0 Default installation

It is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope. This Proof of Concept has been performed using the followings: YesWiki v4.4.5 (doryphore-dev branch, latest) Docker environnment (docker/docker-compose.yml) Docker v27.5.0 Default installation

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

WriteFreely through 0.15.1, when MySQL is used, allows local users to discover credentials by reading config.ini.

The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API.

Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enable_subdomains = False.

Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enable_subdomains = False.

KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML.

An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password even when the host key verification fails.

Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts#L34. However, the current tls.connect method will always set rejectUnauthorized: false which is a potential security concern. CDK should follow the best practice and set rejectUnauthorized: true. However, this could be a breaking change for existing CDK applications and we should fix this with a feature flag. Note that this …

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.

MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository.

MMR before version 1.3.5 is vulnerable to unbounded disk consumption, where an unauthenticated adversary can induce it to download and cache large amounts of remote media files. MMR's typical operating environment uses S3-like storage as a backend, with file-backed store as an alternative option. Instances using a file-backed store or those which self-host an S3 storage system are therefore vulnerable to a disk fill attack. Once the disk is full, …

MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large amounts of memory and exhaust available memory.

If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file. If MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the …

Matrix Media Repo (MMR) is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

StoredXSS-LibreNMS-Ports Description: Stored XSS on the parameter: /ajax_form.php -> param: descr Request: POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1 of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new …

StoredXSS-LibreNMS-Ports Description: Stored XSS on the parameter: /ajax_form.php -> param: descr Request: POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1 of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new …

StoredXSS-LibreNMS-MiscSection Description: Stored XSS on the parameter: ajax_form.php -> param: state Request: POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)"> of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. The vulnerability in the line: $attrib_val …

StoredXSS-LibreNMS-MiscSection Description: Stored XSS on the parameter: ajax_form.php -> param: state Request: POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)"> of Librenms version 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. The vulnerability in the line: $attrib_val …

XSS on the parameters:/addhost -> param: community of Librenms versions 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Navigate to the /addhost path. Fill in all required fields. In the Community field, enter the following payload: "><img src=a onerror="alert(1)">. Submit the …

XSS on the parameters:/addhost -> param: community of Librenms versions 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Navigate to the /addhost path. Fill in all required fields. In the Community field, enter the following payload: "><img src=a onerror="alert(1)">. Submit the …

Description: XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display of Librenms versions 24.9.0, 24.10.0, and 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created …

Description: XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display of Librenms versions 24.9.0, 24.10.0, and 24.10.1 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created …

StoredXSS-LibreNMS-Display Name 2 Description: XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):/device/$DEVICE_ID/edit -> param: display of Librenms versions 24.11.0 (https://github.com/librenms/librenms) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. Proof of Concept: Add a new device through the LibreNMS interface. Edit the newly created …

A Broken Object Level Authorization (BOLA) vulnerability in Indico v3.2.9 allows attackers to access sensitive information via sending a crafted POST request to the component /api/principals.

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

A snap with prior permissions to create a mount entry on the host, such as firefox, normally uses the permission from one of the per-snap hook programs. A unprivileged users cannot normally trigger that behaviour by using snap run –shell firefox followed by snapctl mount, since snapd validates the requesting user identity (root or non-root). The issue allows unprivileged users to bypass that check by crafting a malicious command line …

A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

Remote code execution may be possible in web-accessible installations of Homarus in certain configurations.

Remote code execution may be possible in web-accessible installations of Homarus in certain configurations.

In SP1’s STARK verifier, the prover provided chip_ordering is used to fetch the index of the chips that have preprocessed columns. Prior to v4.0.0, the validation that this chip_ordering correctly provides these indexes was missing. In v4.0.0, this was fixed by adding a check that the indexed chip’s name is equal to the name stored in the verifying key’s chip information. In the recursive verifier, every verifier program is generated …

NOTE: The Realtime WYSIWYG Editor extension was experimental, and thus not recommended, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only edit right can join a realtime editing session where others, that where already there or that may join later, have script or programming access rights. This user can then insert script rendering macros that …

When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as …

Character limits configured by editors for short and long answer fields are validated only client-side, not server-side.

Character limits configured by editors for short and long answer fields are validated only client-side, not server-side.

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem Applications that use TYPO3\CMS\Core\Http\Uri to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks. Solution Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described. Credits Thanks to Sam Mush and Christian Eßl …

Problem It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the password was incorrect. Solution Update to TYPO3 versions 13.4.3 LTS that fixes the problem described. Credits Thanks to TYPO3 core & security team member Oliver Hader who reported and fixed the issue. References TYPO3-CORE-SA-2025-001

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with …

When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.

In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given message. Some form messages include content that the user can provide. There are scenarios in the CMS where that content doesn't get correctly sanitised prior to being included in the form message, resulting in an XSS vulnerability.

[!IMPORTANT] This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message.

Vulnerability A vulnerability has been identified in Rasa Pro and Rasa Open Source that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: The HTTP API must be enabled on the Rasa instance eg with –enable-api. This is not the default configuration. For unauthenticated RCE to be exploitable, the user must …

Vulnerability A vulnerability has been identified in Rasa Pro and Rasa Open Source that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: The HTTP API must be enabled on the Rasa instance eg with –enable-api. This is not the default configuration. For unauthenticated RCE to be exploitable, the user must …

A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field. Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable web server.

Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

Lodestar client may fail to decode snappy framing compressed messages.

Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork (network partition requiring hard fork) Lodestar does not verify checksum in snappy framing uncompressed chunks.

Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can …

Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can …

When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to …

When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to …

The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format key=value. Git's documentation restricts the use of the NUL (\0) character and newlines to form part of the keys[^1] or values.

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)

Swift ASN.1 can be caused to crash when parsing certain BER/DER constructions. This crash is caused by a confusion in the ASN.1 library itself which assumes that certain objects can only be provided in either constructed or primitive forms, and will trigger a preconditionFailure if that constraint isn't met. Importantly, these constraints are actually required to be true in DER, but that correctness wasn't enforced on the early node parser …

Affected versions: Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0 Description: In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be deny-listed. This attack requires the attacker to obtain an authorized account …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jhvj-f397-8w6q. This link is maintained to preserve external references. Original Description A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user …

The Heartcore headless client library depends on Refit to assist in making HTTP requests to Heartcore public APIs. Refit recently published an advisory regarding a CRLF injection vulnerability whereby it is possible for a malicious user to smuggle additional headers or potentially body content into a request. This shouldn't affect Heartcore client library usage as the vulnerable method - HttpHeaders.TryAddWithoutValidation - is not used. However, since Refit is a transient …

Overview OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? You are affected by this authorization bypass vulnerability if you are using OpenFGA v1.3.8 to v1.8.2, specifically under the following conditions: Calling Check API or ListObjects with a model that uses conditions, and OpenFGA is configured with caching enabled (OPENFGA_CHECK_QUERY_CACHE_ENABLED), …

During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified.

The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination.

A security vulnerability has been identified that allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. Specifically, when configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Jte HTML templates with script tags or script attributes that include a Javascript template string (backticks) are subject to XSS.

Jte HTML templates with script tags or script attributes that include a Javascript template string (backticks) are subject to XSS.

A potential Denial of Service (DoS) vulnerability has been identified in Keycloak, which could allow an administrative user with the rights to change realm settings to disrupt the service. This is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that is already terminated, leading to a failure of said request. Service disruption may happen, users will be …

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function

Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup

Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.

Vulnerability Summary A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. Affected Components Strawberry GraphQL relay integration Specifically impacts implementations using: Django integration SQLAlchemy integration Pydantic integration Technical Details The vulnerability manifests when: Multiple GraphQL types inherit from relay.Node These types …

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. Example attack scenario: An attacker has stolen the private key for a key …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7wj8-856p-qc9m. This link is maintained to preserve external references. Original Description A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The manipulation of the argument Article Name leads to cross site scripting. It is possible to launch …

The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not disclose any information to the attacker.

Path traversal attack gives access to existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an admin user without explicitly giving them permissions.

An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.

SickChill is an automatic video library manager for TV shows. A user-controlled login endpoint's next_ parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to settings.DEFAULT_PAGE instead of to the next parameter.

composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function.

composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function.

composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function.

Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers.

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify allow/deny lists for OpenJPA this leads to possible deserialisation of untrusted data.

Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not …

Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website.

The attacker can perform any operation in the application with user’s privileges or remotely control user’s browser with automated tools.

Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes.

A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.

Once a user logins to one browser, all other browsers are logged in without entering password. Even incognito mode.

Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used.

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. This is a go-git implementation issue and does not affect the upstream git cli.

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. This is a go-git implementation issue and does not affect the upstream git cli.

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. This is a go-git implementation issue and does not affect the upstream git cli.

When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.

When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno'sfetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.

There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users. Edit: Only the first XSS can be reproduced in production.

The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.

A arbitrary file deletion vulnerability has been identified in the latest version of Siyuan Note. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint.An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server.

Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: the HTML page is formed without sanitizing the hyperlink base Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateHTMLHeader Exploitation conditions: a user viewing …

Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: the HTML page is formed without sanitizing the hyperlink base Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateHTMLHeader Exploitation conditions: a user viewing …

Cross-Site Scripting (XSS) vulnerability in custom properties Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: the HTML page is generated without clearing custom properties Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateMeta Exploitation conditions: a user viewing a specially generated Excel file Mitigation: additional …

Cross-Site Scripting (XSS) vulnerability in custom properties Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: the HTML page is generated without clearing custom properties Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateMeta Exploitation conditions: a user viewing a specially generated Excel file Mitigation: additional …

Unauthorized Reflected XSS in the constructor of the Downloader class Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/download.php script, an attacker can perform a XSS-type attack Impact: execution of arbitrary JavaScript code in the browser Vulnerable component: the constructor of the Downloader class Exploitation conditions: an unauthorized …

Unauthorized Reflected XSS in the constructor of the Downloader class Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/download.php script, an attacker can perform a XSS-type attack Impact: execution of arbitrary JavaScript code in the browser Vulnerable component: the constructor of the Downloader class Exploitation conditions: an unauthorized …

Unauthorized Reflected XSS in the Accounting.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php script, an attacker can perform a XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable …

Unauthorized Reflected XSS in the Accounting.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php script, an attacker can perform a XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable …

Unauthorized Reflected XSS in Currency.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php script, an attacker can perform XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable Researcher: Aleksey …

Unauthorized Reflected XSS in Currency.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php script, an attacker can perform XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable Researcher: Aleksey …

Unauthorized Reflected XSS in Convert-Online.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php script, an attacker can perform a XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the quantity variable Researcher: …

Unauthorized Reflected XSS in Convert-Online.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php script, an attacker can perform a XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the quantity variable Researcher: …

Bypass XSS sanitizer using the javascript protocol and special characters Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: …

Bypass XSS sanitizer using the javascript protocol and special characters Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: …

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time. Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a …

What kind of vulnerability is it? Who is impacted? Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths …

What kind of vulnerability is it? Who is impacted? The PULL mode clusters registered with the karmadactl register command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters.

The wp-enable-svg WordPress plugin through 0.2 does not sanitize SVG files when uploaded, allowing for authors and above to upload SVGs containing malicious scripts

Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page.

Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page.

This is a POC for a path-sanitizer npm package. The filters can be bypassed and can result in path traversal. Payload: ..=%5c can be used to bypass this on CLI (along with other candidates). Something similar would likely work on web apps as well.

A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.

We consider as_slice and as_slice_mut unsound because: the pointer with any bit patterns could be cast to the slice of arbitrary types. The pointer could be created by unsafe new and deprecated from_parts. We consider that from_parts should be removed in latest version because it will help trigger unsoundness in as_slice. With new declared as unsafe, as_slice should also declared as unsafe. This was patched in by marking two functions …

TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.

TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.

A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability …

This crate uses a number of cryptographic algorithms that are no longer considered secure and it uses them in ways that do not guarantee the integrity of the encrypted data. MagicCrypt64 uses the insecure DES block cipher in CBC mode without authentication. This allows for practical brute force and padding oracle attacks and does not protect the integrity of the encrypted data. Key and IV are generated from user input …

A reflected XSS vulnerability exists in the Referer HTTP header of LGSL v6.2.1. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization. When crafted malicious input is provided in the Referer header, it is echoed back into an HTML attribute in the application’s response.

An Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request.

An open redirect vulnerability has been identified in the verify email endpoint of Better Auth, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library.

Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions.

Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled …

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled …

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled …

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled …

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled …

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled …

A new decloaking technique for nearly all VPN implementations has been found, which allows attackers to inject entries into the routing tables of unsuspecting victims using DHCP option 121. This allows attackers to redirect traffic, which is supposed to be sent encrypted over the VPN, through the physical interface handling DHCP for the network the victim's computer is connected to, effectively bypassing the VPN connection.

An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.

A vulnerability was found in python-sql where unary operators do not escape non-Expression (like And and Or) which makes any system exposing those vulnerable to an SQL injection attack.

Incorrect access control in the /users endpoint of Cpacker MemGPT v0.3.17 allows attackers to access sensitive data.

Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur when user input is used to construct file paths without adequate sanitization or validation. For example, using file:../../../etc/passwd or file: ///etc/passwd can bypass weak validations and allow unauthorized access to sensitive files. Even though this has been addressed in previous patch, it is still insufficient.

Marp Core (@marp-team/marp-core) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization.

Marp Core (@marp-team/marp-core) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization.

A stored cross-site scripting (XSS) vulnerability was identified in lgsl. The issue arises from improper sanitation of user input. Everyone who accesses this page will be affected by this attack.

A SQL injection in the Amazon Redshift Python Connector in version 2.1.4 allows a user to gain escalated privileges via schema injection in the get_schemas, get_tables, or get_columns Metadata APIs. Users should upgrade to the driver version 2.1.5 or revert to driver version 2.1.3.

A SQL injection in the Amazon Redshift JDBC Driver in v2.1.0.31 allows a user to gain escalated privileges via schema injection in the getSchemas, getTables, or getColumns Metadata APIs. Users should upgrade to the driver version 2.1.0.32 or revert to driver version 2.1.0.30.

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also …

A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code.

Authentication Bypass by Assumed-Immutable Data vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue.

The VariantStrIter::impl_get function (called internally by implementations of the Iterator and DoubleEndedIterator traits for this type) was unsound, resulting in undefined behaviour. An immutable reference &p to a *mut libc::c_char pointer initialized to NULL was passed as an argument to a C function that that mutates the pointer behind &p in-place (i.e. as an out-argument), which was unsound. After changes in recent versions of the Rust compiler, these unsound writes …

The library provides a safe public API unpack to cast u8 array to arbitrary types, which can cause to undefined behaviors. The length check of array can only prevent out-of-bound access on the return type. However, it can't prevent misaligned pointer when casting u8 pointer to a type aligned to larger bytes. For example, if we assign u16 to T, misaligned raw pointer dereference could happen and cause to panic. …

An issue was identified in the VmFd::create_device function, leading to undefined behavior and miscompilations on rustc 1.82.0 and newer due to the function's violation of Rust's pointer safety rules. The function downcasted a mutable reference to its struct kvm_create_device argument to an immutable pointer, and then proceeded to pass this pointer to a mutating system call. Rustc 1.82.0 and newer elides subsequent reads of this structure's fields, meaning code will …

An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request. Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.

The malicious user is able to commit and edit a crafted symlink file to a repository to gain SSH access to the server.

The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server.

Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If exposed, an attacker could: Forge valid tokens to impersonate users, including administrative accounts. Gain unauthorized access to sensitive data or perform privileged actions. This …

The library breaks the safety assumptions when using unsafe API slice::from_raw_parts_mut. The pointer passed to from_raw_parts_mut is misaligned by casting u8 to u16 raw pointer directly, which is unsound. The bug is patched by using align_offset, which could make sure the memory address is aligned to 2 bytes for u16.

A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute …

An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to …

When the built-in SSH server is enabled ([server] START_SSH_SERVER = true), unprivileged user accounts with at least one SSH key can execute arbitrary commands on the Gogs instance with the privileges of the user specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. It allows attackers to access and alter any users' code hosted on the same instance.

Unprivileged user accounts with at least one SSH key can read arbitrary files on the system. For instance, they could leak the configuration files that could contain database credentials ([database] *) and [security] SECRET_KEY. Attackers could also exfiltrate TLS certificates, other users' repositories, and the Gogs database when the SQLite driver is enabled.

Unprivileged user accounts can write to arbitrary files on the filesystem. We could demonstrate its exploitation to force a re-installation of the instance, granting administrator rights. It allows accessing and altering any user's code hosted on the same instance.

When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code.

A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server.

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie …

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie …

Signing cookies is an application security feature that adds a digital signature to cookie data to verify its authenticity and integrity. The signature helps prevent malicious actors from modifying the cookie value, which can lead to security vulnerabilities and exploitation. Apache Hive’s service component accidentally exposes the signed cookie to the end user when there is a mismatch in signature between the current and expected cookie. Exposing the correct cookie …

An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the "real-browser" request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as file:///etc/passwd, an attacker can read sensitive data from the server.

An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the "real-browser" request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as file:///etc/passwd, an attacker can read sensitive data from the server.

The SSID is not sanitized when before it is passed as a parameter to cmd.exe in the getWindowsIEEE8021x function. This means that malicious content in the SSID can be executed as OS commands.

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser, leading to a XSS vulnerability.

A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by creating a page via the /manager/pages and then adding a markdown content with the XSS payload.

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to access sensitive information of other users by manipulating the id parameter.

Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to access sensitive information of other users by manipulating the id parameter.

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.

An OS command injection vulnerability exists in the name parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a local file. Note: This is a bypass of the fix for CVE-2024-21544.

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of …

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of …

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of …

A Denial of Service (DoS) vulnerability in the authentication middleware allows any client to cause memory exhaustion by sending large request bodies. The server reads the entire request body into memory without size limits, creating multiple copies during processing, which can lead to Out of Memory conditions. Affects all versions up to the latest one (v0.43.0).

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files.

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the …

pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected. An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c. Thanks to ⬡-49016 for reporting this …

pyrage uses the Rust age crate for its underlying operations, and age is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx5w are relevant to pyrage for the versions specified in this advisory. See GHSA-4fg7-vxc8-qx5w for full details. Versions of pyrage before 1.2.0 lack plugin support and are therefore not affected. An equivalent issue was fixed in the reference Go implementation of age, see advisory GHSA-32gq-x56h-299c. Thanks to ⬡-49016 for reporting this …

A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially crafted file and set the most privileged service account to run the job. This can allow a standard developer user to escalate their privileges to a cluster administrator and pivot to the AWS environment.

Insufficiently Protected Credentials in the Mail Server Configuration in GoPhish v0.12.1 allows an attacker to access cleartext passwords for the configured IMAP and SMTP servers.

A bug in the build process allows any unauthenticated user to read parts of the server source code.

Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious code.

An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects. Because of this, if the following conditions are met a player may assume the login state of a previously connected player: The server has UUID login enabled An authenticated player disconnects A subsequent player connects with a modified client that does not send the ClientUUID#68 packet during connection The …

Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:. An attacker could read any file on the server by exploiting the normalization of \ into /.

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary.

jsii is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various programming languages. jsii is typically used as a command-line tool, but it can also be loaded as a library. When loaded as a library into a larger application, prototype pollution may happen if untrusted user input is passed to the library. When used as a command line-tool, this pollution cannot …

A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's …

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's Service Class text field.

Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's Service Class text field.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xrh7-2gfq-4rcq. This link is maintained to preserve external references. Original Description OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g6qq-c9f9-2772. This link is maintained to preserve external references. Original Description A vulnerability was found in Keycloak. The environment option KC_CACHE_EMBEDDED_MTLS_ENABLED does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

You are affected if your php.ini configuration has register_argc_argv enabled.

Versions of the package bun before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects.

A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks.

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did …

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or plugin.NewRecipient APIs. On UNIX systems, a directory matching ${TMPDIR:-/tmp}/age-plugin-* needs to exist for the attack to succeed. The binary is executed with a single flag, either –age-plugin=recipient-v1 or –age-plugin=identity-v1. The …

Impacted are the only ones who use hd_wallet::Slip10Like or slip_10 derivation method instantiated with curves other than secp256k1 and secp256r1. hd_wallet crate used to provide Slip10Like derivation method, which is also provided in slip-10 crate as a default derivation method. It's based on slip10 method that searches for a valid child key in an infinite loop until it's found. Theoretically, this could be exploited by an attacker by finding a …

Impacted are the only ones who use hd_wallet::Slip10Like or slip_10 derivation method instantiated with curves other than secp256k1 and secp256r1. hd_wallet crate used to provide Slip10Like derivation method, which is also provided in slip-10 crate as a default derivation method. It's based on slip10 method that searches for a valid child key in an infinite loop until it's found. Theoretically, this could be exploited by an attacker by finding a …

There is a potential vulnerability in Traefik managing HTTP/3 connections. More details in the CVE-2024-53259.

There is a potential vulnerability in Traefik managing HTTP/3 connections. More details in the CVE-2024-53259.

A vulnerability has been discovered that could allow an attacker to acquire disk access with privileges equivalent to those of pghoard, allowing for unintended path traversal. Depending on the permissions/privileges assigned to pghoard, this could allow disclosure of sensitive information.

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

The welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

The welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

ASA-2024-0012 When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet. ASA-2024-0013 Nested messages in a transaction can consume exponential cpu and memory on UnpackAny calls. Themax_tx_bytes sets a limit for external TX but is not applied for internal messages emitted by …

The OVERWRITE clause of the DEFINE TABLE statement would fail to overwrite data for tables that were defined with TYPE RELATION. Since table definitions include the PERMISSIONS clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.

The OVERWRITE clause of the DEFINE TABLE statement would fail to overwrite data for tables that were defined with TYPE RELATION. Since table definitions include the PERMISSIONS clause, this failure would result in permissions not being overwritten as a result, which may potentially lead users to believe they have changed the table permissions when they have not.

Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f

Privilege escalation in IAM import API, all users are impacted since MinIO commit 580d9db85e04f1b63cc2909af50f0ed08afa965f

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.

ASA-2024-0012: Transaction decoding may result in a stack overflow When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet. ASA-2024-0013: Transaction decoding may result in resource exhaustion Nested messages in a transaction can consume exponential cpu and memory on UnpackAny calls. The …

XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML.

A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an element without user interaction or explicit consent.

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.

Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.

Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process. This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.

Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation (e.g., Trigger) on any job. If the operation is successful, then the instance is vulnerable.

In getdocument.vm ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. It's possible to employ database backend dependent techniques of breaking out of HQL query context, described, …

On instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server. In order to reproduce on an instance, as a normal user without script nor programming rights, go to your profile and add an object of type ExtensionCode.ExtensionClass. Set the description to {{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}} and press Save and View. If the description displays as Hello from Description without any error, …

Any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type XWiki.WikiMacroClass. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" …

Any user with script rights can perform arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a user with script rights, edit your user profile and add an object of type XWiki.ConfigurableClass ("Custom configurable sections"). Set "Display in section" and "Display in category" to other, "Scope" to Wiki and …

Withdrawn Advisory This advisory has been withdrawn because it was determined to not be a valid vulnerability. This link is maintained to preserve external references. For more information, see https://nvd.nist.gov/vuln/detail/CVE-2024-4109. Original Description A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to …

python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.