The Advanced Reports module for SilverStripe is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code. This affects admin/advanced-reports/DataObjectReport/EditForm/field/DataObjectReport/item (report preview) when an SVG document is provided in the Description parameter.
Versions of helmet-csp before to are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting. Upgrade to or later. Setting the browserSniff configuration to false in vulnerable versions also mitigates the issue.
All versions of expressfs are vulnerable to Command Injection. expressfs.cp, expressfs.create and expressfs.rmdir. No fix is currently available. Consider using an alternative module until a fix is made available.
Versions of addax are vulnerable to Command Injection. The package does not validate user input on the presignPath function which receives input directly from the API endpoint. Exploiting the vulnerability requires authentication. This may allow attackers to run arbitrary commands in the system. Upgrade to or later.
Affected versions of node-weakauras-parser are vulnerable to a Buffer Overflow. The encode_weakaura function fails to properly validate the input size. A buffer of bytes causes an overflow on systems. Upgrade to or later.
Versions of graphql-shield are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.
Versions of saml2-js prior to 2.0.5 are vulnerable to an Authentication Bypass. The package fails to enforce the assertion conditions for encrypted assertions, which may allow an attacker to reuse encrypted assertion tokens indefinitely. Recommendation Upgrade to version 2.0.5 or later.
Versions of otpauth are vulnerable to Authentication Bypass. The package's totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.
Object lifetime issue in Blink in Google Chrome allowed a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.
Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, an .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
Versions of glance prior to 3.0.7 are vulnerable to Unauthorized File Access. The package provides a –nodot option meant to hide files and directories with names that begin with a ., such as .git but fails to hide files inside a folder that begins with .. Recommendation Upgrade to version 3.0.7 or later.
All versions of rails-session-decoder are missing verification of the Message Authentication Code appended to the cookies. This may lead to decryption of cipher text thus exposing encrypted information. No fix is currently available. Consider using an alternative module until a fix is made available.
Versions of loopback (3.x) (2.x) are vulnerable to Sensitive Data Exposure. Invalid API requests to the login endpoint may return information about the first user in the database. This can be used alongside other attacks for credential theft. If you're using loopback upgrade to or later. If you're using loopback upgrade to or later.
All versions of smart-extend are vulnerable to Prototype Pollution. The deep() function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.
All versions of jajajejejiji typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of erquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requets typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of discord_debug_log contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
All versions of eact typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asinc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reqquest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
The package destroyer-of-worlds contained malicious code. The package contained a bash script that was run as a postinstall script. The script deleted system files and attempted to exhaust resources by creating a large file, a fork bomb and an endless loop. The script targeted UNIX systems. Remove the package from your environment and perform additional incident response on your system's files and processes.
All versions of rqeuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of rrgod are considered malicious. The package is malware designed to run arbitrary scripts. When installed, the package downloads an arbitrary file and executes its contents as a pre, post and install scripts. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response …
All versions of aasync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asycn typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of portionfatty12 are considered malicious. The package is malware designed to steal user's data. When installed it uploads the user's public SSH keys to a remote server. This package is not available on the npm Registry anymore. If you happen to find this package in your environment you should consider the system it was installed on compromised and assess if further response (such as rotating all credentials found …
All versions of asyync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reqest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asymc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of rrequest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
All versions of requesst typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of calk typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of commnader typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of momen typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requset typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of font-scrubber contains malicious code as a postinstall script. The package attempts to upload sensitive files from the system to a remote server. The files include configuration files, command history logs, SSH keys and /etc/passwd. ## Recommendation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should …
All versions of whiteproject contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
The package donotinstallthis contained malicious code. The package contained a script that was run as part of the install script. The script contacted a remote service tracking how many installations were done. There is no further compromise. Remove the package from your environment.
All versions of asnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of experss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of asnyc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of chak typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of exprss typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of aysnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requuest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requeest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of reques typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requestt typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of carloprojectlesang contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. ## Recommendation Remove the package from your environment. Review your Discord account access and rotate tokens if possible. If a credit card was linked to a compromised account contact your credit card company.
of stream-combine has malicious code design to steal credentials and credit card information.This package is not available on the npm Registry anymore. If you used this module and your application processed credentials or credit card information, it is possible that information was stolen.
All versions of 4equest typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of saync typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of requet typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
All versions of wepack-cli typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
of rimrafall contains malicious code as a preinstall script. The package attempts to remove all files in the system's root folder. If you installed this package it is likely your machine was erased. If not, remove the package from your system and verify if any files were deleted.
All versions of asynnc typosquatted a popular package of similar name and tracked users who had installed the incorrect package. The package uploaded information to a remote server including: name of the downloaded package, name of the intended package, the Node version and whether the process was running as sudo. There is no further compromise. Remove the package from your dependencies and always ensure package names are typed correctly upon …
Versions of graphql-code-generator have an Insecure Default Configuration. The packages sets NODE_TLS_REJECT_UNAUTHORIZED to 0, disabling certificate verification for the entire project. This results in Insecure Communication for the process.
A Lucky timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.
The sf_event_mgt (aka Event management and registration) extension before 4.3.1 and 5.x before 5.1.1 for TYPO3 allows Information Disclosure (participant data, and event data via email) because of Broken Access Control.
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in static-eval.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in value-censorship.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in kraken-api.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in froever.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wangeditor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in yeoman-genrator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in sandbox.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in colour-string.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in require-ports.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tomato.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in commander-js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in browserift.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in colro-name.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bowee.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bestzip.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pomelo-monitor.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pi_video_recording.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in logsymbles.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tensorplow.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in office-converter.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jqeury.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in hulp.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in loopback-connector-mongodb.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cocos-utils.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in uglyfi-js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bowe.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jquerz.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in express-cart.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ag-grid-community.
Improper Neutralization in semantic-ui-search.
Improper Neutralization in mermaid.
Improper Neutralization in fomantic-ui.
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
In Symfony, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response …
Vulnerable versions of loopback may allow attackers to create Authentication Tokens on behalf of other users due to Improper Authorization. If the AccessToken model is publicly exposed, an attacker can create Authorization Tokens for any user as long as they know the target's userId. This will allow the attacker to access the user's data and their privileges. For loopback, upgrade to or later For loopback, upgrade to or later
Versions of googleapis are vulnerable to Improper Authorization. Setting credentials to one client may apply to all clients which may cause requests to be sent with the incorrect credentials.
Versions of preact on prerelease tags alpha and beta are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .
Versions of serialize-to-js prior to 2.0.0 are vulnerable to Denial of Service. User input is not properly validated, allowing attackers to provide inputs that lead the execution to loop indefinitely. Recommendation Upgrade to version 2.0.0 or later.
Versions of ipfs-bitswap are vulnerable to Denial of Service (DoS). The package put unwanted blocks in the blockstore, which could be used to exhaust system resources in specific conditions. Upgrade to or later.
All version of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XmlHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to include malicious payloads as part of query parameters that are reflected back to the user. A response such as {"q":"<iframe/src='javascript:alert(1)'></iframe>","results":[]} would be …
Versions of google-closure-library prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The safedomtreeprocessor.processToString() function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting. Recommendation Upgrade to version 20190301.0.0 or later.
All versions of buttle are vulnerable to Cross-Site Scripting. Due to misconfiguration of its rendering engine, buttle does not sanitize the HTML output allowing attackers to run arbitrary JavaScript when processing malicious markdown files. Recommendation No fix is currently available. Consider using an alternative module until a fix is made available.
Versions of bootstrap-vue are vulnerable to Cross-Site Scripting. Due to insufficient input sanitization, components may be vulnerable to Cross-Site Scripting through the options variable. This may lead to the execution of malicious JavaScript on the user's browser.
Ignite Realtime Openfire has a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, searchDescription and searchDynamic in the Server Properties and Security Audit Viewer JSP page.
In Ignite Realtime Openfire, a stored cross-site scripting vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameters searchName and alias in the import certificate trusted page.
A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request searchName, searchValue, searchDescription, searchDefaultValue,searchPlugin, searchDescription and searchDynamic in server-properties.jsp and security-audit-viewer.jsp
Vulnerable versions of decompress-zip are affected by the Zip-Slip vulnerability, an arbitrary file write vulnerability. The vulnerability occurs because decompress-zip does not verify that extracted files do not resolve to targets outside of the extraction root directory. For decompress-zip upgrade to or later. For decompress-zip upgrade to or later.
Affected versions of rendr are vulnerable to cross-site scripting when client side rendering is done inside a _block. Server side rendering is not affected and is properly escaped. Recommendation Update to version 1.1.4 or later.
When server level, connection level or route level CORS configurations in hapi node module before 11.1.4 are combined and when a higher level config included security restrictions (like origin), a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).
Affected versions of sequelize are vulnerable to SQL Injection in Models that have fields with the GEOMETRY DataType. This vulnerability occurs because single quotes in document values are not escaped for GeoJSON documents using ST_GeomFromGeoJSON, and MySQL GeoJSON documents using GeomFromText. Recommendation Update to version 3.23.6 or later.
Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials. Recommendation It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then. At this time, the best available …
Affected versions of hooka-tools were compromised and modified to silently run a cryptocoin miner in the background. All affected versions have been unpublished from the npm registry. Recommendation While this module has been unpublished, some versions may exist in mirrors or caches. Do not install this module, and remove it if found.
Versions of openwhisk before 3.3.1 are vulnerable to remote memory exposure. When a number is passed to api_key, affected versions of openwhisk allocate an uninitialized buffer and send that over network in Authorization header (base64-encoded). Proof of concept: var openwhisk = require('openwhisk'); var options = { apihost: '127.0.0.1:1433', api_key: USERSUPPLIEDINPUT // number }; var ow = openwhisk(options); ow.actions.invoke({actionName: 'sample'}).then(result => console.log(result)) Recommendation Update to version 3.3.1 or later.
Versions of mongoose before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation Update to version 4.3.6, 3.8.39 or later.
Relative Path Traversal in express-cart.
Affected versions of redis-commander contain a cross-site scripting vulnerability in the highlighterId paramter of the clipboard.swf component on hosts serving Redis Commander.
All versions of merge-objects are vulnerable to Prototype Pollution. ## Recommendation No fix is available for this vulnerability at this time. It is our recommendation to use an alternative package.
This affects all versions of package github.com/u-root/u-root/pkg/cpio. It is vulnerable to leading, non-leading relative path traversal attacks and symlink based (relative and absolute) path traversal attacks in cpio file extraction.
This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.
The package github.com/u-root/u-root/pkg/tarutil is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction.
Versions of njwt are vulnerable to out-of-bounds reads when a number is passed into the base64urlEncode function. On Node.js or lower this can expose sensitive information and on any other version of Node.js this creates a Denial of Service vulnerability.
Versions of base64url are vulnerable to to out-of-bounds reads as it allocates uninitialized Buffers when number is passed in input on Node.js. ## Recommendation Update to or later.
Versions of express-cart before 1.1.8 are vulnerable to NoSQL injection. The vulnerability is caused by the lack of user input sanitization in the login handlers. In both cases, the customer login and the admin login, parameters from the JSON body are sent directly into the MongoDB query which allows to insert operators. These operators can be used to extract the value of the field blindly in the same manner of …
Jenkins Team Foundation Server Plugin stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
Jenkins SoapUI Pro Functional Testing Plugin stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
The Jenkins Parameterized Remote Trigger Plugin stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
A missing permission check in the Jenkins database plugin allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials.
nothing-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.
All versions of boogeyman are considered malicious. This particular package would download a payload from pastebin.com, eval it to read ssh keys and the users .npmrc and send them to a private pastebin account. This package was published to the npm Registry for a very short period of time. If you happen to find it in your environment you should revoke and rotate your ssh keys and your npm token.
of eslint-config-eslint was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens
of eslint-config-airbnb-standard was published with a bundled version of eslint-scope that was found to contain malicious code. This code would read the users .npmrc file and send it's contents to a remote server. The best course of action if you found this package installed in your environment is to revoke all your npm tokens and use a different version of the module. You can find instructions on how to do …
ladder-text-js contained a malicious script that attempted to delete all files when npm test was run. This module has been unpublished from the npm Registry. If you find this module in your environment remove it.
Affected versions of ezseed-transmission download and run a script over an HTTP connection. An attacker in a privileged network position could launch a Man-in-the-Middle attack and intercept the script, replacing it with malicious code, completely compromising the system running ezseed-transmission. Recommendation Update to version 0.0.15 or later.
The Jenkins Klocwork Analysis Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
The Jenkins Valgrind Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
Keys of objects in mysql node module v2.0.0-alpha7 and earlier are not escaped with mysql.escape() which could lead to SQL Injection.
apk-parser is a tool to extract Android Manifest info from an APK file. apk-parser versions below 0.1.6 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in s3asy.
node-air-sdk is an AIR SDK for nodejs. node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soket.io.
windows-latestchromedriver downloads the latest version of chromedriver.exe. windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dictum.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in getcookies.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in css_transform_step.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in foever.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coffee-project.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ascii-art.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in xoc.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in angular-bmap.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @impala/bmap.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in css_transform_support.
The npm-test-sqlite3-trunk module provides asynchronous, non-blocking SQLite3 bindings. npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in awesome_react_utility.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in json-serializer.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-server-native.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dynamo-schema.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in cordova-plugin-china-picker.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in oauth-validator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jasmin.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in angular-material-sidenav-rnd.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nginxbeautifier.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in freshdom.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in pidusage.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dossier.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in another-date-picker.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in modlibrary.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in rc-calendar-jhorst.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in impala.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in flatmap-stream.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in simple-alipay.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in axois.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in blingjs.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in codify.
pm2-kafka is a PM2 module that installs and runs a kafka server pm2-kafka downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in regenraotr.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-dates-sc.
apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soket.js.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in regenrator.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in another-date-range-picker.
Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element.
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mrk.js.
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react-marked-markdown.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in md-data-table.
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jingo.
Improper Neutralization in buefy.
The promisehelpers package is vulnerable to Prototype Pollution via the insert function.
The gammautils package is vulnerable to Prototype Pollution via the deepSet and deepMerge functions.
uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.
The confucious package is vulnerable to Prototype Pollution via the set function.
The deeps package is vulnerable to Prototype Pollution via the set function.
The safe-object2 package is vulnerable to Prototype Pollution via the setter function.
The gedi package is vulnerable to Prototype Pollution via the set function.
Improper Input Validation in personnummer.
The locutus package is vulnerable to Prototype Pollution via the php.strings.parse_str function.
The dot-notes package is vulnerable to Prototype Pollution via the create function.
The node-oojs package is vulnerable to Prototype Pollution via the setPath function.
The tiny-conf package is vulnerable to Prototype Pollution via the set function.
The arr-flatten-unflatten package is vulnerable to Prototype Pollution via the constructor.
ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.
The package node-forge is vulnerable to Prototype Pollution via the util.setPath function. Note, it is a breaking change removing the vulnerable functions.
The nodee-utils package is vulnerable to Prototype Pollution via the deepSet function.
The worksmith package is vulnerable to Prototype Pollution via the setValue function.
The deep-get-set package is vulnerable to Prototype Pollution via the main function.
MAGMI is vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections where the default is and is lower than Apache (or another web server) setting for MaxRequestWorkers, formerly MaxClients, where the default is This can be done by sending at least simultaneous requests to the Magento …
Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort. Recommendation Update to version 3.0.0 or later.
A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.
In Apache Cassandra, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables …
All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a byte value being returned, but one that is easily guessable. Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances …
adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. This impacts the integrity and availability of this geoip data that may alter the decisions made by an application using this data.
Affected versions of yjmyjmyjm resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …
Affected versions of wenluhong1 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …
Affected versions of nodeload-nmickuli resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …
Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. The featurebook package is not intended to be run in production code nor to be exposed to an untrusted network. Proof of Concept GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo …
The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files. Mitigating Factors: If the node process is run as a user with very limited …
Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. Recommendation Update to version 2.2.0 or later.
Affected versions of mqtt will cause the node process to crash when receiving specially crafted MQTT packets, making the application vulnerable to a denial of service condition. Recommendation Update to v1.0.0 or later
All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing text+@[toc] causes the application to enter and infinite loop. No fix is currently available. Consider using an alternative module until a fix is made available.
Affected versions of swagger-ui are vulnerable to cross-site scripting in both the consumes and produces parameters of the swagger JSON document for a given API. Additionally, swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter url, allowing an attacker to exploit this attack against any user that the attacker can convince to visit a crafted link. Proof of Concept http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json Recommendation Update to version 2.2.1 …
Affected versions of swagger-ui are vulnerable to cross-site scripting via the url query string parameter. Recommendation Update to 2.2.1 or later.
Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included. An attacker can create a server that replies with a malicious script and the proper content-type, and then craft a swagger-ui URL that includes the location to their server/script in the url query string parameter. …
Affected versions of fuelux contain a cross-site scripting vulnerability in the Pillbox feature. By supplying a script as a value for a new pillbox, it is possible to cause arbitrary script execution. Recommendation Update to version 3.15.7 or later.
Affected versions of emojione are vulnerable to cross-site scripting when user input is passed into the toShort(), shortnameToImage(), unicodeToImage(), and toImage() functions. Recommendation Update to version 1.3.1 or later.
Affected versions of c3 are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. Recommendation Update to 0.4.11 or later.
All versions of bootstrap-tagsinput are vulnerable to cross-site scripting when user input is passed into the itemTitle parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter. Recommendation This package is not actively maintained, and has not seen an update since 2015. Because of this, the simplest mitigation is to avoid using the itemTitle parameter. With over 200 open issues and over 100 open …
Affected versions of pivottable are vulnerable to cross-site scripting, due to a new mechanism used to render JSON elements. Recommendation Update to version 2.0.0 or later.
Jenkins JSGames Plugin evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability.
Jenkins Cadence vManager Plugin does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
The Jenkins Valgrind Plugin does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.
Jenkins Git Parameter Plug does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Build Failure Analyzer Plugin does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.
MAGMI is vulnerable to CSRF due to the lack of anti-CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin allows attackers to execute arbitrary SQL scripts.
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin allows attackers to connect to an attacker-specified database server using attacker-specified credentials.
Versions of samsung-remote are vulnerable to command injection. This vulnerability is exploitable if user input is passed into the ip option of the package constructor. Update to or later.
Jenkins SoapUI Pro Functional Testing Plugin transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
The Jenkins SoapUI Pro Functional Testing Plugin transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.
Versions of serve before 6.5.2 are vulnerable to the bypass of the ignore functionality. The bypass is possible because validation happens before canonicalization of paths and filenames. Example: Here we have a server that ignores the file test.txt. const serve = require('serve') const server = serve(__dirname, { port: 1337, ignore: ['test.txt'] }) Using the URL encoded form of a letter (%65 instead of e) attacker can bypass the ignore control …
ep_imageconvert is a plugin for Etherpad Lite. ep_imageconvert <= 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater.
Versions of validator prior to 3.22.1 are affected by a regular expression denial of service vulnerability in the isURL method. Recommendation Update to version 3.22.1 or later.
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.
scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands.
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.
The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when showHidden is false.
Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory.
paypal-ipn before 3.0.0 uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.
Dolibarr is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.
Cross-Site Request Forgery (CSRF) in jquery-ujs.
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with …
A buffer over-read vulnerability exists in bl which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
This affects the package json. It is possible to inject arbritary commands using the parseLookup function.
This advisory has been marked as a false positive.
MPXJ suffers from XXE vulnerabilities. This affects the GanttProjectReader and PhoenixReader components.
The Spinnaker template resolution functionality is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to send requests on behalf of Spinnaker potentially leading to sensitive data disclosure.
An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
baserCMS content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js.
baserCMS is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components is toolbar.php.
baserCMS is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The affected components are ThemeFilesController.php and UploaderFilesController.php.
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the ps bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine as well as …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in flood.
An issue was discovered in MoscaJS Aedes lib/write.js does not properly consider exceptions during the writing of an invalid packet to a stream.
In the nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.
In nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.
In Netwide Assembler (NASM) rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.
GNU Bison has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated …
In Netwide Assembler (NASM), SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in highcharts.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
A Cross Site Scripting vulnerability was found in Codiad. The vulnerability occurs because of improper sanitization of the folder name $path variable in components/filemanager/class.filemanager.php.
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."
wolfSSL mishandles TLS server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS client state machine. This allows attackers in a privileged network position to completely impersonate any TLS servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.
** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by …
A RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.
A RCE exploit has been discovered in the Streams module: this exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.
Metadadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid. The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates.
The Management Console in WSO2 API Manager allows XML External Entity injection (XXE) attacks.
The Management Console in WSO2 API Manager allows XML Entity Expansion attacks.
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates.
Dolibarr CRM allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which disabled is changed to enabled in the HTML source code.
This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine.
wolfSSL mishandles the change_cipher_spec (CCS) message processing logic for TLS If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.
An issue was discovered in the DTLS handshake implementation in wolfSSL. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.
An issue was discovered in wolfSSL when single precision is not employed. signing with a private key).
An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if …
Path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. Giving this a CVSS score of 3.0 (Low) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:U/RC:C
Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. Giving this a CVSS of 8.0 (high) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C .
In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.
In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.
Magento allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks.
This advisory has been marked as a false positive.
HashiCorp vault-ssh-helper up to and including version incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address assigned to that interface.
In auth0-lock dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.
The path package is vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.
The package property-expr is vulnerable to Prototype Pollution via the setter function.
connie-lang is vulnerable to Prototype Pollution in the configuration language library used by connie.
The path package is vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.
nis-utils is vulnerable to Prototype Pollution via the setValue function.
ftp-srv is vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration.
A vulnerability in phpBB's remote image dimensions check can be abused to execute SSRF attacks.
lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.
ldebug.c attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.
ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'.
The Replication handler allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e., you could read/write to any location the solr user can access.
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.
The package linux-cmdline is vulnerable to Prototype Pollution via the constructor.
In Apache Shiro a specially crafted HTTP request may cause an authentication bypass.
Apache Shiro, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
In Play Framework, the CSRF filter can be bypassed by making CORS requests with content types that contain parameters that can't be parsed.
madlib-object-utils is vulnerable to Prototype Pollution via setValue.
phpjs is vulnerable to Prototype Pollution via parse_str.
The resolveRepositoryPath function does not properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access of private Git repositories as long as the malicious user knows or brute-forces the location of the repository.
A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.
A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.
A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.
The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.
JerryScript allows stack consumption via function a(){new new Proxy(a,{})}JSON.parse("[]",a).
JerryScript is vulnerable to a buffer over-read.
Lua through allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.
Jenkins does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
Jenkins Yet Another Build Visualizer does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.
Jenkins does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
Jenkins does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler allows attackers to rebuild a project at a previous git revision.
Concourse, in installations which use the GitLab auth connector, is vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another user who is granted access to a Concourse team. GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.
An improperly initialized migrationAuth' value in Google's go-tpm library can lead an eavesdropping attacker to discover the authvalue for a key created with CreateWrapKey. An attacker listening in on the channel can collect bothencUsageAuthandencMigrationAuth, and then can calculate usageAuth ^ encMigrationAuthas themigrationAuthcan be guessed for all keys created withCreateWrapKey`.
Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed. Adding the following content to the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>.
Cross-Site Request Forgery in datasette.
jpv (aka Json Pattern Validator) does not properly validate input, as demonstrated by a corrupted array.
TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
** DISPUTED ** Prometheus Blackbox Exporter allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
Prism is vulnerable to Cross-Site Scripting. The easing preview of the previewer plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.
etcd does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.
In etcd, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the –endpoints flag. This has been fixed with improved documentation and deprecation of the functionality.
When using H₂/MySQL/TiDB as Apache SkyWalking storage, there is an SQL injection vulnerability in the wildcard query cases.
In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned …
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 …
In Contour (Ingress controller for Kubernetes), a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint …
The Chartkick gem for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).
In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in angular.
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a 400 error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the …
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be …
Cross-Site Request Forgery (CSRF) in polaris-website.
The Field Test gem for Ruby allows CSRF.
The PgHero gem allows CSRF.
This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …
This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …
In solidus, there is an ability to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes …
This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …
save-server is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. …
In OctoberCMS, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as …
In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection …
In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection …
A denial of service vulnerability exists in Fastify that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
The DAO/DTO implementation in SpringBlade through allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters.
This affects the package express-fileupload. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
In SLPJS (npm package slpjs), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.
In SLP Validate (npm package slp-validate), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code …
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
Magento has a path traversal vulnerability. Successful exploitation could lead to arbitrary code execution.
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any …
A malicious user could inject commands through the _data variable
Magento has an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
In auth0 (npm package), a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. and you are using a Machine to Machine application authorized to use Auth0's management API.
Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.
Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in git-tags-remote.
The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution.
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function.
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes …
In TYPO3 CMS, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1), it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, …
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
In auth0 (npm package) and you are using a Machine to Machine application authorized to use Auth0's management API
The Kubernetes ingress-nginx component allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type.
In TYPO3 installations with the mediace extension, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation.
In TYPO3 CMS, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid …
The dlf (aka Kitodo.Presentation) for TYPO3 allows XSS.
Magento has a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to arbitrary code execution.
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.
In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
LibEtPan has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a begin TLS response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka response injection.
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
kube-proxy was found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to localhost running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running …
The Kubelet and kube-proxy components were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or …
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.
An authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit …
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
This affects all versions of package rollup-plugin-server. There is no path sanitization in the readFile operation performed inside the readFileFromContentBase function.
This affects all versions of the marked-tree package. There is no path sanitization for the path provided in fs.readFile of index.js.
This affects all versions of the marscode package. There is no path sanitization for the path provided in fs.readFile of index.js.
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in the readFile operation inside the readFileFromContentBase function.
Uncontrolled resource consumption in jpeg-js allows attacker to launch denial of service attacks using specially a crafted JPEG image.
Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.
Lua has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
The Kubernetes kubelet component do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the …
The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext." Example Code: async () => …
An SQL injection vulnerability in softwareupdate_controller.php in the Software Update module for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint.
An SQL injection vulnerability in reportdata_controller.php in the reportdata module for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.
The UI in DevSpace allows web-sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.
A Cross-Site Scripting (XSS) vulnerability in the comment module for MunkiReport allows remote attackers to inject arbitrary web script or HTML by posting a new comment.
A Cross-Site Scripting (XSS) vulnerability in the munki_facts (aka Munki Conditions) module for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the key name.
A Cross-Site Scripting (XSS) vulnerability in the managedinstalls module for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the last two URL parameters (through which installed packages names and versions are reported).
The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
What kind of vulnerability is it? Who is impacted? JupyterHub deployments using: KubeSpawner <= 0.11.1 (e.g. zero-to-jupyterhub 0.9.0) and enabled named_servers (not default), and an Authenticator that allows: usernames with hyphens or other characters that require escape (e.g. user-hyphen or user@email), and usernames which may match other usernames up to but not including the escaped character (e.g. user in the above cases) In this circumstance, certain usernames will be able …
A buffer overflow in the patching routine of bsdiff4 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.
In parser-server, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Magento has a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.
In LibreNMS, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.
Lua's getobjname suffers from a heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
Sails.js allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.
An issue was discovered in LibreNMS. It has insufficient access control for normal users in routes/web.php.
Lua mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.
A path traversal vulnerability in servey allows an attacker to read content of any arbitrary file.
In codecov (npm package), the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in …
In Fiber, the filename that is given in c.Attachment() is not escaped, and therefore vulnerable for a CRLF injection attack. An attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().
When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy …
docsify is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs and render arbitrary JavaScript/HTML inside docsify page.
A buffer overflow is present in canvas version which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image.
This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.
The kramdown gem processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution.
This affects all versions of package react-native-fast-image. When an image is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.
Graylog lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections.
MIT Lifelong Kindergarten Scratch scratch-vm loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented.
Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
A Path Traversal issue was discovered in the socket.io-file package for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.
Insufficient input validation in npm package may lead to OS command injection attacks.
Prototype pollution attack when using _.zipObjectDeep in lodash.
In SilverStripe, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side effect, this preconfigured path also blocks …
The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., …
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Jenkins Gitlab Authentication Plugin does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator). A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code)
Jenkins does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.
Jenkins does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
Jenkins does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
Jenkins Deployer Framework Plugin does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.
In SilverStripe, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
Jenkins Matrix Project Plugin does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.