Advisories

Dec 2020

Misinterpretation of Input

A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Jupyter Server open redirect vulnerability

What kind of vulnerability is it? Who is impacted? Open redirect vulnerability - a maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers running without a base_url prefix are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed …

Information exposure via query strings in URL

Impact: Information exposure via query strings in URL.
Patches: We recommend updating to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6
Workarounds: For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information: https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020
Credits: We would like to thank Oliver Herrmann for reporting this issue.

Authenticated Server Side Request Forgery

Impact: Authenticated Server Side Request Forgery.
Patches: We recommend updating to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6
Workarounds: For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information: https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020
Credits: We would like to thank REQON B.V. for reporting this issue.

Authenticated Privilege Escalation

Impact: Authenticated Privilege Escalation.
Patches: We recommend updating to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6
Workarounds: For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information: https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020

OS Command Injection

XStream is a Java library to serialize objects to XML and back again. XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, only by manipulating the processed input stream. No user is affected who followed the recommendation to set up XStream's Security …

Command Injection

A remote code execution vulnerability occurs in OpenTSDB via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient).

Path Traversal

common/InputStreamHelper.java in Packwood MPXJ allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.

Integer Overflow or Wraparound

** DISPUTED ** GNOME GLib has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented.

Uncontrolled Resource Consumption

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via a malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling the LES server; disabling LES prevents the exploit.

Prototype Pollution

The deepFillIn function can be used to fill missing properties recursively, while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

Prototype Pollution

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

Out-of-bounds Write

There's an out-of-bounds write flaw in JasPer's JPC encoder. Crafted input provided to JasPer by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.

Write to immutable memory region in TensorFlow

The tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area:

>>> import tensorflow as tf
>>> with open('/tmp/test.txt','w') as f: f.write('a'*128)
>>> tf.raw_ops.ImmutableConst(dtype=tf.string,shape=2, memory_region_name='/tmp/test.txt')

If the file is too small, TensorFlow properly returns an error as …

Use of Uninitialized Resource

In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen.

Use of Uninitialized Resource

In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by …

Uninitialized memory access in TensorFlow

Under certain cases, a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen:

struct QUInt8 {
  QUInt8() {}
  // …
  uint8_t value;
};

struct QInt16 {
  QInt16() {}
  // …
  int16_t value;
};

struct QUInt16 {
  QUInt16() {}
  // …
  …

Out-of-bounds Write

In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is …

Lack of validation in data format attributes in TensorFlow

The tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. However, these assumptions are not checked and this can result in uninitialized memory accesses, read outside of bounds and even crashes.

>>> import tensorflow as tf
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='1234', dst_format='1234')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 757100143], dtype=int32)>
…
>>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='HHHH', dst_format='WWWW')
<tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)>
…

Incorrect Permission Assignment for Critical Resource

A temp directory creation vulnerability exists in Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open.

Improper Input Validation

In affected versions of TensorFlow, running an LSTM/GRU model where the LSTM/GRU layer receives an input of zero length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.

Heap out of bounds access in MakeEdge in TensorFlow

Under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values …

Out-of-bounds Write

A heap-based buffer overflow exists in OpenEXR in writeTileData in ImfTiledOutputFile.cpp that can cause a denial of service via a crafted EXR file.

Out-of-bounds Write

A heap-based buffer overflow vulnerability exists in OpenEXR in chunkOffsetReconstruction of ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.

Information Disclosure in Apache Groovy

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, …

Improper Authentication

A specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended with ||. When the received nonce and …

Denial of service attack via incorrect parameters in Matrix Synapse

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.

Cross-site Scripting

This affects the package phpoffice/phpspreadsheet from The library is vulnerable to XSS when creating an HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as HTML.

Unrestricted Upload of File with Dangerous Type

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14, an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors …

Uncontrolled Resource Consumption

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. If you do use this option it is recommended that you upgrade to the latest version v4.3.6. This vulnerability was found using a CodeQL query which identified the EMPTY_ROW_REGEXP regular expression as vulnerable.

Uncontrolled Resource Consumption

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. This vulnerability was found using a CodeQL query which identified the EMPTY_ROW_REGEXP regular expression as vulnerable.

Improper Access Control

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.

Information Disclosure

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details.

ReDoS vulnerabilities: multiple grammars

Impact: Potential ReDoS vulnerabilities (exponential and polynomial RegEx backtracking). OWASP: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very …

Out-of-bounds Write

CImg suffers from integer overflows leading to heap buffer overflows in load_pnm() that can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity.

Information Exposure

While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

SQL Injection

A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Code Injection

Prototype pollution vulnerability in 'keyget' allows attacker to cause a denial of service and may lead to remote code execution.

Code Injection

Prototype pollution vulnerability in 'set-in' allows attacker to cause a denial of service and may lead to remote code execution.

Incorrect Resource Transfer Between Spheres

The containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be …

Incorrect Authorization

In oauthenticator, the deprecated (in jupyterhub ) configuration Authenticator.whitelist, which should be transparently mapped to Authenticator.allowed_users with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set.

Improper Access Control

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally.

Nov 2020

Sensitive Information in Resource Not Removed Before Reuse

In Eclipse Jetty RC0 to v20201102 alpha0 to beta2 alpha0 to beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will …

Incorrect Conversion between Numeric Types

If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of …

Buffer not correctly recycled in Gzip Request inflation

In Eclipse Jetty if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into …

Use After Free

Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Out-of-bounds Write

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

OS Command Injection

The npm package systeminformation is vulnerable to Prototype Pollution leading to Command Injection. If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to si.inetChecksite().

Use After Free

Zetetic SQLCipher has a use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in sqlite3.c. A remote denial of service attack can be performed. For example, a SQL injection can be used to execute the crafted SQL command sequence. After that, some unexpected RAM data is read.

Injection Vulnerability

Cron-utils is a Java library to parse, validate and migrate crons, as well as get human readable descriptions for them. In cron-utils, a template injection vulnerability is present. This enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Only projects using the @Cron annotation to validate untrusted Cron expressions are affected. This issue was patched

Incorrect Calculation

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January ). This happened on the ETC chain on . This issue is relevant only for miners, non-mining nodes are unaffected.

Incorrect Calculation

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00..0x04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..0x04 with R as an argument, …

Incorrect Calculation

Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth could cause miners to erroneously calculate PoW in an upcoming epoch. This happened on the ETC chain on . This issue is relevant only for miners, non-mining nodes are unaffected.

Improper Input Validation

Nanopb is a small code-size Protocol Buffers implementation. The following workarounds are available:
1) Set the option no_unions for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code.
2) Set the type of the submessage field inside oneof to FT_POINTER. This way the whole submessage will be dynamically allocated and the problematic code is not executed.
3) Use an arena …

Open redirect in Jupyter Server

What kind of vulnerability is it? Who is impacted? Open redirect vulnerability - a maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed server on the public internet. …

Modification of Assumed-Immutable Data (MAID)

highlight.js is vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will result in prototype pollution of the base object's prototype during highlighting. If you allow users to insert custom HTML code blocks into your page/app via parsing Markdown code blocks (or similar) and do not filter the language names the user can provide, you may be vulnerable. The pollution should just be harmless data but …

Injection Vulnerability

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. In Apache Unomi scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the release to fix this problem.

Implementation trusts the "me" field returned by the authorization server without verifying it

Impact A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. Patches fixes this issue. Workarounds There is no workaround. Upgrade to immediately. References Security Considerations: Differing User Profile URLs in the IndieAuth specification. For …

datasette-graphql leaks details of the schema of private database files

Impact When running against a Datasette instance with private databases, datasette-graphql would expose the schema of those database tables - but not the table contents. Patches Patched Workarounds This issue is only present if a Datasette instance that includes private databases and has the datasette-graphql plugin installed is available on the public internet. Uninstalling the datasette-graphql plugin or preventing public access to the instance can work around this issue. For more …

Server-Side Request Forgery (SSRF)

RegEx in private-ip insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

Missing Authorization

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig …

Missing Authorization

An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

Missing Authorization

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem …

Incorrect Authorization

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access.

Incorrect Authorization

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, an attacker can read local files on an October CMS server via a specially crafted request.

Improper Restriction of XML External Entity Reference

TYPO3 is an open source PHP based web content management system. In TYPO3 from, and, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability with current PHP versions of supported and maintained system distributions. At least with libxml2, the processing of XML external entities is disabled per default - and cannot be exploited. …

Improper Privilege Management

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path …

Cross-site Scripting

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. …

Cross-site Scripting

TYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting when passing user-controlled data as an argument to Fluid view helpers.

Cross-site Scripting

TYPO3 is an open source PHP based web content management system. In TYPO3 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting when passing user-controlled data as an argument to Fluid view helpers. Update to TYPO3 that fix the problem described.

Cleartext Storage of Sensitive Information

TYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system. Update to TYPO3 that fix the problem described.

Cleartext Storage of Sensitive Information

TYPO3 is an open source PHP based web content management system. In TYPO3 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.

Arbitrary Code Execution

This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In particular, the required field of the schema is not properly sanitized. The resulting string that is built based on the schema definition is then passed to Function.apply(), leading to arbitrary code execution.

Incorrect Authorization

If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method.

Open redirect in Jupyter Notebook

What kind of vulnerability is it? Who is impacted? Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet.

Improper Encoding or Escaping of Output

In the npm package semantic-release, secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed

Cross-site Scripting

TYPO3 Fluid is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid - TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format. Subclasses of AbstractConditionViewHelper would receive the then …

Prototype Pollution

This affects the package @firebase/util. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program.

OS Command Injection

XStream is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed

Vulnerability in RPKI manifest validation

A vulnerability in RPKI manifest validation exists when objects on the manifest are hidden, or expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received or selectively hide ROAs, causing routes to become INVALID. To exploit this vulnerability, an attacker would need to perform a man in the middle attack on the TLS connection between the validator and an RRDP repository or perform …

SQL Injection

In fastadmin-tp6 v1.0, in the file app/admin/controller/Ajax.php the 'table' parameter passed is not filtered, so a malicious parameter can be passed for SQL injection.

Injection Vulnerability

Dependabot is a set of packages for automated dependency management for Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Elm and Go. In Dependabot-Core from beta1, there is a remote code execution vulnerability in dependabot-common and dependabot-go_modules when a source branch name contains malicious injectable bash code. For example, if Dependabot is configured to use the following source branch name: /$({curl,127.0.0.1}), Dependabot will make an HTTP request to the following …

Incorrect Authorization

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched depending on the Spree version you use. Users of Spree are not affected.

Float cast overflow undefined behavior

When the boxes argument of tf.image.crop_and_resize has a very large value, the CPU kernel implementation receives it as a C++ nan floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault.

Buffer Overflow

In Eclipse Hono the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP protocol explicitly disallows a peer to send such messages, a hand crafted AMQP client could exploit this behavior in order to send a message of unlimited size …

Improper Input Validation

The apply function adds to the target object the property specified in the path; however, it does not properly check the key being set, leading to prototype pollution.

Cross-site Scripting

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. Please note that this is a separate issue to CVE-2019-17573.

Cross-site Scripting

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page.

Cross-site Scripting

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of the editor inputs.

Path Traversal

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.

Improper Input Validation

** DISPUTED ** An inaccurate frame deduplication process in ChirpStack Network Server allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: The vendor's position is that there are no "guarantees that allowing untrusted LoRa gateways to the network should still result in a secure network."

Improper Authentication

The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise, and Jet Enterprise, does not properly verify the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords.

Server-Side Request Forgery (SSRF)

Axios NPM package contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Out-of-bounds Write

The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

Improper Authentication

In Alerta, users may be able to bypass LDAP authentication if they provide an empty password when the Alerta server is configured to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow the unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented that returns an HTTP Unauthorized response for any authentication attempt where the password field is empty. As a workaround LDAP administrators …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and …

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow remote code execution attacks that can be performed by injecting specially crafted serialized objects. The presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in the Synapse distribution makes this exploitable. To mitigate the issue, we need to limit …

Unintended Proxy or Intermediary

An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest of the network. Later versions, in particular go-ipfs, mitigate this.

Path Traversal

This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droppy server.

Path Traversal

This affects all versions of package browserless-chrome. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.

Oct 2020

Path Traversal

There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivileged user can check for the existence of any files on the system as root.

SQL Injection

The package pimcore/pimcore is vulnerable to SQL Injection in data classification functionality in ClassificationstoreController. This can be exploited by sending a specifically-crafted input in the relationIds parameter as demonstrated by the following request; http://vulnerable.pimcore.example/admin/classificationstore/relations?relationIds =[{"keyId"%3a"''","groupId"%3a"'asd'))+or+1%3d1+union+(select+1,2,3,4,5,6, name,8,password,'',11,12,'',14+from+users)+–+"}].

Deserialization of Untrusted Data

In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.

Cross-site Scripting

baserCMS is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, and New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can access the file upload function category list, sub-site setting list, widget area edit, and feed list on the management screen.

Improper Input Validation

The options parameter in chart.js is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to prototype pollution.

Cross-site Scripting

An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy headers are disabled.

CLI does not correctly implement strict mode

In the affected versions, the AWS Encryption CLI operated in "discovery mode" even when "strict mode" was specified. Although decryption only succeeded if the user had permission to decrypt with at least one of the CMKs, decryption could be successful using a CMK that was not included in the user-defined set when the CLI was operating in "strict mode." Affected users should upgrade to Encryption CLI v1.8.x or v2.1.x as …

Unauthorized privilege escalation in Mod module

An unauthorized privilege escalation exploit has been discovered in the Mod module: this exploit allows Discord users with a high privilege level within the guild to bypass hierarchy checks when the application is in a specific condition that is beyond that user's control. By abusing this exploit, it's possible to perform destructive actions within the guild the user has high privileges in.

Out-of-bounds Write

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

HMAC-SHA1 signatures can bypass validation via key confusion

Impact An attacker can inject an HMAC-SHA1 signature that is valid using only knowledge of the RSA public key. This allows bypassing signature validation. Patches has the fix. Workarounds The recommendation is to upgrade. In case that is not possible remove the 'http://www.w3.org/2000/09/xmldsig#hmac-sha1' entry from SignedXml.SignatureAlgorithms.

Command Injection

The systeminformation package is vulnerable to Command Injection. An attacker can concatenate the curl command's parameters to overwrite Javascript files and then execute any OS commands.

Cross-site Scripting

Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel - An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.

Creation of Temporary File in Directory with Insecure Permissions

In Eclipse Jetty on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including …

Improper Verification of Cryptographic Signature

omniauth-auth0 improperly validates the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. Impact is limited to the cases where you are using omniauth-auth0 and using the JWTValidator.verify method directly, or you are not authenticating using the SDK’s default Authorization Code Flow.

Uncontrolled Resource Consumption

This affects the package @tsed/core. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on whether user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Server-Side Request Forgery (SSRF)

A Server-Side Request Forgery (SSRF) issue exists in the osm-static-maps package. User input given to the package is passed directly to a template without escaping ({{{ … }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code depending on the context. The contents will be output as HTML on the page which gives opportunity for XSS, or possibly, rendered on the server (puppeteer) which may allow …

Improper Authentication

Expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched. A workaround without upgrading is described in the linked advisory.

Denial of Service via Cache Flooding

Impact Denial of Service via Cache Flooding Patches We recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020

Cross-site Scripting

In Orchid Platform, inline attributes are not properly escaped. If the data that came from users was not escaped, then an XSS vulnerability is possible. The issue was introduced and fixed

Cross-site Scripting

In Sylius, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any existing account (guest or normal one). The issue has been patched in Sylius As a workaround, you may resolve …

Authenticated XML External Entity Processing

Impact: Authenticated XML External Entity Processing.
Patches: We recommend updating to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6
Workarounds: For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659
For more information: https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020

Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

Impact A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by CVE-2020-11612. Patches Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe. Workarounds Add …

Insufficiently Protected Credentials

Containerd (an industry-standard container runtime) suffers from a credential-leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a "foreign layer"), the default containerd resolver will follow that URL to attempt to download it. The default containerd resolver will provide its authentication credentials if the server …

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

In XWiki before versions 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context, which contains tools that allow instantiating arbitrary Java objects and invoking methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.

Improper Access Control

An issue was discovered in OpenStack blazar-dashboard. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.

Ciphertext Malleability Issue in Tink Java

Tink's Java version before 1.5 under some circumstances allowed attackers to change the key ID part of the ciphertext, resulting in the attacker creating a second ciphertext that will decrypt to the same plaintext. This can be a problem in particular in the case of encrypting with a deterministic AEAD with a single key, and relying on the fact that there is only a single valid ciphertext per plaintext. No …

Out-of-bounds Write

Heap-based buffer overflow in archive_string_append_from_wcs() allows remote attackers to cause a denial of service (out-of-bounds write in heap memory resulting in a crash) via a crafted archive file.

Path Traversal

Singularity (an open source container platform) has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs, it is possible to overwrite or create any files on the host filesystem during extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged runs of Singularity (either an unprivileged installation or one with allow setuid = no) when a user attempts to run an image which …

Files or Directories Accessible to External Parties

This vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information otherwise considered confidential in an enclave, which could be used in further compromises. The issue has been addressed in the current master branch. Users will need to recompile their applications against the patched libraries to be protected from this vulnerability.

Missing Authorization

Apache Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that is uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

Missing Authorization

In the Channelmgnt plug-in for Sopel before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions from 9.0.0 and less than 9.0.2 affected. Version 9.0.2 includes 1.0.3 of channelmgnt, and thus is safe from this vulnerability. See referenced GHSA-23pc-4339-95vg.

Information Exposure

In JUnit4 the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is …

HTTP Request Smuggling

If an HTTP/2 client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

HTTP Request Smuggling

If an HTTP/2 client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers, including HTTP/2 pseudo headers, from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

SQL Injection

An issue was discovered in SearchController in phpMyAdmin. An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.

Missing Authentication for Critical Function

The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect with Druid and Splunk, so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class, so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite onwards, the hostname verification will be performed using the …

URL Redirection to Untrusted Site (Open Redirect)

TYPO3 Fluid Engine (package typo3fluid/fluid) is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like {showFullName ? fullName : defaultValue}. Updated versions of this package are bundled in the following TYPO3 (typo3/cms-core) versions as well: TYPO3 v8.7.25 (using typo3fluid/fluid v2.5.4) and TYPO3 v9.5.6 (using typo3fluid/fluid v2.6.1).

URL Redirection to Untrusted Site (Open Redirect)

Next.js is vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

TYPO3 Fluid Engine (package typo3fluid/fluid) before versions 2.0.5, 2.1.4, 2.2.1, 2.3.5, 2.4.1, 2.5.5 or 2.6.1 is vulnerable to cross-site scripting when making use of the ternary conditional operator in templates like {showFullName ? fullName : defaultValue}. Updated versions of this package are bundled in the following TYPO3 (typo3/cms-core) versions as well: TYPO3 v8.7.25 (using typo3fluid/fluid v2.5.4) and TYPO3 v9.5.6 (using typo3fluid/fluid v2.6.1).

Improper Authentication

Affected versions of Smartstore have a missing WebApi Authentication attribute. This vulnerability affects Smartstore shops which have installed and activated the Web API plugin. Users of Smartstore must merge their repository with or overwrite the file SmartStore.Web.Framework in the /bin directory of the deployed shop with this file. As a workaround without updating, uninstall the Web API plugin to close this vulnerability.

Cross-site Scripting

Jenkins Active Choices Plugin does not escape some return values of sandboxed scripts for Reactive Reference Parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Cross-site Scripting

Users of the HAPI FHIR Testpage Overlay can use a specially crafted URL to exploit an XSS vulnerability in this module, allowing arbitrary JavaScript to be executed in the user's browser. The impact of this vulnerability is believed to be low, as this module is intended for testing and not believed to be widely used for any production purposes.

Cross-site Scripting

Jenkins Active Choices Plugin does not escape the name and description of build parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Improper Input Validation

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Cross-site Scripting

Cure53 DOMPurify allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Server-Side Request Forgery (SSRF)

This affects all versions of package node-pdf-generator. Due to the lack of user input validation and sanitization of the content given to node-pdf-generator, it is possible for an attacker to craft a URL that will be passed to an external server, allowing an SSRF attack.

Path Traversal

In xmpp-http-upload, when the GET method is attacked, attackers can read files which have a .data suffix and which are accompanied by a JSON file with the .meta suffix. This can lead to Information Disclosure and in some shared-hosting scenarios also to circumvention of authentication or other limitations on the outbound (GET) traffic. For example, in a scenario where a single server has multiple instances of the application running (with …

Improper Input Validation

The socket.io-file package for Node.js relies on client-side validation of file types, which allows remote attackers to execute arbitrary code by uploading an executable file via a modified JSON name field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Improper Input Validation

In Electron, the will-navigate event that apps use to prevent navigations to unexpected destinations, as per our security recommendations, can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched. As a workaround, sandbox all your iframes using the sandbox attribute. This will prevent them from creating top-frame navigations and is good practice anyway.

Exposure of Resource to Wrong Sphere

Electron is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Cross-site Scripting

This affects the package hellojs. The code gets the oauth_redirect parameter from the URL and passes it to location.assign without any check or sanitisation, so XSS payloads such as javascript:alert(1) can simply be passed in the oauth_redirect URL parameter.

Files or Directories Accessible to External Parties

A flaw was found in Ansible Base when using the aws_ssm connection plugin, as there is no namespace separation for file transfers. Files are written directly to the root bucket, making collisions possible when running multiple Ansible processes. This issue mainly affects service availability.

URL Redirection to Untrusted Site (Open Redirect)

ORY Fosite is a security-first OAuth2 & OpenID Connect framework for Go. In Fosite, the OAuth Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint were compared using strings.ToLower, while they should have been compared with a simple string match. This allows an attacker to register a client with an allowed redirect URL.

URL Redirection to Untrusted Site (Open Redirect)

ORY Fosite is a security-first OAuth2 & OpenID Connect framework for Go. In Fosite, there is an issue in which an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that points to the loopback adapter. Attackers can provide custom URL query parameters to their loopback redirect URL and actually override the host of the registered redirect URL. These …

Potential access control security issue in apollo-adminservice

apollo-adminservice before version 1.7.1 does not implement access controls. If users expose apollo-adminservice to the internet (which is not recommended), there are potential security issues, since apollo-adminservice is designed to work in an intranet and has no access control built in. Malicious actors may call the apollo-adminservice APIs directly to read or edit the application's configurations. To fix the potential issue without upgrading, simply follow the advice not to expose apollo-adminservice to the internet.

Code Injection

All versions of package shiba are vulnerable to Arbitrary Code Execution due to the default usage of the function load() of the package js-yaml instead of its secure replacement, safeLoad().

Missing Authentication for Critical Function

In Apache NiFi, the NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, authenticating only the request that uses the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Malicious code in `loadyaml`

npm packages loadyaml and electorn were removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: the IP address and IP-based geolocation, the home directory name, and the local username. The malicious packages have been removed from the npm registry and the leaked content removed from GitHub.

Malicious code in `electorn`

npm packages loadyaml and electorn were removed from the npm registry for containing malicious code. Upon installation the package runs a preinstall script that writes a public comment on GitHub containing the following information: the IP address and IP-based geolocation, the home directory name, and the local username. The malicious packages have been removed from the npm registry and the leaked content removed from GitHub.

Injection Vulnerability

As mitigation for CVE-2020-1945 Apache Ant changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Information Exposure

Pritunl allows attackers to enumerate valid VPN usernames via a series of /auth/session login attempts. Initially, the server will return err. However, if the username is valid, then after further login attempts the server will start responding with err. Invalid usernames will receive err indefinitely.

Inadequate Encryption Strength

In Apache NiFi, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However, intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Improper Input Validation

In the @actions/core npm module, addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the set-env and add-path workflow commands in the near …

Improper Authentication

In Istio, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g., *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.

Sep 2020

Query Injection

In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary …

Missing Authorization

jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Information Exposure

Nacos suffers from a flaw where users can access service details when unauthenticated. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in.