Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
admin/limits.php in Dolibarr allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
CGI::Cookie.parse in Ruby mishandles security prefixes in cookie names. This also affects the CGI gem for Ruby.
Date includes a ReDoS vulnerability.
HarfBuzz has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).
OpenEXR has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.
libbpf has a heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).
Open Asset Import Library (aka assimp) has a heap-based buffer overflow in _m3d_safestr (called from m3d_load and Assimp::M3DWrapper::M3DWrapper).
GDAL has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).
uWebSockets has an out-of-bounds write in std::__1::pair<unsigned int, void*> uWS::HttpParser::fenceAndConsumePostPadded<0 (called from uWS::HttpParser::consumePostPadded and std::__1::__function::__func<LLVMFuzzerTestOneInput::$_0, std::__1::allocator<LL).
libbpf has a heap-based buffer overflow (4 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).
jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. As a workaround, the user can use formatting that wraps the whole user input and is a no-op. The code for this workaround is available in the GitHub Security Advisory. The fix will only work when the user of the library is not using different formatters (e.g. to highlight code in a different way).
Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Malicious diagrams can run JavaScript code on diagram readers' machines. Users should upgrade to receive a patch. There are no known workarounds aside from upgrading.
This affects the package celery It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
Apache Log4j2
MinIO is a Kubernetes native application for cloud storage. Prior to version RELEASE.2021-12-27T07-23-18Z, a malicious client can hand-craft an HTTP API call that allows for updating policy for a user and gaining higher privileges. The patch in version RELEASE.2021-12-27T07-23-18Z changes the accepted request body type and removes the ability to apply policy changes through this API. There is a workaround for this vulnerability: Changing passwords can be disabled by adding …
Netgen Tags Bundle allows XSS in the Tags Admin interface.
basic/BasicAuthProvider.java in AuthGuard allows authentication via an inactive identifier.
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
The package parse-link-header is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions.
elgg is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This affects all versions of package github.com/kataras/iris; all versions of package github.com/kataras/iris/v12. The unsafe handling of file names during upload using UploadFormFiles method may enable attackers to write to arbitrary locations outside the designated target folder.
cordova-plugin-fingerprint-aio is a plugin that provides a single and simple interface for accessing fingerprint APIs on both Android 6+ and iOS. The exported activity de.niklasmerz.cordova.biometric.BiometricActivity can cause the app to crash. This vulnerability occurred because the activity didn't handle the case where it is requested with invalid or empty data, which results in a crash. Any third party app can constantly call this activity with no permission. A 3rd party app/attacker …
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * …
A flaw was found in podman. The podman machine function (used to create and manage Podman virtual machine containing a Podman process) spawns a gvproxy process on the host system. The gvproxy API is accessible on port on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the gvproxy API to forward ports on the host to ports in …
A Null Pointer Dereference vulnerability exists in nasm rc0 via asm/preproc.c.
An infinite loop vulnerability exists in nasm rc0 via the gpaste_tokens function.
lib/cmd.js in the node-windows package for Node.js allows command injection via the PID parameter.
Ajax.Releases are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details.
A Denial of Service vulnerability exists in Binaryen due to an assertion abort in wasm::handle_unreachable.
A Denial of Service vulnerability exists in Binaryen due to an Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet.
The Contact Form, Drag and Drop Form Builder for WordPress plugin does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.
In OAuth2 Proxy from version 5.1.1 and less than version 6.0.0, users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially …
In OAuth2 Proxy before 5.1.1, there is an open redirect vulnerability. Users can provide a redirect address for the proxy to send the authenticated user to at the end of the authentication flow. This is expected to be the original URL that the user was trying to access. This redirect URL is checked within the proxy and validated before redirecting the user to prevent malicious actors providing redirects to potentially …
The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC-6819
Sourcegraph before 3.15.1 has a vulnerable authentication workflow because of improper validation in the SafeRedirectURL method in cmd/frontend/auth/redirect.go, such as for the //foo//example.com substring.
OAuth2 Proxy before 5.0 has an open redirect vulnerability. Authentication tokens could be silently harvested by an attacker. This has been patched in version 5.0.
jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient for protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into a <blockquote> tag, including multibyte characters, an internal regular expression for escaping characters may consume an excessive amount of computing resources. …
The root cause of this security vulnerability is in the Tendermint specification, and this advisory is a duplicate of https://github.com/tendermint/spec/security/advisories/GHSA-jqfc-687g-59pw. Impact Tendermint light clients running versions 0.34.0 to 0.34.8 are unable to detect and punish a new kind of attack. We’re calling this a “forward lunatic attack,” or FLA. The severity of this vulnerability is moderate. Note that an FLA cannot be successfully executed unless there are already ⅓+ Byzantine …
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enable potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references).
TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (without changing chainID). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the …
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
OS Command injection vulnerability in function link in Filesystem.php in Laravel Framework
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm-groovy-lint.
The API server in OpenShift Origin 1.0.5 allows remote attackers to cause a denial of service (master process crash) via crafted JSON data.
Authelia is a single sign-on multi-factor portal for web apps. This affects users who are using nginx ngx_http_auth_request_module with Authelia; it allows a malicious individual who crafts a malformed HTTP request to bypass the authentication mechanism. It additionally could theoretically affect other proxy servers, but all of the ones we officially support except nginx do not allow malformed URI paths. The problem is rectified entirely in v4.29.3. As this …
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
Abusively constructed YAML payload can significantly reduce parsing performance potentially leading to DoS.
Contrary to the OCI runtime specification runc's implementation of the linux.resources.devices list was a black-list by default. This means that users who created their own config.json objects and didn't prefix a deny-all rule ({"allow": false, "permissions": "rwm"} or equivalent) were not provided protection by the devices cgroup.
CSRF in Bitly oauth2_proxy 2.1 during authentication flow
solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other …
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
Concourse, versions prior to 6.3.1 and 6.4.1, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
Apache PLC4X - PLC4C (Only the C language implementation was affected) was vulnerable to an unsigned integer underflow flaw inside the tcp transport. Users should update to, which addresses this issue. However, in order to exploit this vulnerability, a user would have to actively connect to a malicious device which could send a response with invalid content. Currently we consider the probability of this being exploited as quite minimal, however …
This advisory has been marked as a false positive.
Buffer overflow in ajaxsoundstudio.com Pyo <= 1.03 in the Server_jack_init function which allows attackers to conduct Denial of Service attacks by arbitrarily constructing an overlong client_name.
Apache Log4j2 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks by inputting a huge width of hash bucket.
This affects the package unisharp/laravel-filemanager from The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on …
A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.
jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. users is vulnerable to a regular expression denial-of-service (ReDoS) attack. If an attacker can put a lot of JSX elements into a <blockquote> tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched to a regex for escaping blockquote characters.
Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attacks by repetitively creating sort arrays.
Incomplete string comparison in the numpy.core allows attackers to fail the APIs via constructing specific string objects.
There is a way to bypass allowFunctions that will affect the security of the application. When the template is set to allow/disallow the use of certain functions, adding control characters (x00-x08) after the function will bypass these restrictions.
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ru.yandex.clickhouse:clickhouse-jdbc-bridge.
An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.
Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php.
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
All versions of package http-server-node are vulnerable to Directory Traversal via use of --path-as-is.
message_bus is a messaging bus for Ruby processes and web clients. users who deployed message bus with diagnostics features enabled (default off) is vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of …
In the TransformXML processor of Apache NiFi an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.
An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states.
In logback version 1.2.9 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.
Buffer Overflow Vulnerability exists in the Server_debug function, which allows remote attackers to conduct DoS attacks by deliberately passing on an overlong audio file name.
Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy, which allows attackers to conduct Denial of Service attacks by carefully constructing an array with negative values.
An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.
An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.
An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.
yetiforcecrm is vulnerable to Business Logic Errors
Impact The impacted portion of the XTDB connector is its connectivity to S3 as a backing store: this is the only portion of the connector that uses this vulnerable httpclient dependency. Per the description, the vulnerability regards URIs that may be misinterpreted, which given the area of impact within the connector we understand to be any URI used to configure connectivity to S3. Note therefore that if you do not …
What kind of vulnerability is it? Who is impacted?
The Auth0 Next.js does not filter out certain returnTo parameter values from the login url, which expose the application to an open redirect vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN architecture.
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Impact Originally reported in iTXTech/Genisys#1188 PotterHarry98 potterharry98 deop PotterHarry98 will remove potterharry98 from the ops.txt but not PotterHarry98. Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match: https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449 This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters. Patches 4d37b79ff7f9d9452e988387f97919a9a1c4954e Workarounds This can be easily addressed by removing the offending lines from ops.txt …
The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.
The package md-to-pdf is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
iTextPDF in iText 7 and up to allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these …
bookstack is vulnerable to Improper Access Control
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF)
In GNU Mailman, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.
Impact UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228. Patches The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects. Existing maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml. References …
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value …
Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege. Over the API it was possible for them to give themselves permissions to areas which they did not already have. This issue was introduced in 2.0.0-RC1 with the new ProfileController putAction. The versions have been patched …
ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
SQL Injection vulnerability exists in ThinkPHP5 via the parseOrder function in Builder.php.
A Cross Site Scripting (XSS) vulnerability exists in Dolibarr via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.
Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service sulu_route.generator.expression_token_provider and wrap the translator before passing it to the expression language.
This vulnerability affects all users of the perseus deploy functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from this upstream issue which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does …
Microsoft PowerShell Spoofing Vulnerability
An open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft "X-Forwarded-Host" headers that, in combination with certain "allowed host" formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
The issue was mostly mitigated before, drastically reducing the risk. See references below for more information. Impact Opencast before version 10.6 will try to authenticate against any external services listed in a media package when it is trying to access the files, sending the global system user's credentials, regardless of the target being part of the Opencast cluster or not. Previous mitigations already prevented clear text authentications for such requests …
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.
Initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be re-executed.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.opencastproject:opencast-common.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in com.splunk.logging:splunk-library-javalogging.
It was found that the fix to address CVE-2021-44228 in Apache Log4j was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in …
Owncast is an open source, self-hosted live video streaming and chat server. In affected versions inline scripts are executed when Javascript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Opencast is an Open Source Lecture Capture & Video Management for Education. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read though and we highly recommend updating.
This advisory has been marked as a False Positive and has been removed.
A security vulnerability that causes buffer overflow when you pass a very large string ( MB) to CGI.escape_html on a platform where long type takes 4 bytes, typically, Windows. Please update the cgi gem to,1,1 or later. You can use gem update cgi to update it. If you are using bundler, please add gem "cgi", " " to your Gemfile. Alternatively, please update Ruby to This issue has been introduced …
JMSAppender in Log4j is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j when specifically configured to use JMSAppender, which is not the default. Apache Log4j reached end of life in …
This CVE has been marked as a False Positive and has been removed. Programs using log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end …
The olm_session_describe function in Matrix libolm is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. …
Opencast is an Open Source Lecture Capture & Video Management for Education. You can mitigate the problem by setting the SameSite=Strict attribute for your cookies. Whether this is a viable option for you depends on your integrations. We strongly recommend updating in any case.
Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would …
The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5.
Jackalope Doctrine-DBAL is an implementation of the PHP Content Repository API (PHPCR) using a relational database to persist data. In affected versions users can provoke SQL injections if they can specify a node name or query. Upgrade to resolve this issue. If that is not possible, you can escape all places where $property is used to filter sv:name in the class Jackalope\Transport\DoctrineDBAL\Query\QOMWalker: XPath::escape($property). Node names and xpaths can contain " …
Mercurius is a GraphQL adapter for Fastify. It is vulnerable to a denial of service attack via malformed JSON sent to /graphql, unless a custom error handler is in use. As a workaround, users may use a custom error handler.
The CLI for Amazon AWS OpenSearch has weak permissions for the configuration file.
HashiCorp Consul Enterprise has an Incorrect Access Control vulnerability. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4 has Incorrect Access Control. An ACL token (with the default operator:write permissions) in one namespace can be used for unintended privilege escalation in a different namespace.
phpservermon is vulnerable to Improper Neutralization of CRLF Sequences
A denial of service exists in strapi v3.0.0-beta.18.3 and earlier that can be abused in the admin console using admin rights and can lead to arbitrary restart of the application.
snipe-it is vulnerable to Improper Access Control
comb is vulnerable to Prototype Pollution via the deepMerge() function.
sey is vulnerable to Prototype Pollution via the deepmerge() function.
merge-deep2 is vulnerable to Prototype Pollution via the mergeDeep() function.
Prototype pollution in Stampit supermixer allows an attacker to modify the prototype of a base object which can vary in severity depending on the implementation.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.ops4j.pax.logging:pax-logging-log4j2.
JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to …
This advisory has been marked as a false positive.
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
Next.js handling of invalid or malformed URLs could lead to a server crash. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js.
The package md-to-pdf is vulnerable to Remote Code Execution (RCE) due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine.
HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version …
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
pimcore is vulnerable to Cross-Site Request Forgery (CSRF)
An issue was discovered in xdLocalStorage. The buildMessage() function in xdLocalStorage.js specifies the wildcard (*) as the targetOrigin when calling the postMessage() function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages that the client sends.
Express OpenID Connect is Express.js middleware implementing sign-on for Express web apps using OpenID Connect. It does not regenerate the session ID and session cookie when a user logs in. This behavior opens up the application to various session fixation vulnerabilities.
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" …
This CVE has been marked as a False Positive and has been removed.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to sanitize header names before it …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in swagger-ui-dist.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in swagger-ui-react.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Swashbuckle.AspNetCore.SwaggerUI.
An issue was discovered in xdLocalStorage. The receiveMessage() function in xdLocalStorage.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
An issue was discovered in xdLocalStorage. The receiveMessage() function in xdLocalStoragePostMessageApi.js does not implement any validation of the origin of web messages. Remote attackers who can entice a user to load a malicious site can exploit this issue to impact the confidentiality and integrity of data in the local storage of the vulnerable site via malicious web messages.
Improper authentication on the REST API. Allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. Only affects non database authentication types, and new REST API endpoints.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally.
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent …
utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher …
Git-it through 4.4.0 allows OS command injection at the Branches Aren't Just For Birds challenge step. During the verification process, it attempts to run the reflog command followed by the current branch name (which is not sanitized for execution).
Laravel is a web application framework. Laravel contains a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an …
Bundler is a package for managing application dependencies in Ruby. In bundler, when working with untrusted and apparently harmless Gemfiles, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the Gemfile itself. However, if the Gemfile includes gem entries that use the git option with invalid, but seemingly harmless, values with a leading dash, this can be false. To …
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at /-/config and metrics instance configs defined for the scraping service are exposed at /agent/api/v1/configs/:key. Inline secrets will be exposed to anyone being able to …
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit …
Solidus is a free, open-source ecommerce platform built on Rails. If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file config/application.rb manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.
PrestaShop is an Open Source e-commerce web application. Versions of PrestaShop prior to 1.7.8.2 are vulnerable to blind SQL injection using search filters with orderBy and sortOrder parameters. The problem is fixed in version 1.7.8.2.
naholyr github-todos is vulnerable to command injection. The range argument for the _hook subcommand is concatenated without any validation, and is directly used by the exec function.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in AjaxNetProfessional.
Apereo CAS allows XSS via POST requests sent to the REST API endpoints.
The devise_masquerade gem allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an …
An issue was discovered in Couchbase Sync Gateway. The bucket credentials used to read and write data in Couchbase Server were insecurely being stored in the metadata within sync documents written to the bucket. Users with read access could use these credentials to obtain write access. (This issue does not affect clusters where Sync Gateway is authenticated with X.509 client certificates. This issue also does not affect clusters where shared …
snipe-it is vulnerable to Server-Side Request Forgery (SSRF)
Invenio-Drafts-Resources does not properly check permissions when a record is published. The vulnerability is exploitable in a default installation of InvenioRDM. An authenticated user is able via REST API calls to publish draft records of other users if they know the record identifier and the draft validates (e.g. all required fields filled out). An attacker is not able to modify the data in the record, and thus e.g. cannot change …
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of the code (responsible for the based namespace setup of containers). In all versions of runc, the encoder does not handle the possibility of an integer overflow in the length field for the …
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.
ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.
Python-cjson 1.0.5 does not properly handle a ['/'] argument to cjson.encode, which makes it easier for remote attackers to conduct certain cross-site scripting (XSS) attacks involving Firefox and the end tag of a SCRIPT element.
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to …
matyhtf framework v3.0.5 is affected by a path manipulation vulnerability in Smarty.class.php.
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
showdoc is vulnerable to URL Redirection to Untrusted Site
This affects the package plupload. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.
kimai2 is vulnerable to Improper Access Control
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Librenms is affected by a path manipulation vulnerability in includes/html/pages/device/showconfig.inc.php.
elgg is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile pictures. This allows low-privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture.
bookstack is vulnerable to Cross-Site Request Forgery (CSRF)
A flaw was discovered in Puppet Agent and Puppet Server that may result in a leak of HTTP credentials when following HTTP redirects to a different host. This is similar to CVE-2018-1000007.
A flaw was discovered in Puppet Agent where the agent may silently ignore Augeas settings or may be vulnerable to a Denial of Service condition prior to the first 'pluginsync'.
HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed.
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains %2F (encoded /), such as /files/..%2Fsecrets.txt, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles %2F properly. This vulnerability can be worked around by inserting a decorator that performs an …
In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.
showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
showdoc is vulnerable to URL Redirection to Untrusted Site
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @backstage/plugin-scaffolder-backend.
Librenms is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ezsystems/ezplatform-admin-ui.
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ezsystems/ezplatform-richtext.
Librenms is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.
Backstage is an open platform for building developer portals. This attack can potentially allow the attacker to exfiltrate access tokens or other secrets from the user's browser. The default CSP does prevent this attack, but it is expected that some deployments have these policies disabled due to incompatibilities. This vulnerability is patched in version 0.4.9 of @backstage/plugin-auth-backend.
@backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. This attack is mitigated by restricting access and requiring reviews when registering or modifying scaffolder templates.
bookstack is vulnerable to Improper Access Control
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
elgg is vulnerable to Authorization Bypass Through User-Controlled Key
Lucet uses a "pool" allocator for new WebAssembly instances that are created. This pool allocator manages everything from the linear memory of the wasm instance, the runtime stack for async switching, as well as the memory behind the Instance itself. Instances are referred to via an InstanceHandle type which will, on drop, release the memory backing the Instance back to the pool. When an Instance is dropped, the fields of …
S3Scanner before 2.0.2 allows Directory Traversal via a crafted bucket, as demonstrated by a <Key>../ substring in a ListBucketResult element.
Hexo is vulnerable to stored XSS. The post body and tags don’t sanitize malicious JavaScript during web page generation. A local unprivileged attacker can inject arbitrary code.
This affects all versions of package html-to-csv. When there is a formula embedded in an HTML page, it is accepted without any validation and is carried over when the page is converted into a CSV file. Through this, a malicious actor can embed or generate a malicious link or execute commands via CSV files.
The Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message.
https://github.com/python-ldap/python-ldap/issues/424 Impact: The LDAP schema parser of python-ldap is vulnerable to a regular expression denial-of-service attack. The issue affects clients that use the ldap.schema package to parse LDAP schema definitions from an untrusted source. Patches: The upcoming release of python-ldap will contain a workaround to prevent ReDoS attacks. The schema parser refuses schema definitions with an excessive amount of backslashes. Workarounds: As a workaround, users can check input for excessive amount …
Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 allows a remote attacker to inject an arbitrary script via unspecified vectors.
A prototype pollution vulnerability in the uploader module allowed a malicious user to inject arbitrary data (i.e. javascript) into the DOM, theoretically allowing for an account takeover when used in conjunction with a path traversal vulnerability disclosed at the same time as this report.
PhpWhois is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message contains the result of the $_GET['query'] leading to an XSS vulnerability.
Nodebb is an open source Node.js based forum software. A path traversal vulnerability was present that allowed users to access JSON files outside of the expected languages/ directory.
A malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situations also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the …
Incorrect logic present in the token verification step unintentionally allowed master token access to the API.
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version …
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. There are two vectors for XSS attacks, a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a script tag into the page and execute malicious code.
BaserCMS is an open source content management system with a focus on Japanese language support. Users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users.
Webcache Poisoning via X-Forwarded-Prefix and sub-request Patches.
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a …
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance by using a carefully crafted HTTP request on logout, given that those files are reachable to the user running the JSPWiki instance.
Improper access control in Management screen of EC-CUBE 2 series allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the trusted_headers allowed list are ignored and protect users from Cache poisoning attacks. In Symfony, maintainers added support for the X-Forwarded-Prefix headers, but this header was accessible in SubRequest, even if it was not part of the trusted_headers allowed list. An …
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and retrieve sensitive information about the victim.
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in csv_escape_formulas option in the CsvEncoder, to prefix all cells starting with =, +, - or @ with a tab \t. Since then, OWASP added 2 chars in that list, …
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in csv_escape_formulas option in the CsvEncoder, to prefix all cells starting with =, +, - or @ with a tab \t. Since then, OWASP added 2 chars in that list: …
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT …
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s …
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the …
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on MacOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT …
A Cross-site request forgery (CSRF) vulnerability in EC-CUBE 2 series allows a remote attacker to hijack the authentication of Administrators and delete Administrators via a specially crafted web page.
Concrete CMS (formerly concrete5) versions below 8.5.7 have an SSRF mitigation bypass using a DNS rebind attack, giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ ). The Concrete CMS team gave this a CVSS 3.1 score of …
Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing, causing the system to be vulnerable to: a. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network apps; and b. SSRF Mitigation Bypass through DNS Rebinding. Concrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. Concrete CMS is maintaining Concrete …
Synapse is a package for Matrix homeservers written in Python 3/Twisted. The last 2 directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact. Homeservers with the media repository disabled are unaffected. Homeservers with a federation allowlist are also unaffected, since Synapse will check the remote hostname, including the trailing ../s, against the allowlist. Server administrators using …
In Apache Ozone before 1.2.0, Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.
In Apache Ozone versions prior to 1.2.0, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
In Apache Ozone versions prior to 1.2.0, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
In Apache Ozone versions prior to 1.2.0, certain admin related SCM commands can be executed by any authenticated users, not just by admins.
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "Adrian Tiron from …
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be …
Django-wiki is vulnerable to Stored Cross-Site Scripting (XSS) in the Notifications Section. An attacker who has access to edit pages can inject JavaScript payload in the title field. When a victim gets a notification regarding the changes made in the application, the payload in the notification panel renders and loads external JavaScript.
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;[user-provided data], the path elements following hystrix/monitor are being evaluated as SpringEL expressions, which can lead to code execution.
In Apache Ozone versions prior to 1.2.0, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
Connections initialized by the AWS IoT Device SDK v2 for Java, Python, C++ and Node.js do not verify the server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for …
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is also not enabled when the CA has been “overridden”. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s …
Connections initialized by the AWS IoT Device SDK v2 for Java, Python, C++ and Node.js do not verify the server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on macOS. This issue has been addressed in aws-c-io submodule onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python …
This advisory has been marked as False Positive and moved to org.apache.hadoop:hadoop-ozone-ozone-manager.
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation. To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit message". Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Credit for discovery Adrian H
Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered. For version 8.5.6, the following mitigations were put in place: a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise …
A path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files.
The client in tusdotnet relies on SHA-1 to prevent spoofing of file content.
The package ssrf-agent is vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate if the IP requested is private.
Croatia Control Asterix has a heap-based buffer over-read, with additional details to be disclosed at a later date.
If the command parameter of the Docker.command method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system.
A URL parameter in the filetype site administrator tool requires extra sanitizing to prevent a reflected XSS risk.
This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed.
A flaw was found in Moodle to to to unsupported versions. A remote code execution risk when restoring backup files was identified.
Insufficient capability checks made it possible to fetch other users' calendar action events.
The delete related badge functionality does not include the necessary token check to prevent a CSRF risk.
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. The app-functions-sdk exports an “aes” transform that user scripts can optionally call to encrypt data in the processing pipeline. No decrypt function is provided. Encryption is not enabled by default, but if used, the level of protection may be less than the user may …
OnionShare allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality.
An information disclosure vulnerability in OnionShare allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature.
In Apache Ozone, Ozone Datanode does not check the access mode parameter of the block token. Authenticated users with valid READ block token can do any write operation on the same block.
In Apache Ozone, Authenticated users knowing the ID of an existing block can craft specific request allowing access those blocks, bypassing other security checks like ACL.
In Apache Ozone, Container related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client.
In Apache Ozone, certain admin related SCM commands can be executed by any authenticated users, not just by admins.
The package algoliasearch-helper is vulnerable to Prototype Pollution due to use of the merge function.
Impact: When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation. For more information: If you have any questions or comments about …
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In Apache Ozone, Initially generated block tokens are persisted to the metadata database and can be retrieved with authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
A Privilege Elevation vulnerability in OPC UA .NET Standard Stack 1.4.363.107 could allow a rogue application to establish a secure connection.
In Apache Ozone, Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user.
In Apache Ozone, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
In Apache Ozone, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
OroCRM is an open source Client Relationship Management (CRM) application. There are no workarounds that address this vulnerability and all users are advised to update their package.
kimai2 is vulnerable to Cross-Site Request Forgery (CSRF)
Impact: Versions of validator prior to 13.7.0 are affected by an inefficient Regular Expression complexity when using the rtrim and trim sanitizers. Patches: The problem has been patched in validator 13.7.0.
Go-Ethereum nodes crash (denial of service) after receiving a series of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and raise a SEGV signal.
Go-Ethereum nodes crash (denial of service) after receiving a series of messages and cannot be recovered.
A vulnerability has been detected in HyperLedger Fabric. If leveraged, any leader node will crash.
A vulnerability has been detected in HyperLedger Fabric. It can easily break down as many orderers as the attacker wants. This bug can be leveraged by constructing a message whose header is invalid to the interface Order. This bug has been admitted and fixed by the developers of Fabric.
This advisory has been marked as False Positive and moved to go/github.com/opencontainers/distribution-spec/specs-go
Cross-Site Request Forgery (CSRF) in spree_auth_devise.
Impact: In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index. Patches: The Image Specification will be updated to recommend that both manifest and index documents contain a mediaType field to identify the type of document.
Impact: The actual vulnerability has been discovered on solidus_auth_devise. See GHSA-xm34-v85h-9pg2 for details. The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update solidus_auth_devise. For this reason, it has been marked as low impact on this end. Patches: For extra security, update solidus_core to versions 3.1.3, 3.0.3 or 2.11.12. Workarounds: Look at the workarounds described at …
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header.
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If …
CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at The problem has been recognized and patched.
CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix …
CKEditor4 is an open source WYSIWYG HTML editor. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code.
Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs.
The Ignition component for Laravel has a fix variable names feature that can lead to incorrect access control.
spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. Configured to use :null_session or :reset_session strategies (:null_session is the default in case no strategy is given, but the rails --new generated skeleton uses :exception).
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate …
solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. Configured to use :null_session or :reset_session strategies (:null_session is the default in case no strategy is given, but the rails --new generated skeleton uses :exception).
In ArangoDB, suffers from an Insufficient Session Expiration vulnerability. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.
Doctrine DBAL 3.x before 3.1.4 allows SQL Injection. The offset and length inputs used to generate a LIMIT clause were not properly cast to an integer, allowing SQL injection to take place if application developers passed unescaped user input to the DBAL QueryBuilder or any other API that ultimately uses the AbstractPlatform::modifyLimitQuery API.
Kirby is an open source file structured CMS. Kirby's writer field stores its formatted content as HTML code. Unlike with other field types, it is not possible to escape HTML special characters against cross-site scripting (XSS) attacks, otherwise the formatting would be lost. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the …
Kirby is an open source file structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters to protect against cross-site scripting (XSS) attacks. The default snippet for the image block unfortunately did not use our escaping helper. This made it …
Methods of NSString for conversion to a string may return a partial result. Since they call CStr::from_ptr on a pointer to the string buffer, the string is terminated at the first null byte, which might not be the end of the string. In addition to the vulnerable functions listed for this issue, the implementations of Display, PartialEq, PartialOrd, and ToString for NSString are also affected, since they call those functions. …
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication.
PiranhaCMS is vulnerable to cross-site request forgery (CSRF) when performing various actions supported by the management system, such as deleting a user, deleting a role, editing a post, deleting a media folder etc., when an ID is known.
bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type
Minio console is a graphical user interface for the MinIO operator. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so no service account token will get mounted inside the pod, then disable the external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token.
The llhttp parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS).
In versions of the @theia/plugin-ext component of Eclipse Theia, Webview contents can be hijacked via postMessage().
An XSS issue was discovered in the google_for_jobs (aka Google for Jobs) extension before 1.5.1 and 2.x before 2.1.1 for TYPO3. The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to are susceptible to this vulnerability.
rails_multisite provides multi-db support for Rails applications. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application. The issue has been patched in v4 of the rails_multisite gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.
An issue was discovered in the jobfair (aka Job Fair) extension before 1.0.13 and 2.x before 2.0.2 for TYPO3. The extension fails to protect or obfuscate filenames of uploaded files. This allows unauthenticated users to download files with sensitive data by simply guessing the filename of uploaded files (e.g., uploads/tx_jobfair/cv.pdf).
When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, total supply is not updated until after the callback, thus during the callback the reported total supply is lower than the real number of tokens in circulation. Impact: If a system relies on accurately reported supply, an attacker may be able to mint tokens and …
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Laravel Framework does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. Note, this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
This CVE has been marked as a False Positive as it only concerns the npm cli tool.
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)
twill is vulnerable to Cross-Site Request Forgery (CSRF)
showdoc is vulnerable to Cross-Site Request Forgery (CSRF)
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
Apache Superset allows for database connections to leak passwords for authenticated users. This information could be accessed in a non-trivial way.
Jenkins Performance Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
Jenkins pom2config Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins OWASP Dependency-Check Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
kustomize-controller is a Kubernetes operator, specialized in running continuous delivery pipelines for infrastructure and workloads defined with Kubernetes manifests and assembled with Kustomize. Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects, could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes …
Jenkins Scriptler Plugin does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
Jenkins Active Choices Plugin does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
OpenZeppelin Contracts is a library for smart contract development. OpenZeppelin Contracts is vulnerable to an attack affecting uninitialized implementation contracts.
OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
OctoRPKI does not limit the length of a connection, allowing for a slowloris DoS attack to take place which makes OctoRPKI wait forever. Specifically, the repository that OctoRPKI sends HTTP requests to will keep the connection open for a day before a response is returned, but does keep drip feeding new bytes to keep the connection alive.
OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.
If the ROA that a repository returns contains too many bits for the IP address then OctoRPKI will crash.
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge …
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.
OctoRPKI does not escape a URI with a filename containing "..". This allows a repository to create a file (e.g. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine OctoRPKI is running on.
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL \0 character).
The async implementation of CollectiveReduceV2 suffers from a memory leak and a use after free: import tensorflow as tf tf.raw_ops.CollectiveReduceV2( input=[], group_size=[-10, -10, -10], group_key=[-10, -10], instance_key=[-10], ordering_token=[], merge_op='Mul', final_op='Div') This occurs due to the asynchronous computation and the fact that objects that have been std::move()d from are still accessed: auto done_with_cleanup = [col_params, done = std::move(done)]() { done(); col_params->Unref(); }; OP_REQUIRES_OK_ASYNC(c, FillCollectiveParams(col_params, REDUCTION_COLLECTIVE, /*group_size*/ c->input(1), /*group_key*/ c->input(2), /*instance_key*/ c->input(3)), …
During execution, EinsumHelper::ParseEquation() is supposed to set the flags in input_has_ellipsis vector and *output_has_ellipsis boolean to indicate whether there is ellipsis in the corresponding inputs and output. However, the code only changes these flags to true and never assigns false. for (int i = 0; i < num_inputs; ++i) { input_label_counts->at(i).resize(num_labels); for (const int label : input_labels->at(i)) { if (label != kEllipsisLabel) input_label_counts->at(i)[label] += 1; else input_has_ellipsis->at(i) = true; } …
The code for sparse matrix multiplication is vulnerable to undefined behavior via binding a reference to nullptr: import tensorflow as tf tf.raw_ops.SparseMatMul( a=[[1.0,1.0,1.0]], b=[[],[],[]], transpose_a=False, transpose_b=False, a_is_sparse=False, b_is_sparse=True) This occurs whenever the dimensions of a or b are 0 or less. In the case where one of these is 0, an empty output tensor should be allocated (to conserve the invariant that output tensors are always allocated when the operation …
During TensorFlow's Grappler optimizer phase, constant folding might attempt to deep copy a resource tensor. This results in a segfault, as these tensors are supposed to not change.
The implementation of SplitV can trigger a segfault if an attacker supplies negative arguments: import tensorflow as tf tf.raw_ops.SplitV( value=tf.constant([]), size_splits=[-1, -2], axis=0, num_split=2) This occurs whenever size_splits contains more than one value and at least one value is negative.
The shape inference code for tf.ragged.cross has an undefined behavior due to binding a reference to nullptr. In the following scenario, this results in a crash: import tensorflow as tf @tf.function def test(): y = tf.ragged.cross([tf.ragged.constant([['1']]),'2']) return y test()
If tf.tile is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. import tensorflow as tf import numpy as np tf.keras.backend.tile(x=np.ones((1,1,1)), n=[100000000,100000000, 100000000]) The number of elements in the output tensor is too much for the int64_t type and the overflow is detected via a CHECK statement. This aborts the process.
While calculating the size of the output within the tf.range kernel, there is a conditional statement of type int64 = condition ? int64 : double. Due to C++ implicit conversion rules, both branches of the condition will be cast to double and the result would be truncated before the assignment. This results in overflows: import tensorflow as tf tf.sparse.eye(num_rows=9223372036854775807, num_columns=None) Similarly, tf.range would result in crashes due to overflows if …
If tf.image.resize is called with a large input argument then the TensorFlow process will crash due to a CHECK-failure caused by an overflow. import tensorflow as tf import numpy as np tf.keras.layers.UpSampling2D( size=1610637938, data_format='channels_first', interpolation='bilinear')(np.ones((5,1,1,1))) The number of elements in the output tensor is too much for the int64_t type and the overflow is detected via a CHECK statement. This aborts the process.
The process of building the control flow graph for a TensorFlow model is vulnerable to a null pointer exception when nodes that should be paired are not: import tensorflow as tf @tf.function def func(): return tf.raw_ops.Exit(data=[False,False]) func() This occurs because the code assumes that the first node in the pairing (e.g., an Enter node) always exists when encountering the second node (e.g., an Exit node): … } else if (IsExit(curr_node)) …
The shape inference code for DeserializeSparse can trigger a null pointer dereference: import tensorflow as tf dataset = tf.data.Dataset.range(3) @tf.function def test(): y = tf.raw_ops.DeserializeSparse( serialized_sparse=tf.data.experimental.to_variant(dataset), dtype=tf.int32) test() This is because the shape inference function assumes that the serialize_sparse tensor is a tensor with positive rank (and having 3 as the last dimension). However, in the example above, the argument is a scalar (i.e., rank 0).
An attacker can trigger undefined behavior, integer overflows, segfaults and CHECK-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints loading infrastructure is missing validation for invalid file formats.
The shape inference code for AllToAll can be made to execute a division by 0: import tensorflow as tf @tf.function def func(): return tf.raw_ops.AllToAll( input=[0.0, 0.1652, 0.6543], group_assignment=[1, -1], concat_dimension=0, split_dimension=0, split_count=0) func() This occurs whenever the split_count argument is 0: TF_RETURN_IF_ERROR(c->GetAttr("split_count", &split_count)); … for (int32_t i = 0; i < rank; ++i) { … dims[i] = c->MakeDim(c->Value(dims[i]) / split_count); … }
In the @theia/plugin-ext component of Eclipse Theia, Webview contents can be hijacked via postMessage().
Impact: A bug introduced made Tokenize generate faulty tokens with NaN as a generation date. As a result, tokens would not properly expire and remain valid regardless of the lastTokenReset field. Patches: contains a patch that'll invalidate these faulty tokens and make new ones behave as expected. Workarounds: None. Tokens do not hold the necessary information to perform invalidation anymore. References: PR #1. For more information: If you have any …
An attacker could prematurely expire a verification code, making it unusable by the patient, making the patient unable to upload their TEKs to generate exposure notifications. We recommend upgrading the Exposure Notification server to V1.1.2 or greater.
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.
Pomerium is an open source identity-aware access proxy. In affected versions changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. For users unable to upgrade clear data on databroker service by clearing redis …
Several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or CHECK-fail related crashes but in some scenarios writes and reads from heap populated arrays are also possible. We have discovered these issues internally via tooling while working on improving/testing GPU op determinism. As such, we don't have reproducers and there …
The code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing nullptrs or via CHECK-failures) as well as abuse undefined behavior (binding references to nullptrs). An attacker can also read and write from heap buffers, depending on the API that gets used and the arguments that are passed to the call. Note: Given that the boosted trees implementation in …
If tf.summary.create_file_writer is called with non-scalar arguments, the code crashes due to a CHECK-fail. import tensorflow as tf import numpy as np tf.summary.create_file_writer(logdir='', flush_millis=np.ones((1,2)))
The verify function in the Stark Bank Python ECDSA library (starkbank-ecdsa) 2.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
The verify function in the Stark Bank Java ECDSA library (ecdsa-java) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
Dolibarr ERP and CRM allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY element to the user-management feature.
Publify is vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.
Publify is vulnerable to stored XSS as a result of an unrestricted file upload. This issue allows a user with the “publisher” role to inject malicious JavaScript via an uploaded HTML file.
Grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
OctoRPKI does not escape a URI with a filename containing "..". This allows a repository to create a file (e.g. rsync://example.org/repo/../../etc/cron.daily/evil.roa) that is then written to disk outside the base cache folder. This could allow remote code execution on the host machine OctoRPKI is running on.
OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).
The vulnerability is that we used the MD5 hashing algorithm in our hashing file. Anyone who is a beginner (and doesn't know about hashes) can face problems, as MD5 is considered an insecure hashing algorithm.
The website builder module in Dolibarr allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shell_exec are blocked but backticks are not blocked.
The shape inference functions for the QuantizeAndDequantizeV* operations can trigger a read outside the bounds of a heap-allocated array.
The shape inference functions for SparseCountSparseOutput can trigger a read outside the bounds of a heap-allocated array:

    import tensorflow as tf

    @tf.function
    def func():
      # indices is rank 1 here; the op expects rank 2.
      return tf.raw_ops.SparseCountSparseOutput(
        indices=[1],
        values=[[1]],
        dense_shape=[10],
        weights=[],
        binary_output=True)

    func()

The function fails to check that the first input (i.e., indices) has rank 2:

    auto rank = c->Dim(c->input(0), 1);
The shape inference code for tf.ragged.cross can trigger a read outside the bounds of a heap-allocated array.