Advisories

Synapse allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.

In Apache Karaf, if the sshd service in Karaf is left on, an administrator can manage the running instance, any user with rights to the Karaf console can pivot and read/write any file on the file system to which the Karaf process user has access.

node-bsdiff-android downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

When Pax Web Extender Whiteboard is installed, the Karaf console becomes available at another (insecure) URL giving access to the Karaf console to unauthenticated users.

Apache Camel Mail is vulnerable to path traversal.

Moodle is vulnerable to a boost theme; the blog search GET parameter is insufficiently filtered. The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.

Moodle is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy drag and drop into text (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

An issue was discovered in QuickAppsCMS (aka QACMS). A CSRF vulnerability can change the administrator password via the user/me URI.

Buffer overflow in OPC UA applications allows remote attackers to trigger a stack overflow with carefully structured requests.

An XXE vulnerability in the OPC UA Java and .NET Legacy Stack can allow remote attackers to trigger a denial of service.

An issue was discovered in TCPDF. Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.

A denial of service vulnerability exists when OData Library improperly handles web requests, aka "OData Denial of Service Vulnerability." This affects Microsoft.Data.OData.

A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service." This affects .NET Core, System.IO.Pipelines, ASP.NET Core

aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie).

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8367, CVE-2018-8466, CVE-2018-8467.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8354, CVE-2018-8391, CVE-2018-8456, CVE-2018-8457.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8354, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8367, CVE-2018-8465, CVE-2018-8466.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8465, CVE-2018-8466, CVE-2018-8467.

Netwide Assembler (NASM) rc15 has an invalid memory write (segmentation fault) in expand_smacro in preproc.c, which allows attackers to cause a denial of service via a crafted input file.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8367, CVE-2018-8465, CVE-2018-8467.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8391, CVE-2018-8456, CVE-2018-8457, CVE-2018-8459.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8354, CVE-2018-8391, CVE-2018-8457, CVE-2018-8459.

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

When parsing a malformed JSON payload, libprocess in Apache Mesos crashes due to an uncaught exception. Parsing chunked HTTP requests with trailers can lead to a libprocess crash because of the mistakenly planted assertion.

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers, aka "Scripting Engine Information Disclosure Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge.

An information disclosure vulnerability exists when the browser scripting engine improperly handle object types, aka "Microsoft Scripting Engine Information Disclosure Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge, Internet Explorer

An issue was discovered in Elefant CMS There is a PHP Code Execution Vulnerability in apps/filemanager/upload/drop.php by using /filemanager/api/rm/.htaccess to remove the .htaccess file, and then using a filename that ends in .php followed by space characters.

An issue was discovered in Elefant CMS There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with <?php content, because of insufficient input validation in apps/designer/handlers/csspreview.php.

It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.

Smarty allows attackers to bypass the trusted_dir protection mechanism via a /../ substring in an include statement.

Rubedo contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside the service root path.

An issue was discovered in GNU Mailman A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.

Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the …

A Security Feature Bypass vulnerability exists in MSR JavaScript Cryptography Library that is caused by incorrect arithmetic computations, aka "MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability." This affects Microsoft Research JavaScript Cryptography Library.

When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside the allowed allocation pool.

TLS hostname verification when using the Apache ActiveMQ Client is missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server.

A command Injection in ps allowed arbitrary commands to be executed when attacker controls the PID.

An issue was discovered in Gleez CMS. Because of an Insecure Direct Object Reference vulnerability, it is possible for attackers (logged-in users) to view profile page of other users.

An Input validation issue in EC-CUBE Payment Module allows an attacker with administrative rights to execute arbitrary PHP code on the server via unspecified vectors.

A Cross-site scripting vulnerability in EC-CUBE Payment Module allow an attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.

This issue was discovered in the context of an out-of-bound write that occurred when patching an Openshift object using the 'oc patch' functionality.

asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.

NASM nasm-2.13.03 nasm- rc15 rc15 contains a memory corruption (crashed) of nasm when handling a crafted file due to function assemble_file(inname, depend_ptr) at asm/nasm.c:482. vulnerability in function assemble_file(inname, depend_ptr) at asm/nasm.c:482. that can result in aborting/crash nasm program. This attack appear to be exploitable via a specially crafted asm file..

An issue was discovered in Mayan EDMS The Appearance app sets window.location directly, leading to XSS.

An issue was discovered in Mayan EDMS The Tags app has XSS because tag label values are mishandled.

An issue was discovered in Mayan EDMS The Cabinets app has XSS via a crafted cabinet label.

Dojo Objective Harness (DOH) contains a Cross Site Scripting (XSS) vulnerability that can result in a victim being attacked through their browser, deliver malware, steal HTTP cookies, or bypass CORS trust. This attack appear to be exploitable when victims are lured to a website under the attacker's control; the XSS vulnerability on the target domain is silently exploited without the victim's knowledge.

An unescaped payload in exceljs allows a possible XSS via cell value when worksheet is displayed in browser.

LavaLite has XSS via a /edit URI, as demonstrated by client/job/job/Zy8PWBekrJ/edit.

Django-CRM allows CSRF for /users/create/, /users/##/edit/, and /accounts/##/delete/ URIs.

ThinkPHP allows SQL Injection via the public/index/index/test/index query string.

Netwide Assembler (NASM) rc15 has a buffer over-read in x86/regflags.c.

An issue was discovered in Elefant CMS There is a CSRF vulnerability that can add an account via user/add.

Pandao Editor.md allows XSS via crafted attributes of an invalid IMG element.

An issue was discovered in Gleez CMS. There is XSS via media/imagecache/resize.

ShowDoc is vulnerable to XSS.

There is Stored XSS in Subrion via the admin panel URL configuration.

Path traversal in simplehttpserver allows listing any file on the server.

This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash. An attacker can leverage this vulnerability to deny access to the target system.

Use after free in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.

The libxml2 binary, which is included in nokogiri, incorrectly handles certain files. An attacker can use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service.

Umbraco has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files.

There is a CSRF vulnerability that can add an administrator account in Gleez CMS via admin/users/add.

A command injection vulnerability in egg-scripts allows arbitrary shell command execution through a maliciously crafted command line argument.

Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions.

An issue was discovered in phpMyAdm. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature.

A denial of service vulnerability exists in Jenkins in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials.

An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry This can allow an attacker unauthorized access to the partitioned data of a Sentry protected table and can allow an attacker to remove data from a Sentry protected table.

A denial of service vulnerability exists in Jenkins in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.

GitHub Electron is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.

A vulnerability in Jenkins in Computer.java allows attackers With Overall/Read permission to access the connection log for any agent.

An improper authorization vulnerability exists in Jenkins in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center.

A vulnerability exists in Jenkins in SecurityRealm.java, TokenBasedRememberMeServices.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled.

A vulnerability exists in Jenkins that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL.

Apache Struts suffers from RCE when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin).

If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker.

A flaw was found in Foreman's katello plugin. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.

pyro unsafely handles pid files in temporary directory locations and opening the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks.

apps/filemanager/handlers/upload/drop.php in Elefant CMS performs an urldecode step too late in the Cannot upload executable files protection mechanism.

PyCryptodome has an integer overflow in the data_len variable in AESNI.c, related to the AESNI_encrypt and AESNI_decrypt functions.

Eclipse RDF4j contains an XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file.

Improper Input Validation vulnerability in Flask that can result in large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding.

An issue was discovered in the Paymorrow module for OXID eShop. An attacker can bypass delivery-address change detection if the payment module does not use eShop`s checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module.

OpenCart-Overclocked contains a Cross Site Scripting (XSS) vulnerability. This attack appear to be exploitable via Malicious input passed in GET parameter.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

In the library libgit2, which is used by pygit2, a remote attacker can send a crafted smart-protocol ng packet that lacks a \0 byte to trigger an out-of-bounds read leading to a DoS.

There is a vulnerability in ng_pkt (transports/smart_pkt.c) in libgit2 which is wrapped by the rugged gem. A remote attacker can send a crafted smart-protocol ng packet that lacks a \0 byte to trigger an out-of-bounds read that leads to DoS.

In Dojo Toolkit, there is unescaped string injection in dojox/Grid/DataGrid.

A privilege escalation detected in flintcms allows account takeover due to blind MongoDB injection in password reset.

Pimcore allows SQL Injection via the REST web service API.

A command injection in git-dummy-commit allows os level commands to be executed due to an unescaped parameter.

Haxe 3 : The Cross-Platform Toolkit (a fork from David Mouton's damoebius/haxe-npm) haxe3 downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

A code injection in cryo allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.

Pimcore allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token.

libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.

libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vulnerability exists because of a missing fix for CVE-2016-4483.

When reading a specially crafted ZIP archive, the read method of Apache Commons ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. This can lead to an infinite stream, which can be used to mount a denial of service attack against services that use compressed zip package.

libxml2, if –with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge. This CVE ID is unique from CVE-2018-8353, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8380, CVE-2018-8381, CVE-2018-8384.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects Internet Explorer 9, ChakraCore, Internet Explorer, Microsoft Edge, Internet Explorer This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8389, CVE-2018-8390.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8381, CVE-2018-8384.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8384.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8372, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge. This CVE ID is unique from CVE-2018-8353, CVE-2018-8355, CVE-2018-8359, CVE-2018-8371, CVE-2018-8373, CVE-2018-8385, CVE-2018-8389, CVE-2018-8390.

jstestdriver is a wrapper for Google's jstestdriver. jstestdriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

resourcehacker is a Node wrapper of Resource Hacker (windows executable resource editor). resourcehacker downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8266, CVE-2018-8380, CVE-2018-8381.

active-support ruby gem could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

Apache Spark standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property spark.authenticate.secret establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to run a driver program …

Incorrect parsing in url-parse returns the wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

The cloudtoken daemon on Linux allows attackers on the same subnet to gain temporary AWS credentials.

active-support could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

An SSRF vulnerability in webhooks in Gitea and Gogs allows remote attackers to access intranet services.

Improper authorization in aedes will publish a LWT in a channel when a client is not authorized.

Cookie serialization vulnerability.

Cookie serialization vulnerability in laravel framework.

PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This can lead to remote code execution.

PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This can lead to remote code execution.

A Server Side Template Injection (SSTI) was discovered in the SEOmatic plug for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.

The implementation of CSRF protection did not use different tokens for HTTP and HTTPS, therefore the token was subject to MITM attacks on HTTP and could then be used in HTTPS context to do CSRF attacks.

It was noticed an XSS in certain pages that could be exploited to perform an XSS attack.

The current implementation of CSRF protection in Symfony does not use different tokens for HTTP and HTTPS.

The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the $_POST array in plain PHP) and uploaded files data (known as the $_FILES array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. …

When a form is submitted by the user, the request handler classes of the Form component merge POST data (known as the $_POST array in plain PHP) and uploaded files data (known as the $_FILES array in plain PHP) into one array. This big array forms the data that are then bound to the form. At this stage there is no difference anymore between submitted POST data and uploaded files. …

This package includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.

This package includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack.

An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL …

django.middleware.common.CommonMiddleware has an Open Redirect.

An issue was discovered in Http Foundation in Symfony. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This …

An issue was discovered in HttpKernel in Symfony When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

Insufficient URI encoding in restforce allows attacker to inject arbitrary parameters into Salesforce API requests.

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.

A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection.

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.

paypal/permissions-sdk-php is vulnerable to reflected XSS in the samples/GetAccessToken.php verification_code parameter, resulting in code execution.

Apache Axis is vulnerable to a cross-site scripting (XSS) attack.

paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permissions.php via the permToken parameter, resulting in code execution.

uploads/.htaccess in Subrion CMS allows XSS because it does not block .html file uploads.

Tomcat contains a race condition that could result in a user seeing a response intended for a different user.

A confused deputy vulnerability exists in Jenkins Publisher Over CIFS Plugin in CifsPublisherPluginDescriptor.java that allows attackers to have Jenkins connect to an attacker specified CIFS server with attacker specified credentials.

This package are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.

It is possible to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least) it is possible to perform updates/inserts/deletes, and database modifications to any table the database user has access to.

A server-side request forgery vulnerability exists in Jenkins Confluence Publisher Plugin that allows attackers to have Jenkins submit login requests to an attacker-specified Confluence server URL with attacker specified credentials.

An exposure of sensitive information vulnerability exists in the Jenkins Kubernetes Plugin in KubernetesCloud.java. The vulnerability allows attackers to capture credentials with a known credentials ID stored in Jenkins.

An exposure of sensitive information vulnerability exists in the Jenkins Tinfoil Security Plugin in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret.

An exposure of sensitive information vulnerability exists in Jenkins that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

An exposure of sensitive information vulnerability exists in Jenkins Anchore Container Image Scanner Plugin in AnchoreBuilder.java that allows attackers with Item/ExtendedRead permission or file system access to the Jenkins master to obtain the password stored in the plugin configuration.

An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

An exposure of sensitive information vulnerability exists in Jenkins that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin configuration.

An exposure of sensitive information vulnerability exists in the Jenkins SSH Agent Plugin in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log.

A data modification vulnerability exists in Jenkins Resource Disposer Plugin in AsyncResourceDisposer.java that allows attackers to stop tracking a resource.

The host name verification when using TLS with the WebSocket client was missing.

It was found that SAML authentication in Keycloak incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.

A cross-site scripting vulnerability exists in the Jenkins Shelve Project Plugin that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

An exposure of sensitive information vulnerability exists in Jenkins that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.

Apache Camel is vulnerable to XXE in XSD validation processor.

react-native-baidu-voice-synthesizer is a baidu voice speech synthesizer for react native. react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

haxeshim haxe shim to deal with coexisting versions. haxeshim downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

alto-saxophone is a module to install and launch Chromedriver for Mac, Linux or Windows. alto-saxophone versions below 2.25.1 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, which allows remote HTTP servers to obtain sensitive information by reading Authorization headers.

It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.

Concatenating unsanitized user input in the whereis npm module allows an attacker to execute arbitrary commands. The whereis module is deprecated and it is recommended to use the which npm module instead.

The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag, an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

There is a stored Cross-Site Scripting vulnerability in the metascrape npm module.

Relative Path Traversal in superstatic.

When Keycloak receives a Logout request in the middle of the request, the SAMLSloRequestParser.parse() method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks.

With non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.

It was discovered that Undertow processes http request headers with unusual whitespaces which can cause possible http request smuggling.

It was discovered in Undertow that the code that parses the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.

mystem-fix is a node.js wrapper for MyStem morphology text analyzer by Yandex.ru mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

The Distributed Fork plugin for Jenkins that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.

In Apache Kafka authenticated users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.

It was found that while parsing the SAML messages the StaxParserUtil class of keycloak replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the InResponseTo field in the response.

It was discovered that the XmlUtils class in jbpmmigration performs expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.

base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.

connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

connect node module suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.

An input validation vulnerability was found in Ansible's mysql_user module, which may fail to correctly change a password in certain circumstances. Thus, the previous password would still be active when it should have been changed.

defaults-deep node module suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.

An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.

Authenticated Kafka clients may use impersonation via a manually crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication when using the built-in PLAIN or SCRAM server implementations in Apache Kafka.

It was discovered that the hawtio servlet uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies.

A race-condition flaw was discovered in openstack-neutron: following a minor overcloud update, neutron security groups were disabled.

zt-zip is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as Zip-Slip.

mholt/archiver golang package before is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

unzipper npm library is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as Zip-Slip.

The adm-zip npm library is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ in a Zip archive entry that is mishandled during extraction.

SharpCompress is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

DotNetZip.Semvered is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

zip4j is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as Zip-Slip.

Universal Feed Parser (aka feedparser or python-feedparser) allows remote attackers to cause a denial of service (memory consumption) via a crafted XML ENTITY declaration in a non-ASCII encoded document.

Wizkunde SAMLBase may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

An issue was discovered in aubio. A buffer over-read can occur in new_aubio_pitchyinfft in pitch/pitchyinfft.c, as demonstrated by aubionotes.

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Zope, as used in Plone before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

ZPublisher.HTTPRequest._scrubHeader in Zope 2, as used in Plone beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

The App.Undo.UndoSupport.get_request_var_or_attr function in Zope, as used in Plone before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator , which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types .

ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed character.

plone.app.users in Plone allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.

ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors.

feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration.

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service a slow response, a large amount of application data, a related issue to CVE-2011-1521.

Sensitive information is leaked through Plugin.java that allows attackers to determine the date and time when a plugin HPI/JPI file was last extracted, which typically is the date of the most recent installation/upgrade.

An Improper authorization vulnerability exists in Jenkins in SlaveComputer.java that allows attackers with Overall/Read permission to initiate agent launches, and abort in-progress agent launches.

An Improper authorization vulnerability exists in Jenkins in Queue.java that allows attackers with Overall/Read permission to cancel queued builds.

An issue was discovered in aubio. A SEGV signal can occur in aubio_pitch_set_unit in pitch/pitch.c, as demonstrated by aubionotes.

An issue was discovered in aubio. A SEGV signal can occur in aubio_source_avcodec_readframe in io/source_avcodec.c, as demonstrated by aubiomfcc.

Cross-site scripting (XSS) vulnerability in Plone allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.

Cross-site scripting (XSS) vulnerability in Zope allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.

Cross-site scripting vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken cookie.

Cross-site scripting vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.

Cross-site scripting vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.

Cross-site scripting vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / character in a key in a session cookie, related to session replays.

An unauthorized modification of configuration vulnerability exists in Jenkins, in User.java that allows attackers to provide crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory.

Plone 4.1.3 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service by sending many crafted parameters.

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service via a URL that specifies a large base36 integer.

An arbitrary file read vulnerability exists in Jenkins, Stapler allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master has access to.

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

The PlonePAS product, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors.

Unspecified vulnerability in (1) Zope, as used in Plone and other products, and (2) PloneHotfix20110720 for Plone allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.

Unspecified vulnerability in Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-0720.

A cross-site scripting vulnerability exists in Jenkins, in BuildTimelineWidget.java, that allows attackers with Job/Configure permission to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.

Gleezcms Gleez CMS contains a Cross Site Scripting (XSS) vulnerability in Profile page that can result in Inject arbitrary web script or HTML via the profile page editor. This attack appear to be exploitable via The victim must navigate to the attacker's profile page.

A cross-site scripting vulnerability exists in Jenkins that allows attackers with the ability to control the existence of some URLs in Jenkins to define JavaScript that would be executed in another user's browser when that other user views HTTPerror pages while Stapler debug mode is enabled.

MathJax contains a Cross Site Scripting (XSS) vulnerability in the unicode{} macro that can result in potentially untrusted Javascript running within a web browser. The victim must view a page where untrusted content is processed using Mathjax.

The Apache TomEE console (tomee-webapp) has a XSS vulnerability which could allow javascript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation.

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

AccessControl/AuthEncoding.py in Zope, as used in Plone before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation.

mitmproxy is vulnerable to DNS Rebinding attacks.

A path traversal exists in markdown-pdf that allows a user to insert a malicious html code that can result in reading the local files.

Apache Ignite does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3rd party vulnerable classes are present in Ignite classpath.

An XSS in statics-server can be used via injected iframe in the filename when statics-server displays directory index in the browser.

The debug handler in Symfony has an XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get` URI.

A remote code execution vulnerability allows attackers to exploit multiple attack vectors on a Drupal site, which can result in the site being compromised.

A remote code execution vulnerability allows attackers to exploit multiple attack vectors on a Drupal site, which can result in the site being compromised.

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Ansible fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.

Pagekit has an open redirect vulnerability.

The getLocalePrefix function in ResourceManager contains a Path Traversal vulnerability.

Passwords for Hadoop credential stores are exposed in Ambari Agent informational log messages when the credential store feature is enabled for eligible services.

Graylog has an XSS in typeahead components.

A directory traversal vulnerability has been found in the Assets controller in the Play Framework. When running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.

XML External Entity vulnerability in PySAML2 4.4.0 and earlier allows remote attackers to read arbitrary files via a crafted SAML XML request or response.

XMLReader.php in PHPOffice Common allows XXE.

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive.

In Mercurial, "hg serve –stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using –debugger as a repository name.

Doorkeeper contains a vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry.

An exploitable vulnerability exists in the Databook loading functionality of Tablib A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vulnerability.

In Bootstrap, XSS is possible in the data-target property of scrollspy.

In Bootstrap, XSS is possible in the data-container property of tooltip.

In Bootstrap, XSS is possible in the collapse data-parent attribute.

An issue was discovered in cloudflare-scrape A malicious website owner could craft a page that executes arbitrary Python code against any cfscrape user who scrapes that website. This is fixed

An issue has been found in libpng It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.

YamlDotNet includes a deserialization vulnerability that can lead to code execution.

In Bootstrap, XSS is possible in the collapse data-parent attribute.

In Bootstrap, XSS is possible in the data-target property of scrollspy.

In Bootstrap, XSS is possible in the data-container property of tooltip.

In Bootstrap, XSS is possible in the data-container property of tooltip.

In Bootstrap before, XSS is possible in the data-target property of scrollspy.

In Bootstrap, XSS is possible in the collapse data-parent attribute.

Privilege Escalation & SQL Injection in TYPO3 CMS.

Privilege Escalation & SQL Injection in TYPO3 CMS.

of eslint-scope was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to 2 remote servers. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

of eslint-scope was published without authorization and was found to contain malicious code. This code would read the users .npmrc file and send any found authentication tokens to 2 remote servers. The best course of action if you found this package installed in your environment is to revoke all your npm tokens. You can find instructions on how to do that here. https://docs.npmjs.com/getting-started/working_with_tokens#how-to-revoke-tokens

Insecure Deserialization in TYPO3 CMS.

Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS.

Insecure Deserialization in TYPO3 CMS.

Insecure Deserialization & Arbitrary Code Execution in TYPO3 CMS.

In Apache Spark it is possible for a malicious user to construct a URL pointing to a Spark cluster UI job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user view of the Spark UI. While some browsers like recent versions of Chrome and Safari are able to block this …

It is possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1.

Codiad allows Remote Code Execution.

Authentication Bypass in TYPO3 CMS.

Authentication Bypass in TYPO3 CMS.

qutebrowser is vulnerable to a cross-site request forgery flaw that allows websites to access qute://* URLs. A malicious website could exploit this to load a qute://settings/set URL, which then sets editor.command to a bash script, resulting in arbitrary code execution.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8286, CVE-2018-8290.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8286, CVE-2018-8290, CVE-2018-8294.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8286, CVE-2018-8294.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8279, CVE-2018-8301.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8280, CVE-2018-8290, CVE-2018-8294.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge, Internet Explorer This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296, CVE-2018-8298.

A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects .NET Framework, Microsoft .NET Framework, Microsoft .NET Framework /4.7/4.7.1/4.7.2, ASP.NET Core, Microsoft .NET Framework, ASP.NET Core, ASP.NET Core, .NET Core, Microsoft .NET Framework, Microsoft .NET Framework, Microsoft .NET Framework /4.6.1/4.6.2, .NET Core, .NET Core, Microsoft .NET Framework, Microsoft .NET Framework /4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core, ASP.NET Core, ASP.NET Core, ASP.NET MVC

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core, ASP.NET Core, ASP.NET Core, ASP.NET MVC

A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory, aka "Microsoft Edge Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8125, CVE-2018-8262, CVE-2018-8274, CVE-2018-8275, CVE-2018-8301.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8291, CVE-2018-8296.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore, Internet Explorer, Microsoft Edge. This CVE ID is unique from CVE-2018-8242, CVE-2018-8283, CVE-2018-8287, CVE-2018-8288, CVE-2018-8296, CVE-2018-8298.

The MongoDB bson JavaScript module is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimaljs. The flaw is triggered when the DecimalfromString() function is called to parse a long untrusted string.

The XMLUI feature in DSpace allows directory traversal via the themes/ path in an attack with two or more arbitrary characters and a colon before a pathname, as demonstrated by a themes/Reference/aa:etc/passwd URI.

A flaw was found in libgit2 which is wrapped by the rugged gem. It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out-of-bound read, which allows reading before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.

The libgit2 library, which is used by pygit2, is vulnerable to an integer overflow which leads to an out-of-bound read. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.

The library libgit2, which is used by pygit2, contains an out-of-bound read vulnerability that can lead to a Denial of Service.

A flaw was found in libgit2 which is wrapped by the rugged gem. A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service.

The macaddress module is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

The macaddress module for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

When a quiz question bank is imported, it is possible for the question preview that is displayed to execute JavaScript that is written into the question bank.

A flaw was found in Moodle. It is possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories.

A flaw was found in Moodle. No option exists to omit logs from data privacy exports, which may contain details of other users who interacted with the requester.

An attacker with access to a secure storm cluster could execute arbitrary code as a different user.

The Jenkins AWS CodePipeline Plugin contains an Insufficiently Protected Credentials vulnerability.

The Jenkins AWS CodeBuild Plugin does not properly protect credentials in AWSClientFactory.

The Jenkins AWS CodeDeploy Plugin does not properly protect credentials in AWSCodeDeployPublisher.

Eran Hammer cryptiles contains an Insufficient Entropy vulnerability in randomDigits(). An attacker is more likely to be able to brute force something that was supposed to be random. This attack appear to be exploitable depending upon the calling application.

The Jenkins AWS CodeDeploy Plugin contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.

In libpng, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.

CSRF vulnerability in the admin panel.

CSRF vulnerability in the admin panel.

SQL injection vulnerability in product/card.php in Dolibarr allows remote attackers to execute arbitrary SQL commands via the statut_buy parameter.

An SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM allows remote attackers to execute arbitrary SQL commands via the statut parameter.

SQL injection vulnerability in product/card.php in Dolibarr allows remote attackers to execute arbitrary SQL commands via the status_batch parameter.

An SQL injection vulnerability in product/card.php in Dolibarr allows remote attackers to execute arbitrary SQL commands via the country_id parameter.

memjs allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage.

Path traversal in buttle module versions allows to read any file on the server-side.

This vulnerability in Apache Solr relates to an XML external entity expansion (XXE) in Solr config files.

Versions of Apache CXF Fediz do not fully disable Document Type Declarations (DTDs) when either parsing the Identity Provider response in the application plugins, or in the Identity Provider itself when parsing certain XML-based parameters.

Angular redactor is vulnerable to stored XSS when HTML content mode is used.

ruby-grape suffers from a cross-site scripting (XSS) vulnerability via format parameter.

rails_admin is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.

query-mysql is vulnerable to an SQL injection vulnerability due to lack of user input sanitization. This may allow an attacker to run arbitrary SQL queries when fetching data from database.

DNN (aka DotNetNuke) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.

In Apache PDFBox, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in the AFMParser.

Ansible does not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

The utilities function of the merge-recursive node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

The utilities function in the merge-objects node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

The utilities function in the deap node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

The utilities function of the merge-options node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

The utilities function in all versions of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

There is a Stored XSS vulnerability in the glance node module versions. File name, which contains malicious HTML (eg. embedded iframe element or javascript: pseudo-protocol handler in <a> element) allows to execute JavaScript code against any user who opens a directory listing containing such crafted file name.

The public node module allows embedding HTML in file names, which (in certain conditions) might lead to execute malicious JavaScript.

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control. The attacker can run arbitrary code as a result.

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via System.setProperty. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior the exception is caught in the reflection code and …

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via System.setProperty. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior the exception is caught in the reflection code and …

A cross-site scripting vulnerability in the xapian-core library that is wrapped by this gem due to incomplete HTML escaping by Xapian::MSet::snippet().

/upload/catalog/controller/account/password.php in OpenCart has CSRF via the index.php?route=account/password URI.

An issue was discovered in OpenTSDB that enables attackers to run arbitrary commands through the /q URI.

There is XSS in parameter type to the /suggest URI.

XSS in parameter json to the /q URI.

The default configuration in Apache Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.

When an intentionally bad query arrives that does not match a dynamic url-pattern, and is eventually handled by the DefaultServlet static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full …

The PortletV3AnnotatedDemo Multipart Portlet war file code provided in Apache Pluto allows a remote attacker to obtain sensitive information.

In PyYAML, the yaml.load() API could execute arbitrary code if used with untrusted data.

There is a race-condition which could lead to authenticated sessions being incorrectly applied to users.

baserCMS allows remote attackers with a site operator privilege to upload arbitrary files.

websockets improperly handles highly compressed data in Servers and clients unless configured with compression=None. This vulnerability can result in a Denial of Service by memory exhaustion.

A session fixation vulnerability exists in the Jenkins SAML Plugin that allows unauthorized attackers to impersonate another users if they can control the pre-authentication session.

aiohttp-session contains a Session Fixation vulnerability in the load_session function for RedisStorage that can result in Session Hijacking. This attack appears to be exploitable via any method that allows setting session cookies.

A server-side request forgery vulnerability exists in the Jenkins URLTrigger Plugin in URLTrigger.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL.

The gem rubyzip contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files, an attacker can upload a malicious file that contains symlinks or files with absolute pathnames .. to write arbitrary files to the filesystem.

baserCMS allows remote authenticated attackers to execute arbitrary OS commands via unspecified vectors.

Transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. A large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to …

A vulnerability exists in the Jenkins Configuration as Code Plugin that allows attackers with access to Jenkins log files

A vulnerability exists in the Jenkins z/OS Connector Plugin. It allows an attacker with local file system access or control of a Jenkins administrator's web browser to retrieve the configured password.

The package sprockets may leak confidential information. Specially crafted requests can be used to access files that exist on the filesystem that are outside an application's root directory when the server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.

baserCMS allows remote attackers to bypass access restriction in mail form to view a file which is uploaded by a site user via unspecified vectors.

A vulnerability exists in the Jenkins GitHub Plugin in GitHubTokenCredentialsCreator.java that allows attackers to capture credentials stored in Jenkins.

A vulnerability exists in the Jenkins Configuration as Code Plugin that allows attackers with Overall/Read access to obtain the YAML export of the Jenkins configuration.

An arbitrary file read vulnerability exists in the Jenkins SSH Credentials Plugin in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system.

Eclipse Jetty contains a vulnerability that could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

json-jwt is vulnerable to improper verification of cryptographic signatures when decrypting AES-GCM encrypted JSON Web Tokens. This can result in an attacker being able to forge an authentication tag.

baserCMS allows remote attackers to bypass access restriction for a content to view a file which is uploaded by a site user via unspecified vectors.

A vulnerability exists in the Jenkins Fortify CloudScan Plugin that allows attackers able to control rulepack zip file contents to overwrite any file on the Jenkins master file system, only limited by the permissions of the user the Jenkins master process is running as.

topydo is vulnerable to byte injection due to missing input validation allowing an attacker to inject arbitrary bytes to the terminal.

A man in the middle vulnerability exists in the Jenkins CollabNet Plugin that allows attackers to impersonate any service that Jenkins connects to.

baserCMS allows remote authenticated attackers to bypass access restriction to view or alter a restricted content via unspecified vectors.

A persisted cross-site scripting vulnerability exists in the Jenkins Badge that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when other user performs some UI actions.

qutebrowser contains a Cross Site Scripting (XSS) vulnerability in history command page (qute://history) enabling attackers to steal the browsing history

Cross-site scripting vulnerability in baserCMS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Joplin contains an XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in the Note content field.

Cross-site scripting vulnerability in baserCMS allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Froxlor version Contains a code injection vulnerability.

Minio a Allocation of Memory Without Limits or Throttling vulnerability in write-to-RAM.

Multiple SQL injection vulnerabilities in Centreon including Centreon Web allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.

Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the jsonp and callback JSONP parameters, enabling cross-domain requests.

This advisory has been marked as a False Positive and has been removed.

This advisory has been marked as a False Positive and has been removed.

Centreon including Centreon Web is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php.

Spring Framework allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

There is Remote Code Execution in Centreon including Centreon Web via the RPN value in the Virtual Metric form in centreonGraph.class.php.

ruby-ffi has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String.

When using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions.

Froxl has Incorrect Access Control for tickets not owned by the current user.

Ansible has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

An issue was discovered in Phusion Passenger. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.

An issue was discovered in phpMyAdm in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for allowed pages.

An issue was discovered in js/designer/move.js in phpMyAdm A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted database name to trigger an XSS attack when that database is referenced from the Designer feature.

The daemons package loads and executes malicious scripts.

Auth0 angular-jwt treats allow listedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.allow listedDomains setting to bypass the domain allowlist filter via a crafted domain.

JBoss RichFaces allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code.

JBoss RichFaces allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code.

A Session Fixation issue exists in CodeIgniter because session.use_strict_mode in the Session Library was mishandled.

Given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.

An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.

During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.

index.js in oauth2orize-fprm is vulnerable to XSS via a crafted URL.

A Cross-site scripting (XSS) vulnerability in Airbnb Knowledge Repo allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/new_report.kp URI.

A race condition in the nginx module in Phusion Passenger allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but before it was chowned, leads to the target of the link being chowned via the path. Targeting sensitive files such as root's crontab file allows privilege escalation.

expressCart allows remote attackers to create an admin user via a /admin/setup Referer header.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka "Scripting Engine Memory Corruption Vulnerability." This affects ChakraCore. This CVE ID is unique from CVE-2018-8267.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8229.

Archive.java in Junrar is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.

Unauthorised users can hijack rooms when there is no m.room.power_levels event in force.

Unsigned versions of the DLLs distributed by the OPC Foundation may be replaced with malicious code.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8227.

DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

The security handlers in the Security component in Symfony have an Open redirect vulnerability when security.http_utils is inlined by a container.

The security handlers in the Security component in Symfony have an Open redirect vulnerability when security.http_utils is inlined by a container.

A session fixation vulnerability within the Guard login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

A session fixation vulnerability within the Guard login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

A session fixation vulnerability within the Guard login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

A session fixation vulnerability within the Guard login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

An issue was discovered in OPC UA .NET Standard Stack and Sample Code before GitHub commit, and OPC UA .NET Legacy Stack and Sample Code before GitHub commit . A vulnerability in OPC UA applications can allow a remote attacker to determine a Server's private key by sending carefully constructed bad UserIdentityTokens as part of an oracle attack.

Apache Geode server is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.

DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler take the content of the _target_path parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.

DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler take the content of the _target_path parameter and generate a redirect response but no check is performed on the path, which could be an absolute URL to an external domain, opening redirect vulnerability. Open redirect vulnerability are not too much considered but they can be exploited for example to mount effective phishing attacks.

An issue was discovered in the HttpFoundation component in Symfony. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

The on_get_missing_events function in handlers/federation.py in Matrix Synapse has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.

An issue was discovered in Yelp OSXCollector. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute.

An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a null password and valid username, which triggers an unauthenticated bind.

An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a null password and valid username, which triggers an unauthenticated bind.

An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a null password and valid username, which triggers an unauthenticated bind.

Ignite Realtime Openfire is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Website, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

The private_address_check ruby gem is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address.

URL Rewrite vulnerability.

URL Rewrite vulnerability in zend-feed.

URL Rewrite vulnerability in zend-http.

URL Rewrite vulnerability in zend-diactoros.

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker.

The MXNet framework will listen on a port different from DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they did not expect to be listening on.

OWASP Dependency-Check allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.

An attacker is able to craft a request that results in an HTTP (redirect) to an entirely different domain.

Unrestricted file upload (RCE) in express-cart module allows a privileged user to gain access in the hosting machine.

The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

method-override is a module used by the Express.js framework to let you use HTTP verbs such as PUT or DELETE in places where the client does not support it. method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.

charset is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is kb, so the impact of the ReDoS is relatively low.

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control …

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around k characters to block for 2 seconds making this a low severity issue.

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

The timespan module is vulnerable to regular expression denial of service. Given k characters of untrusted user input it will block the event loop for around seconds.

The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.

slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About k characters can block the event loop for 2 seconds.

The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.

The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case, it can block the event loop causing a denial of service condition.

calmquist.static-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

dcdcdcdcdc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

node module suffers from a Path Traversal vulnerability due to lack of validation of files, which allows a malicious user to read content of any file with known path.

public node module suffers from a Path Traversal vulnerability due to lack of validation of filePath, which allows a malicious user to read content of any file with known path.

xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL.

goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

caolilinode is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

glance node module suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known path.

ritp is vulnerable to a directory traversal issue whereby an attacker can gain access to the file system by placing ../ in the URL. Access is restricted to files with a file extension, so files such as /etc/passwd are not accessible.

citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

mfrserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL.

serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the URL.

uekw1511server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.

shenliru is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url.