Advisories

Jenkins Matrix Project Plugin does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.

Jenkins Matrix Authorization Strategy Plugin does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.

Jenkins does not escape correctly the href attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.

In openenclave, enclaves that use x87 FPU operations are vulnerable to tampering by a malicious host application. By violating the Linux System V Application Binary Interface (ABI) for such operations, a host app can compromise the execution integrity of some x87 FPU operations in an enclave. Depending on the FPU control configuration of the enclave app and whether the operations are used in secret-dependent execution paths, this vulnerability may also …

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

In freewvs, a directory structure of more than nested directories can interrupt a freewvs scan due to Python's recursion limit and os.walk(). This can be problematic in a case where an administrator scans the dirs of potentially untrusted users.

In freewvs, a user could create a large file that freewvs will try to read, which will terminate the scan process.

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible.

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely.

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat to M1 to to to Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

An h2c direct connection to Apache Tomcat to M5 to to did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code.

h2c does not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

In OctoberCMS, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in standard-version.

django-two-factor-auth versions 1.11 and before store the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user …

A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function.

PKCE support is not implemented in accordance with the RFC for OAuth for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain …

Incorrect handling of Upgrade header with the value of websocket leads in crashing of containers hosting sockjs apps.

In TimelineJS, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file.

Server-Side Template Injection and arbitrary file disclosure are possible in Camel templating components.

In Electron, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected.

In Electron, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected.

In Electron, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected.

Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

Impact Inside Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish(), messages are arbitrarily broadcasted to the related Topic if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch() does not succeed. The dispatch() method can be considered to not succeed if (depending on the version of the bundle) the callback defined on a topic route is misconfigured, a Gos\Bundle\WebSocketBundle\Topic\TopicInterface implementation is not found for the callback, a topic which also implements Gos\Bundle\WebSocketBundle\Topic\SecuredTopicInterface rejects the connection, or an Exception is unhandled. This can result in an …

npm is vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

npm CLI is vulnerable to an information exposure vulnerability through log files. The password value is not redacted and is printed to stdout and also to any generated log files.

This advisory has been marked as a false positive.

Improper Neutralization in com.upokecenter:cbor.

In Electron, an arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

In jspdf, it is possible to inject JavaScript code via the html method.

In jspdf, it is possible to use <script> in order to bypass improper filtering protections based off of regular expressions.

A denial of service vulnerability allows an untrusted user to run any pending migrations on an app running in production.

A denial of service vulnerability exists in Rails that allowed an untrusted user to run any pending migrations on a Rails app running in production.

A directory traversal vulnerability exists in rack that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.

A missing permission check in Jenkins Fortify on Demand Plugin allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

Jenkins White Source Plugin stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system.

Jenkins GitHub Coverage Reporter Plugin stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration.

Jenkins TestComplete support Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Apache Guacamole does not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Jenkins Slack Upload Plugin stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

A missing permission check in Jenkins Fortify on Demand Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Apache Guacamole mishandles pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.

LibRaw lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.length.

The is a code injection vulnerability in versions of Rails that wouldallow an attacker who controlled the locals argument of a render call to perform a RCE.

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Jenkins Compatibility Action Storage Plugin does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

Jenkins Sonargraph Integration Plugin does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability.

Jenkins VncRecorder Plugin does not escape a tool path in the checkVncServ form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.

Jenkins VncViewer Plugin does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack

Jenkins Link Column Plugin does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability.

Jenkins VncRecorder Plugin does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

A CSRF vulnerability exists in rails that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

A CSRF forgery vulnerability exists in rails, rails that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

There is a code injection vulnerability in versions of Rails that would allow an attacker who controlled the locals argument of a render call to perform a RCE.

Jenkins Stash Branch Parameter transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

This issue occurs because tagName user input is formatted inside the exec function is executed without any checks.

php/exec/escapeshellarg in Locutus PHP allows an attacker to execute code.

Data is truncated wrong when its length is greater than bytes.

There is an SQL injection vulnerability, which allows accessing unexpected data.

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

In express-jwt (NPM package) up and including, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.

In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. …

This advisory has been marked as a False Positive and has been removed.

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Impact ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign. Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.13 or later, execution time of EC point and scalar multiplication is almost constant and fixed for the issue. …

CakePHP mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.

jp2/opj_decompress.c in OpenJPEG through has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.

wifiscanner.js in thingsSDK Wi-Fi Scanner allows Code Injection because it can be used with options to overwrite the default executable/binary path and its arguments. An attacker can abuse this functionality to execute arbitrary code.

LibRaw before has an out-of-bounds write in parse_exif() in metadata\exif_gps.cpp via an unrecognized AtomName and a zero value of tiff_nifds.

Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

Magento has a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento has a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento has a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento has a command injection vulnerability. Successful exploitation could lead to arbitrary code execution.

An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

Magento has an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

Magento has a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to admin panel.

Magento has an authorization bypass vulnerability. Successful exploitation could lead to potentially unauthorized product discounts.

Magento has a business logic error vulnerability. Successful exploitation could lead to privilege escalation.

Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento has a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

Magento (see note) have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

The private-key operations in ecc.c in wolfSSL does not use a constant-time modular inverse when mapping to affine coordinates.

In generator-jhipster-kotlin, log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries.

An issue was discovered in the acf-to-rest-api plugin for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and password values.

django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author). This will be fixed which is to be released the same day as this advisory is made public. When upgrading, you …

A potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently, the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid …

In Apache Spark, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

The modules\users\admin\edit.php in NukeViet suffers from CSRF which may allow attackers to change a user's password via the admin/index.php?nv=users&op=edit&userid= URI. This is due to the old password not being required during the change password function.

clearsystem.php in NukeViet allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.

The modules\users\admin\add_user.php in NukeViet suffers from CSRF which may allow attackers to trick victim administrators into adding a user account via the admin/index.php?nv=users&op=user_add URI.

In Limdu, the trainBatch function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

An issue was discovered in the jsrsasign package for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and 0 characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.

An issue was discovered in the jsrsasign package for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending \0 bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.

An issue was discovered in the jsrsasign package for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending \0 bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.

A vulnerability was found in Keycloak where every Authorization URL that points to an IDP server lacks proper input validation. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients.

Apache Shiro, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

A client side enforcement of server side security vulnerability exists in rails and rails ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

A client side enforcement of server side security vulnerability exists in rails and rails ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

A directory traversal vulnerability in EC-CUBE allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors.

Apache Archiva login service is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

Apache Archiva login service is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.

In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.

A reliance on cookies without validation/integrity check security vulnerability exists in rack that makes it is possible for an attacker to forge a secure or host-only cookie prefix.

Strapi could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.

A deserialization of untrusted data vulnerability exists in rails which can allow an attacker to supply information can be inadvertently leaked.

A deserialization of untrusted data vulnerability exists in rails, rails which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

A deserialization of untrusted data vulnernerability exists in rails that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

A deserialization of untrusted data vulnernerability exists in rails, rails that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

A reflected cross-site scripting (XSS) vulnerability in Dolibarr allows remote attackers to inject arbitrary web script or HTML into public/notice.php.

A CSRF vulnerability exists in Rails' rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

A CSRF vulnerability exists in rails rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

WooCommerce when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.

An SQL injection vulnerability in accountancy/customer/card.php in Dolibarr allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

In mversion, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

MJML contains a path traversal vulnerability when processing the mj-include directive within an MJML document.

The x/text package for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory.

In Sanitize (RubyGem sanitize) there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's relaxed config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist.

In IJG JPEG (aka libjpeg) jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

GNU Bison allows attackers to cause a denial of service (application crash).

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

A TOCTOU issue in the chownr package for Node.js could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

In IJG JPEG (aka libjpeg), jdhuff.c has an out-of-bounds array read for certain table pointers.

libpcre in PCRE allows an integer overflow via a large number.

An issue was discovered in ecma/operations/ecma-container-object.c in JerryScript. Operations with key/value pairs did not consider the case where garbage collection is triggered after the key operation but before the value operation, as demonstrated by improper read access to memory in ecma_gc_set_object_visited in ecma/base/ecma-gc.c.

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector …

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port, which does not include authentication.

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for …

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

In Dijit there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin.

KumbiaPHP in Development mode, allows XSS via the public/pages/kumbia PATH_INFO.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool.

This advisory has been marked as False Positive as it affects org.apache.karaf.management.server.

Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network.

SSB-DB has an information disclosure vulnerability. The get() method is supposed to only decrypt messages when you explicitly ask it to, but there is a bug where it's decrypting any message that it can.

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers.

HashiCorp Consul and Consul Enterprise include an HTTP API caching feature that was vulnerable to denial of service.

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry.

HashiCorp Consul and Consul Enterprise do not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled.

agoo allows request smuggling attacks where agoo is used as a backend with a frontend proxy that is also vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer-Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

goliath allows request smuggling attacks where goliath is used as a used as a backend with a frontend proxy that is also vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer-Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

A flaw was discovered in Undertow where certain requests to the Expect: header may cause an out of memory error. This flaw may potentially lead to a denial of service.

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may …

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may …

access-policy is vulnerable to Arbitrary Code Execution. User input provided to the template function is executed by the eval function resulting in code execution.

node-extend is vulnerable to Arbitrary Code Execution. User input provided to the argument A of extend function(A, B, as, isAargs) located within lib/extend.js is executed by the eval function, resulting in code execution.

mosc is vulnerable to Arbitrary Code Execution. User input provided to properties argument is executed by the eval function, resulting in code execution.

cd-messenger is vulnerable to Arbitrary Code Execution. User input provided to the color argument executed by the eval function resulting in code execution.

In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the sanitize() and the validate() function used within schema-inspector.

phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.

phpMussel has an deserialization vulnerability in the phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution.

Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.

OWASP json-sanitizer allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.

opencart allows remote authenticated users to conduct XSS attacks via a crafted filename in the image upload section because due to missing entity encoding.

In Couchbase Server and Couchbase Sync Gateway, the Cluster management, views, query, and full-text search endpoints are vulnerable to the Slowloris denial-of-service attack because they don't more aggressively terminate slow connections.

PHPMailer contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or any mail relay processing the message.

In Bolt CMS, the filename of uploaded files was vulnerable to stored XSS. It is not possible to inject javascript code in the file name when creating/uploading the file. But, once created/uploaded, it can be renamed to inject the payload in it. Additionally, the measures to prevent renaming the file to disallowed filename extensions could be circumvented.

Angular suffers from a cross site scripting flaw. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping <option> in <select> tags changes parsing behavior, leading to possibly unsanitizing code.

GraphQL Playground (graphql-playground-html NPM package) has a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability.

Bolt CMS lacks CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview.

The Ignition page for Laravel mishandles globals, _get, _post, _cookie, and _env.

The Management Console allows XXE during addition or update of a Lifecycle.

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

The Kubernetes kube-controller-manager is vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

The Kubernetes kube-controller-manager is vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not expecting validation rules to be enforced on the WebSocket subscriptions transport and are unconcerned about introspection being enabled on the WebSocket subscriptions transport (or were not expecting that), then this advisory is not applicable. If introspection: true is passed to the ApolloServer constructor options, the impact is limited to user-provided validation rules …

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in october/october.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in october/system.

Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process.

django-nopassword before 5.0.0 stores cleartext secrets in the database.

An issue was discovered in drf-jwt It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the block list protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained.

An issue was discovered in Django version 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

An issue was discovered in the Comments plug for Craft CMS. There is stored XSS via an asset volume name.

An issue was discovered in the Comments plugin for Craft CMS. It suffers from a persistent Cross-site Scripting flaw by allowing malicious users to inject javascript into the guest name.

A Cross-Site Request Forgery issue was discovered in the Comments plugin for Craft CMS. The CSRF issue can affect the integrity of comments.

url-regex is vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.

The October CMS debugbar plugin contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as the potential exists for them to use this feature to view all requests being made to the application and obtain sensitive information …

In OctoberCMS, an attacker can read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build.

mozjpeg has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

libjpeg-turbo has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Jenkins Play Framework Plug lets users specify the path to the play command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.

Apache Ignite uses a database to build SQL distributed execution engine that provides SQL functions which could be used by attacker to access to a filesystem.

In WatermelonDB (NPM package "@nozbe/watermelondb"), a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don't validate IDs (valid IDs are /^[a-zA-Z0-9_-.]+$/) and use Watermelon Sync or low-level database.adapter.destroyDeletedRecords method. The integrity risk is low due to the fact …

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability …

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).

In OctoberCMS, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack.

Sabberworm PHP CSS Parser calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).

In OctoberCMS, an attacker can delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission.

In OctoberCMS, an attacker can upload files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission.

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).

Jenkins ECharts API Plugin does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability.

Jenkins Script Security Plugin does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

Jenkins ECharts API Plugin does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability.

Jenkins Subversion Partial Release Manager Plugin does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.

Jenkins Compact Columns Plugin displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Jenkins Selenium Plugin has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.

In OctoberCMS, any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: Have found a vulnerability in the victim's spreadsheet software of choice. Control data that …

websocket-extensions ruby module allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

websocket-extensions npm module allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Spring Cloud Config allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service.

common.php in the Gravity Forms plugin for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.

serialize-javascript allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js.

reel allows Request Smuggling attacks due to incorrect Content-Length and Transfer-Encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

snyk-broker is vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.

snyk-broker is vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.

snyk-broker is vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.

snyk-broker is vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match certain paths.

snyk-broker is vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a path e.g., #package.json.

snyk-broker allows arbitrary file reads to users with access to Snyk's internal network for any files ending with the following extensions: .yaml, .yml or json.

An unauthenticated privilege-escalation issue exists in the bbPress plug for WordPress when New User Registration is enabled.

parser/js/js-scanner.c in JerryScript mishandles errors during certain out-of-memory conditions, as demonstrated by a scanner_reverse_info_list NULL pointer dereference and a scanner_scan_all assertion failure.

node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands . This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.

An access bypass vulnerability exists when the experimental Workspaces module. This can be mitigated by disabling the Workspaces module.

An access bypass vulnerability exists when the experimental Workspaces module. This can be mitigated by disabling the Workspaces module.

In Kaminari, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links.

JerryScript allows attackers to cause a denial of service (stack consumption) via a proxy operation.

JerryScript allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.

Centreon exposes Session IDs in server responses.

aegir may leak secrets from environment variables in the browser bundle published to npm.

A flaw was found in Undertow, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

The bbPress plug for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI.

The knock-knock plugin for Craft CMS suffers from an open redirect flaw.

The knock-knock plugin for Craft CMS may allow a user who injects a specially crafted X-Forwarded-For HTTP header to bypass IP restrictions.

EM-HTTP-Request uses the library eventmachine insecurely, allowing an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.

An issue was discovered in the Image Resizer plug for Craft CMS. There is stored XSS in the Bulk Resize action.

An issue was discovered in the Image Resizer plug for Craft CMS. There are CSRF issues with the log-clear controller action.

An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used.

Apache Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it …

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it …

In GitLab Puma (RubyGem), a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that …

In GitLab Puma (RubyGem), an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header.

In Puma (RubyGem), an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header.

In Puma (RubyGem), a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the …

A denial of service vulnerability exists when dotnet Core or dotnet Framework improperly handles web requests.

Centreon allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (found in main.get.php) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

It is possible to create an SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.

Jodd before performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.

The DMS/ECM module in Dolibarr allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.

In Gitea, an attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another.

When using Apache Tomcat to M1 to to to if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and …

When using Apache Tomcat, an attacker is able to control the contents and name of a file on the server.

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.

The DMS/ECM module in Dolibarr renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. Rendering these files directly, may lead to XSS.

Attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server. Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.

A flaw was found in resteasy where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

em-imap uses the library eventmachine insecurely, allowing an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.

jQuery, which is used by the rdoc gem, allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e., </script >, which results in the enclosed script logic to be executed.

An issue was discovered in GWTUpload's server/UploadServlet.java (the servlet for handling file upload) accepts a delay parameter that causes a thread to sleep. It can be abused to cause all of a server's threads to sleep, leading to denial of service.

The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.

Dolibarr is vulnerable to XSS.

The kerberos package for Node.js allows arbitrary code execution and privilege escalation. The flaw may be exploited by injecting malicious DLLs, due to incorrect handling of DLL search paths in the kerberos_sspi LoadLibrary() method.

Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

A flaw was found in Keycloak where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

A flaw was found in Keycloak where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

MISP MISP-maltego incorrectly shares a MISP connection across users in a remote-transform use case.

pandas can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if reduce makes an os.system call.

An XSS issue was identified on the Subrion CMS /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding.

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.

Lack of output sanitization can lead to the execution arbitrary shell commands via the logkitty npm package.

Spring Security uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

In Apache RocketMQ, when the automatic topic creation in the broker is turned on by default, an evil topic like ../../../../topic2020 is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.

In Apache RocketMQ, when the automatic topic creation in the broker is turned on by default, an evil topic like ../../../../topic2020 is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.

When running a process with an enabled JMXReporter, with a port configured via metrics.reporter.reporter_name > .port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data.

Apache Ant uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

Calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the website (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.

Calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the website (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.

A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. The vulnerability is due to the lack of validation of the mac parameter in baremetal virtual router. If you insert an arbitrary shell command into the mac parameter, v-router will process the command.

Apache Camel's JMX is vulnerable to a Rebind Flaw.

It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.

Apache Camel Netty enables Java deserialization by default.

Apache Camel RabbitMQ enables Java deserialization by default.

It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.

In Apache ActiveMQ, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.

In TYPO3 CMS, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be …

In TYPO3 CMS, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be …

H2, as used in Datomic and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code.

TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.

TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.

In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.

When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

All versions before 1.6.7 of org.jooby:jooby are vulnerable to Directory Traversal via two separate vectors.

A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.

The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability. Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Invalid markup it still is evaluated in browsers and may lead to cross-site scripting.

It has been discovered that link tags generated by the typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly.

It has been discovered that link tags generated by the typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly.

There is a vulnerability in actionpack_page-caching that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.

There is a possible information disclosure issue in Active Resource that could allow an attacker to create specially crafted requests to access data and possibly leak information.

SLPJS has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton.

In SLP Validate, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton.

A flaw was found in the reset credential flow which allows an attacker to gain unauthorized access to the application.

A flaw in the reset credential flow in keycloak allows an attacker to gain unauthorized access to the application.

Jooby is vulnerable to a Directory Traversal via two separate vectors.

A flaw was found in Keycloak which allows a malicious user that is currently logged in, to see the personal information of a previously logged-out user in the account manager section.

A flaw in Keycloak allows a malicious user that is currently logged in, to see the personal information of a previously logged-out user in the account manager section.

A flaw was found in Keycloak. This flaw allows a malicious user that is currently logged-in, to see the personal information of a previously logged-out user in the account manager section.

In the SEOmatic plugin for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon.

A flaw was found in keycloak. A logged exception in the HttpMethod class may leak the password given as parameter.

A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

A flaw was found in keycloak A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.

Apache log4net does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

Apache log4net do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

Apache log4net does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.

A flaw was found in Ansible when using modules which decrypts vault files. The temporary directory is created in /tmp and left unecrypted.

json-c has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.

Possible XXE during an EventPublisher update.

A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running the application.

A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.

In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0.

In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0.

This advisory has been marked as False-Positive and removed.

In Shopizer, a script can be injected in various forms and saved in the database, then executed when information is fetched from backend.

A potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on …

curlrequest allows reading any file by populating the file parameter with user input.

In Sorcery, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout.

In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machines. This most impacts …

In Java-WebSocket there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation.

Jenkins Copy Artifact Plugin performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.

A missing permission check in Jenkins Amazon EC2 Plugin form-related methods allows users with Overall/Read access to enumerate credential IDs of the credentials stored in Jenkins.

core/get_menudiv.php in Dolibarr allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.

PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertions that have been signed.

A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Jenkins Amazon EC2 Plugin unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.

A cross-site request forgery vulnerability in Jenkins CVS Plugin allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin allows attackers to provision instances.

Jenkins Amazon EC2 Plugin does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks.

macaron before has an open redirect in the static handler.

TensorFlow has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.

Attackers could inject arbitrary JEXL expressions, leading to Remote Code Execution.

Doorkeeper contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized application controller is enabled.

A flaw was found in Keycloak where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

An attacker could use the 'remove devices form' to post different credential IDs and possibly remove MFA devices for other users.

An issue was discovered in service-api. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.

Lack of authorization controls in REST API functions in TeamPass allows any TeamPass user with a valid API token to become a TeamPass administrator and read or modify all passwords via authenticated api/index.php REST API calls.

It was found that the Apache Syncope EndUser UI login page reflects the successMessage parameters. By this means, a user accessing the Enduser UI could execute javascript code from URL query string.

A Server-Side Template Injection in Apache Syncope enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able …

All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.

An archive traversal flaw was found in all ansible-engine, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.

Subrion CMS allows session fixation via an alphanumeric value in a session cookie.

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

TeamPass allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request.

TeamPass allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.

The REST API functions in TeamPass allow any user with a valid API token to bypass IP address allowlist restrictions via an X-Forwarded-For client HTTP header to the getIp function.

Actions Http-Client can disclose Authorization headers to incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: make an http request with an authorization header that request leads to a redirect (302) the redirect url redirects to another domain or hostname. Consequently, the authorization header will get passed to the other domain.

In Rundeck, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really …

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods may execute untrusted code. This problem is patched in jQuery

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Subrion CMS allows CSV injection via a phrase value within a language.

Faye is vulnerable to an authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel.

Faye is vulnerable to an authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel.

admin/blocks.php in Subrion CMS through allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.`

In jQuery, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In jQuery, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.

In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this …

fun-map is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a proto payload.

If the NiFi Registry uses an authentication mechanism other than PKI, the NiFi Registry would invalidate the authentication token on the client side but not on the server side during user logout. This permits the user's client-side token to be used after logging out to make API requests to NiFi Registry potentially hours after the user clicked logout.

A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of in Undertow. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.

A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.

A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.

The JSON gem has an Unsafe Object Creation Vulnerability. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

pixl-class allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops.

node-rules including allows injection of arbitrary commands. The argument rules of function fromJSON() can be controlled by users without any sanitization.

An issue was discovered in libgit2, which is used by pygit2 package: checkout.c mishandles equivalent filenames that exist because of NTFS short names.

An issue was discovered in libgit2. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams.

An issue was discovered in libgit2 checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository.

An issue was discovered in libgit2, which is used by pygit2 package: path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.

An issue was discovered in libgit2, which is used by rugged gem: path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.

An issue was discovered in libgit2, which is used by rugged gem: checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository.

When starting IoTDB, the JMX port is exposed with no certification. Then, clients could execute code remotely.

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

OpenDMARC, when used with pypolicyd-spf, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.

decompress for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.

Croogo allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies.

MinIO has an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, i.e., creating new service accounts for existing access keys without knowing the admin secret key.

Anch allows admins to cause XSS via crafted post content.

The PayPal function in paypal-adaptive could be tricked into adding or modifying properties of Object.prototype using a proto payload.

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application.

In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.

lazysizes allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams

jQuery allows XSS via a crafted onerror attribute of an IMG element.

re2c has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.

Server or client applications that call the SSL_check_chain() function during or after a TLS handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the signature_algorithms_cert TLS extension.

Server or client applications that call the SSL_check_chain() function during or after a TLS handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the signature_algorithms_cert TLS extension.

Server or client applications that call the SSL_check_chain() function during or after a TLS handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the signature_algorithms_cert TLS extension.

SimpleSAMLphp contain an information disclosure vulnerability. The module controller in SimpleSAML\Module that processes requests for pages hosted by modules, has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser. The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path …

A flaw was found in undertow, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

In Saml2 Authentication Services for ASP.NET, and between, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that is tied to a subject through other means, e.g. holder-of-key where possession of a …

Various forms of SQL injection has been found, for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL was only affected when filtering with contains, starts_with or ends_with filters (and their case-insensitive counterparts)

svg2png allows XSS with resultant SSRF via JavaScript inside an SVG document.

lix allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field.

Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials. Recommendation Upgrade to version 3.0.0 or 2.2.3.

Jenkins Parasoft Findings Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.

In Shopizer, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart.

Jenkins Yaml Axis Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

In Dolibarr, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools audit page. This may lead to stealing of the admin account.

In Dolibarr, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.

Jenkins Copr Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.

In SilverStripe, files uploaded via Forms to folders migrated from Silverstripe may be put to the default /Uploads folder instead.

Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Connectors.

Istio has a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access …

Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a …

The WindowsHello has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could be able to decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again.

A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

An issue was discovered in OpenEXR. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.

There is a std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.

There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.