Path Traversal
util/binfmt_misc/check.go in Builder of Docker Engine calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
util/binfmt_misc/check.go in Builder of Docker Engine calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
Plone allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role).
Plone allows XXE attacks via a feature that is explicitly only available to the Manager role.
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
A stored XSS vulnerability exists in Umbraco CMS. An authenticated user authorized to upload media can upload a malicious .svg file which act as a stored XSS payload.
A stored XSS vulnerability exists in Umbraco CMS. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.
An authenticated path traversal vulnerability exists during package installation in Umbraco CMS, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package.
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine.
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server, user passwords involved in LDAP authentication are stored in cleartext. This is fixed by stripping the password after authentication to prevent cleartext password storage.
Prototype pollution vulnerability in 'deep-set' allows attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'predefine' allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'flattenizer' allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'set-object-value' allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in shvl allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'getobject' allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in libnested allows an attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in dset allows attacker to cause a denial of service and may lead to remote code execution.
Apache Accumulo does not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the canFlush and canPerformSystemActions security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide …
This advisory has been marked as a False Positive and has been removed.
This advisory has been marked as a False Positive and has been removed.
server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server), in some configurations, allows XSS via the /histograms endpoint.
OpenCart This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.
OpenCart An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger.
date-and-time is an npm package for manipulating date and time. In date-and-time, there a regular expression involved in parsing which can be exploited to cause a denial of service. This is fixed
Dex is a federated OpenID Connect provider written in Go. In Dex there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed by using the xml-roundtrip-validator from Mattermost (see related references).
dhowden tag allows panic: runtime error: slice bounds out of range via readTextWithDescrFrame.
dhowden tag allows panic: runtime error: index out of range via readAPICFrame.
dhowden tag allows panic: runtime error: index out of range via readPICFrame.
dhowden tag allows panic: runtime error: slice bounds out of range via readAtomData.
Autobahn|Python allows redirect header injection.
The WooCommerce plugin for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl)
BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests. A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been patched
Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger.
Dolibarr is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.
It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.
It is possible to pollute an object's prototype by specifying the proto object as part of an array.
The Jupyter Server provides the backend (i.If upgrade is not available, a workaround can be to run your server on a url prefix: "jupyter server –ServerApp.base_url=/jupyter/".
A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Impact Information exposure via query strings in URL Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank Oliver Herrmann for reporting this issue.
Impact Information exposure via query strings in URL Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank Oliver Herrmann for reporting this issue.
tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext does not start with All TLS servers that enable RSA key exchange as well as …
Incorrect Session Validation in Apache Airflow Webserver with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for [webserver] secret_key config.
Impact Authenticated Server Side Request Forgery Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank REQON B.V. for reporting this issue.
Impact Authenticated Server Side Request Forgery Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank REQON B.V. for reporting this issue.
Impact Authenticated Privilege Escalation Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020
Impact Authenticated Privilege Escalation Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.
The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
In DolphinScheduler, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.
A nil pointer dereference in the golang.org/x/crypto/ssh component enables remote attackers to cause a DoS against SSH servers.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
jsonpickle allows remote code execution during deserialization of a malicious payload through the decode() function.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
XStream is a Java library to serialize objects to XML and back again. Users of XStream or below who still want to use XStream default block list can use a workaround described in more detailed in the referenced advisories.
systeminformation suffers from a command injection vulnerability.
XStream is a Java library to serialize objects to XML and back again. XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's Security …
datatables.net is vulnerable to Prototype Pollution due to an incomplete fix
A remote code execution vulnerability occurs in OpenTSDB via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient).
A command injection vulnerability affects connection-tester. The injection point is located on line of index.js.
ecstatic have a denial of service vulnerability. Successful exploitation could lead to crash of an application.
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
js-data is vulnerable to Prototype Pollution via the deepFillIn function.
jsonparser allows attackers to cause a denial of service (runtime panic error slice bounds out of range) via a GET call.
GJSON allows attackers to cause a denial of service via crafted JSON.
A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.
A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.
A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.
A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.
A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.
Due to use of a dangling pointer, libcurl can use the wrong connection when sending data.
In Apache Airflow, the Charts and Query View of the old (Flask-admin based) UI are vulnerable for SSRF attack.
common/InputStreamHelper.java in Packwood MPXJ allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.
curl is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
** DISPUTED ** GNOME GLib has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented.
curl is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
In Airflow, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. This also occurrs when creating a Connection with a password field.
Ignite Realtime Openfire suffers from a stored Cross-site Scripting vulnerability in plugins/dbaccess/db-access.jsp.
Ignite Realtime Openfire suffers from a Stored Cross-site Scripting vulnerability in create-bookmark.jsp.
Ignite Realtime Openfire suffers from a reflective Cross-site Scripting vulnerability in plugins/clientcontrol/spark-form.jsp.
A stored Cross-site Scripting vulnerability exists in Ignite Realtime Openfire's create-bookmark.jsp groupchatJID.
Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit.
Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit.
A Denial of Service affects the package i18n due to insufficient handling of erroneous language tags.
The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.
Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit.
The deepFillIn function can be used to fill missing properties recursively, while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.
If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
There's a Out-of-bounds write flaw in jasper's jpc encoder. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.
node-notifier allows an attacker to run arbitrary commands on Linux machines due to the options parameters not being sanitised when being passed an array.
The lib/utils.js in mquery allows a pollution attack because a special property (e.g., proto) can be copied during a merge or clone operation.
Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain.
Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth from and a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain.
Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth from and a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain.
The origin parameter passed to some of the endpoints like /trigger is vulnerable to Cross-site Scripting. This issue is the same as CVE-2020-13944, but the implemented fix in Airflow did not fix the issue completely.
Ignite Realtime Openfire suffers from a Stored Cross-Site Scripting vulnerability in plugins/bookmarks/create-bookmark.jsp.
Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS allows attacker to add cart items via Add to cart.
A command injection vulnerability exists located in line of index.js. This is due to a dependency on the vulnerable corenlp-js-interface package.
All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is …
In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is …
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen.
In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen.
In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by …
In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node . This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is …
In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by …
In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node . This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values and comparing these for equality. However, there is …
Chakra Scripting Engine suffers from a memory corruption vulnerability.
In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is …
In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is …
In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes.
In TensorFlow, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out-of-bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths.
In TensorFlow, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out-of-bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths.
In TensorFlow, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out-of-bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel implementation of GetMatchingPaths.
In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes.
In affected versions of TensorFlow the tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. This can result in uninitialized memory accesses, read outside of bounds and even crashes.
A temp directory creation vulnerability exist in Guava allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir().The permissions granted to the directory created default to the standard unix-like/tmp` ones, leaving the files open.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav/grav.
In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.
In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer. This is fixed in versions 1.15.5, 2.0.4, 2.1.3, 2.2.2, 2.3.2, and 2.4.0.
In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.
A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
Synapse is a reference homeserver implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.
A head-based buffer overflow exists in OpenEXR in writeTileData in ImfTiledOutputFile.cpp can cause a denial of service via a crafted EXR file.
A heap-based buffer overflow vulnerability exists in OpenEXR in chunkOffsetReconstruction of ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.
In JerryScript, there is an out-of-bounds read in main_print_unhandled_exception in the main-utils.c file.
A Null Pointer Deference issue exists in OpenEXR in generatePreview of makePreview.cpp that can cause a denial of service via a crafted EXR file.
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, …
It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and …
jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users.
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.
This affects the package phpoffice/phpspreadsheet from The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML.
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors …
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors …
Prototype pollution vulnerability allows attacker to cause a denial of service and may lead to remote code execution.
Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node.If you do use this option it is recommended that you upgrade to the latest version v4.3.6 This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.
Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Opencast If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.
A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.
Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. There are no workarounds, bot owners must upgrade their relevant packages (Dashboard module and Dashboard webserver) in order to patch this issue.
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.
A Java Serialization vulnerability in Apache Tapestry Apache makes it possible to deserialize the sp parameter even before invoking the page validate method, leading to deserialization without authentication.
An XSS vulnerability was found in Moodle
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk.
omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple or later.
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details.
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files.
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl.
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.
Groovy extension methods were using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts.
In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar.
Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking) oswasp: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very …
Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking) oswasp: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in html-purify.
Cross Site Scripting (XSS) vulnerability in Arachnys Cabot can be exploited via the Address column.
An attacker can use a Blind SQL injection to retrieve data or stop the MySQL service.
An issue was discovered in Play Framework Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play that used the Play Java API to serialize classes with protected or private fields to JSON.
An issue was discovered in Play Framework Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play that used the Play Java API to serialize classes with protected or private fields to JSON.
CImg suffers from integer overflows leading to heap buffer overflows in load_pnm() that can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity.
While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
Jenkins CVS Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Improper restriction of rendered UI layers or frames in EC-CUBE versions from to leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be conducted.
Pimcore is an open source digital experience platform. In Pimcore it is possible to modify & create website settings without having the appropriate permissions.
HashiCorp go-slug did not fully protect against Zip Slip attacks while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks.
Improper input validation vulnerability in EC-CUBE allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
A XSS vulnerability was discovered in the python lxml clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.
A cross-site request forgery (CSRF) vulnerability in Jenkins Shelve Project Plugin allows attackers to shelve, unshelve, or delete a project.
Any install that has UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES set in the front-end, is being impacted. The value of these properties is ignored if set, allowing any user to modify table and column descriptions, even though the properties imply they shouldn't be.
A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.
Editors/LogViewerController.cs in Umbraco allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
Python oic is a Python OpenID Connect implementation. In Python oic, there are several related cryptographic issues affecting client implementations that use the library.
Apache HttpClient versions can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Apache HttpClient versions can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit …
Prototype pollution vulnerability in 'keyget' allows attacker to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in 'set-in' allows attacker to cause a denial of service and may lead to remote code execution.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
The containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be …
In oauthenticator, the deprecated (in jupyterhub ) configuration Authenticator.whitelist, which should be transparently mapped to Authenticator.allowed_users with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set.
We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally.
ThinkAdmin version has a stored XSS vulnerability which allows remote attackers to inject an arbitrary web script or HTML.
In Eclipse Jetty RC0 to v20201102 alpha0 to beta2 alpha0 to beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will …
If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of …
In Eclipse Jetty if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into …
This advisory has been marked as a false positive.
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
npm package systeminformation is vulnerable to Prototype Pollution leading to Command Injection.If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().
Endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.
Endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.
Endpoints protected by randomTokenCsrfProtection could be bypassed with an empty X-XSRF-TOKEN header and an empty XSRF-TOKEN cookie.
petl, in some configurations, allows resolution of entities in an XML document.
Zetetic SQLCipher has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.
This affects the package systeminformation The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands.
All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails
Cron-utils is a Java library to parse, validate, migrate crons as well as get human readable descriptions for them. In cron-utils, a template Injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January ). This happened on the ETC chain on . This issue is relevant only for miners, non-mining nodes are unaffected.
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch.
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00..0x04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..0x04 with R as an argument, …
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch. This happened on the ETC chain on . This issue is relevant only for miners, non-mining nodes are unaffected.
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00..0x04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..0x04 with R as an argument, …
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00..0x04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..0x04 with R as an argument, …
Nanopb is a small code-size Protocol Buffers implementation. The following workarounds are available: 1) Set the option no_unions for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to FT_POINTER. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena …
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth, there is a Denial-of-service (crash) during block processing. This is fixed
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth, there is a Denial-of-service (crash) during block processing. This is fixed
Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth, there is a Denial-of-service (crash) during block processing. This is fixed
Jupyter Server has an Open redirect vulnerability. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed server on the public internet.
highlight.js is vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide you may be vulnerable. The pollution should just be harmless data but …
Gitea does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. In Apache Unomi scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the release to fix this problem.
Matrix Synapse requiring the event to be manually redacted instead. Since events are replicated to servers of other room members, the impact is not constrained to the server of the event sender.
An information-disclosure flaw was found in the way Heketi logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.
OpenCRX suffers from an unverified password change vulnerability.
Impact A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. Patches fixes this issue. Workarounds There is no workaround. Upgrade to immediately. References Security Considerations: Differing User Profile URLs in the IndieAuth specification. For …
Impact When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents. Patches Patched Workarounds This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is available on the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can workaround this issue. For more …
RegEx in private-ip insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig …
An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem …
prive/formulaires/configurer_preferences.php in SPIP does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.
HashiCorp Consul and Consul Enterprise allowed operators with operator:read ACL permissions to read the Connect CA private key configuration
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access.
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, an attacker can read local files on an October CMS server via a specially crafted request.
TYPO3 is an open source PHP based web content management system. In TYPO3 from, and, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2, the processing of XML external entities is disabled per default - and cannot be exploited. …
TYPO3 is an open source PHP based web content management system. In TYPO3 from, and, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2, the processing of XML external entities is disabled per default - and cannot be exploited. …
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been …
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute …
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path …
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. …
TYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers.
TYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting passing user-controlled data as argument to Fluid view helpers. Update to TYPO3 that fix the problem described.
TYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 that fix the problem described.
TYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.
This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.
The svm_predict_values in svm.cpp in Libsvm, as used in scikit-learn and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model SVM (introduced via pickle, json, or any other model permanence standard) with a large value in the _n_support array. Note, the scikit-learn vendor's position is that the behavior can only occur if the library's API is violated by an application that changes a …
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations
c-ares' ares_parse_{a,aaaa}_reply() suffers from a Denial Of Service due to insufficient naddrttls validation.
In moodle, some database module web services allowed students to add entries within groups they did not belong to.
archive_tar has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Archive_Tar has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
archive_tar has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
archive_tar has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden.
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method.
In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.
Privilege escalation via arbitrary file write in pritunl electron client through v1.2.2550.20. Successful exploitation of the issue may allow an attacker to execute code on the effected system with root privileges.
Users' enrollment capabilities were not being sufficiently checked in Moodle when they are restored into an existing course.
Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: to This is fixed in moodle
Open redirect vulnerability in werkzeug via a double slash in the URL.
Jupyter Notebook has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched
In the npm package semantic-release, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed
When importing repos via URL, one-time-use git credentials were persisted beyond the expected time window in Gitaly
Cross domain policies in Taskcafe Project Management tool allows remote attackers to access sensitive data such as access token.
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
This affects the package y18n
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
TYPO3 Fluid is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid - TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. Subclasses of AbstractConditionViewHelper would receive the then …
This affects the package @firebase/util This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
XStream is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed
In PrestaShop Product Comments before version 4.2.0, an attacker could inject malicious web code into the users' web browsers by creating a malicious link. The problem was introduced in version 4.0.0 and is fixed in 4.2.0
This affects the package markdown-it-highlightjs It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature.
This affects the package doc-path
A prototype pollution vulnerability in controlled-merge may allow an attacker to cause a denial of service, or possibly lead to remote code execution.
A vulnerability in RPKI manifest validation exists when objects on the manifest are hidden, or expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received or selectively hide ROAs, causing routes to become INVALID. To exploit this vulnerability, an attacker would need to perform a man in the middle attack on the TLS connection between the validator and an RRDP repository or perform …
In fastadmin-tp6 v1.0, in the file app/admin/controller/Ajax.php the 'table' parameter passed is not filtered so a malicious parameter can be passed for SQL injection.
Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from beta1, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the following source branch name: /$({curl,127.0.0.1}), Dependabot will make a HTTP request to the following …
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched depending on your used Spree version. Users of Spree are not affected.
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched depending on your used Spree version. Users of Spree are not affected.
Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from beta1, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code.
Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from beta1, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.
In Eclipse Hono the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP protocol explicitly disallows a peer to send such messages, a hand crafted AMQP client could exploit this behavior in order to send a message of unlimited size …
It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.
Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending emails.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in json-logic-js.
The apply function adds in the target object the property specified in the path, however it does not properly check the key being set, leading to a prototype pollution.
A prototype pollution vulnerability in object-hierarchy-access allows attacker to cause a denial of service and may lead to remote code execution.
A prototype pollution vulnerability in field allows attackers to cause a denial of service and may lead to remote code execution.
Prototype pollution vulnerability in deephas may allow an attacker to cause a denial of service, or possibly lead to remote code execution.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.
A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEdit allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.
The express-validators package is vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid urls.
Chakra Scripting Engine Memory Corruption Vulnerability This CVE ID is unique from CVE-2020-17048.
Chakra Scripting Engine Memory Corruption Vulnerability. This CVE ID is unique from CVE-2020-17054.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pocketmine/pocketmine-mp.
MoinMoin is a wiki engine. In MoinMoin, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrade to a patched version. MoinMoin Wiki has the necessary fixes and also contains other important fixes.
The cache action in action/cache.py in MoinMo allows directory traversal through a crafted HTTP request. An attacker who can upload attachments to the wiki can use this to achieve remote code execution.
This affects all versions of package json-ptr. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/_src_pointer_.jsonpointer.html#set when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the key being set, leading to a prototype pollution.
A prototype pollution vulnerability in @strikeentco/set may allow an attacker to cause a denial of service, or possibly lead to remote code execution.
Magento This vulnerability could be abused by authenticated users with administrative permissions to the System/Data and Transfer/Import components.
Magento This vulnerability could be exploited by an authenticated user with permissions to the product listing page to read data from the database.
A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the file path. Only few specific folder hierarchies can be exposed by this flaw
When in maintenance mode, Magento This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.
Magento A user can still access resources provisioned under their old role after an administrator removes the role or disables the user's account.
** DISPUTED ** An inaccurate frame deduplication process in ChirpStack Network Server allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: The vendor's position is that there are no "guarantees that allowing untrusted LoRa gateways to the network should still result in a secure network."
Prototype pollution vulnerability in json8-merge-patch npm package may allow attackers to inject or modify methods and properties of the global object constructor.
Magento This vulnerability could be abused by users with permissions to the Pages resource to delete cms pages via the REST API without authorization.
Magento This vulnerability could be abused by authenticated users to modify inventory stock data without authorization.
Magento This vulnerability could be abused by authenticated users with Inventory and Source permissions to make unauthorized changes to inventory source data via the REST API.
Magento This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.
The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise, and Jet Enterprise, does not verify properly the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.
A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust, if the installation violates the usage expectations by exposing this UI to outside users.
This affects the package find-my-way, from It accepts the Accept-Version header by default, and if versioned routes are not being used, this could lead to a denial of service. Accept-Version can be used as an unkeyed header in a cache poisoning attack.
In Play Framework, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents.
In Play Framework, data amplification can occur when an application accepts multipart/form-data JSON input.
In Play Framework, data amplification can occur when an application accepts multipart/form-data JSON input.
In Play Framework, stack consumption can occur because of unbounded recursion during parsing of crafted JSON documents.
Axios NPM package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.
The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.
An issue was discovered in SaltStack Salt Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
The TLS module within SaltStack Salt creates certificates with weak file permissions.
In SaltStack Salt, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.
Synopsys hub-rest-api-python (aka blackduck on PyPI) - does not validate SSL certificates in certain cases.
In Alerta, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented that returns HTTP Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators …
Jopl for Desktop allows XSS via a LINK element in a note.
This affects the package @absolunet/kafe It allows cause a denial of service when validating crafted invalid emails.
Apache Shiro, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Apache Shiro, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
This affects the package jsreport-chrome-pdf
This affects the package phantom-html-to-pdf
A missing permission check in Jenkins Mercurial Plugin allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.
A missing/An incorrect permission check in Jenkins Kubernetes Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
Missing permission checks in Jenkins Ansible Plugin allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
A missing permission check in Jenkins Kubernetes Plugin allows attackers with Overall/Read permission to list global pod template names.
Jenkins Kubernetes Plugin allows low-privilege users to access possibly sensitive Jenkins controller environment variables.
Jenkins Subversion Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
Jenkins Mercurial Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and …
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit …
phpMyAdmin may allow CSV injection via Export Section. NOTE: the vendor disputes this because "the CSV file is accurately generated based on the database contents".
HashiCorp Consul Enterprise up to includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes.
DatabaseSchemaViewer is vulnerable to arbitrary code execution if a user is tricked into opening a specially crafted .dbschema file. As a workaround, ensure .dbschema files from untrusted sources are not opened.
Jenkins FindBugs Plugin does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.
An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest of the network. Later versions, in particular go-ipfs, mitigate this.
This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.
This affects all versions of package browserless-chrome. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.
ServiceStack mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.
baserCMS Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component was found to be vulnerable.
There is a ReDOS vulnerability in codemirror which is mainly due to the sub-pattern (s|/.?/)
The package pimcore/pimcore is vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request; http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds =[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6, name,8,password,'',11,12,'',14+from+users)+–+"}].
In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.
baserCMS is vulnerable to Cross-Site Scripting. The issue affects the following components; Edit feed settings, Edit widget area, Sub site new registration, and New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, sub-site setting list, widget area edit, and feed list on the management screen.
baserCMS is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a specially crafted nickname in the blog comments. The issue affects the blog comment component.
An issue was discovered in FastReport. It lacks a ScriptSecurity feature and therefore may mishandle (for example) GetType, typeof, TypeOf, DllImport, LoadLibrary, and GetProcAddress.
In Strapi, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
Strapi has stored XSS in the wysiwyg editor's preview feature.
The options parameter in chart.js is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to prototype pollution.
Red Discord Bot has an unauthorized privilege escalation vulnerability in the Mod module. This vulnerability allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this vulnerability, it is possible to perform destructive actions within the guild the user has high privileges in.
An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy headers are disabled.
In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode." Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as …
Impact Due to a sudden upstream breaking change by Bitly, versions of bitlyshortener can generate an invalid short URL when a vanity domain exists. Patches Upgrading bitlyshortener to or newer will prevent the generation of any such invalid short URLs. References Release notes
The dat.gui package is vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.
Regular Expression Denial of Service (ReDoS) via trim().
This affects the package npm-user-validate The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Impact An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation. Patches has the fix. Workarounds The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
In lookatme, the package automatically loaded the built-in terminal and file_loader extensions. As a workaround, the lookatme/contrib/terminal.py and lookatme/contrib/file_loader.py files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.
The pathval package suffers from a Javascript Prototype Pollution vulnerability.
The systeminformation package is vulnerable to Command Injection. An attacker can concatenate the curl command's parameters to overwrite Javascript files and then execute any OS commands.
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel - An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.
In Eclipse Jetty on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including …
In Eclipse Jetty on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including …
In Eclipse Jetty on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including …
In Eclipse Jetty on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including …
In Eclipse Jetty on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including …
The Parse Server npm package broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. However, it is not possible to create subscription objects with invalid session tokens.
In Strapi, there is no admin::hasPermissions restriction for CTB (aka content-type-builder) routes.
admin/src/containers/InputModalStepperProvider/index.js in Strapi has unwanted /proxy?url= functionality.
Strapi has stored XSS in the wysiwyg editor's preview feature.
In Tensorflow, an attacker can pass an invalid axis value to tf.quantization.quantize_and_dequantize. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, DCHECK-like macros are no-ops, this results in segfault and access out-of-bounds of the array.
In Tensorflow, an attacker can pass an invalid axis value to tf.quantization.quantize_and_dequantize. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, DCHECK-like macros are no-ops, this results in segfault and access out-of-bounds of the array.
In Tensorflow, an attacker can pass an invalid axis value to tf.quantization.quantize_and_dequantize.This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However,dim_sizeonly does aDCHECKto validate the argument and then uses it to access the corresponding element of an array. Since in normal builds,DCHECK`-like macros are no-ops, this results in segfault and access out-of-bounds of the array.
omniauth-auth0 improperly validates the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. Impact is limited to the cases where you are using omniauth-auth0 and using the JWTValidator.verify method directly, or you are not authenticating using the SDK’s default Authorization Code Flow.
In Tensorflow, when the boxes argument of tf.image.crop_and_resize has a very large value, the CPU kernel implementation receives it as a C++ nan floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.
In Tensorflow, when the boxes argument of tf.image.crop_and_resize has a very large value, the CPU kernel implementation receives it as a C++ nan floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.
In Tensorflow, when the boxes argument of tf.image.crop_and_resize has a very large value, the CPU kernel implementation receives it as a C++ nan floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.
The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
This affects the package @tsed/core This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.
A Server-Side Request Forgery (SSRF) issue exists in the osm-static-maps package. User input given to the package is passed directly to a template without escaping ({{{ … }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code depending on the context. The contents will be output as HTML on the page which gives opportunity for XSS, or possibly, rendered on the server (puppeteer) which may allow …
Expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched A workaround without upgrading is described in the linked advisory.
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller.
In webpack-subresource-integrity, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-level chunks are unaffected.
Apache Kylin has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confidential information entries will be disclosed to everyone.
A mis-handling of invalid unicode characters in the Java implementation of Tink allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.
A prototype pollution vulnerability has been found in object-path don't use the includeInheritedProps: true options or the withInheritedProps.
Impact Denial of Service via Cache Flooding Patches We recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020
Impact Denial of Service via Cache Flooding Patches We recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020
In Orchid Platform, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced and fixed
In Sylius, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius As a workaround, you may resolve …
AuthRestServlet in Matrix Synapse is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the victim user with a malicious URL to the /_matrix/client/r0/auth//fallback/web or /_matrix/client/unstable/auth//fallback/web Synapse endpoints.
Impact Authenticated XML External Entity Processing Patches We recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020
Impact Authenticated XML External Entity Processing Patches We recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020
libtaxii, as used in EclecticIQ OpenTAXII and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser.
TAXII libtaxii, as used in EclecticIQ OpenTAXII and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser.
The git hook feature in Gitea allows for authenticated remote code execution.
Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by CVE-2020-11612. Patches Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe. Workarounds Add …
Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by CVE-2020-11612. Patches Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe. Workarounds Add …
Containerd (an industry-standard container runtime) suffers from a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. The default containerd resolver will provide its authentication credentials if the server …
In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.
Apereo CAS mishandles secret keys with Google Authenticator for multifactor authentication.
An issue was discovered in OpenStack blazar-dashboard. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.
This vulnerability could be abused by an unauthenticated attacker to execute XSS attacks against other Magento users. This vulnerability requires a victim to browse to the uploaded file.
Heap-based buffer overflow in archive_string_append_from_wcs() allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting into a crash) via a crafted archive file.
Singularity (an open source container platform) from has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with allow setuid = no) run of Singularity when a user attempt to run an image which …
This vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information otherwise considered confidential in an enclave, which could be used in further compromises. The issue has been addressed and the current master branch. Users will need to to recompile their applications against the patched libraries to be protected from this vulnerability.
Apache Solr to to to prevents some features considered dangerous (which could be used for remote code execution) to be configured in a ConfigSet that's uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
In the Channelmgnt plug-in for Sopel before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions from 9.0.0 and less than 9.0.2 affected. Version 9.0.2 includes 1.0.3 of channelmgnt, and thus is safe from this vulnerability. See referenced GHSA-23pc-4339-95vg.
The mathjs package is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates.
In JUnit4 the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is …
If a HTTP/2 client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
If an HTTP/2 client connecting to Apache Tomcat to M1 to to exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
An issue was discovered in SearchController in phpMyAdmin. An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.
MyBatis mishandles deserialization of object streams.
phpMyAdmin allows XSS through the transformation feature via a crafted link.
HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite onwards, the hostname verification will be performed using the …
TYPO3 Fluid Engine (package typo3fluid/fluid)is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like{showFullName ? fullName : defaultValue}. Updated versions of this package are bundled in following TYPO3 (typo3/cms-core) versions as well: TYPO3 v8.7.25 (using typo3fluid/fluidv2.5.4) and TYPO3 v9.5.6 (usingtypo3fluid/fluid` v2.6.1).
Next.js is vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.
TYPO3 Fluid Engine (package typo3fluid/fluid)is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like{showFullName ? fullName : defaultValue}. Updated versions of this package are bundled in following TYPO3 (typo3/cms-core) versions as well: TYPO3 v8.7.25 (using typo3fluid/fluidv2.5.4) and TYPO3 v9.5.6 (usingtypo3fluid/fluid` v2.6.1).
Jenkins couchdb-statistics Plugin stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Jenkins SMS Notification Plugin stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Jenkins Maven Cascade Release Plugin does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.
NATS nats.js, nats.ws, and nats.deno allow credential disclosure from a client to a server.
In Jenkins Audit Trail Plug, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.
Jenkins Role-based Authorization Strategy Plugin does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.
Jenkins Nerrvana Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
TYPO3 Fluid Engine (package typo3fluid/fluid) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like {showFullName ? fullName : defaultValue}. Updated versions of this package are bundled in following TYPO3 (typo3/cms-core) versions as well: TYPO3 v8.7.25 (using typo3fluid/fluid v2.5.4) and TYPO3 v9.5.6 (using typo3fluid/fluid v2.6.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pterodactyl/panel.
Jenkins Audit Trail Plugin applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL.
Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops which have installed and activated the Web API plugin. Users of Smartstore must merge their repository with or overwrite the file SmartStore.Web.Framework in the /bin directory of the deployed shop with this file. As a workaround without updating uninstall the Web API plugin to close this vulnerability.
Jenkins Active Choices Plug does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Users of the HAPI FHIR Testpage Overlay can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believed to be widely used for any production purposes.
Jenkins Active Choices Plug does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
PyroCMS is vulnerable to cross-site request forgery (CSRF) via the admin/pages/delete/ URI: pages will be deleted.
A cross-site request forgery (CSRF) vulnerability in Jenkins Maven Cascade Release Plugin allows attackers to start cascade builds and layout builds, and reconfigure the plugin.
PyroCMS is vulnerable to cross-site request forgery (CSRF) via the admin/addons/uninstall/anomaly.module.blocks URI: an arbitrary plugin will be deleted.
A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin allows attackers to configure shared objects.
Contao suffers from an Improper Input Validation flaw. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.