Off-by-one Error
There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.
There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.
Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.
devcert-sanscache allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable commonName controlled by user input is used as part of the exec function without any sanitization.
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
Sonatype Nexus Repository before 3.21.2 allows XSS.
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
Oasis has a potential DNS rebinding or CSRF vulnerability. If you're running a vulnerable application on your computer and an attacker can trick you into visiting a malicious website, they could use DNS rebinding and CSRF attacks.
wolfSSL has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks.
cpp-httplib does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying …
In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.
The ZlibDecoders in Netty allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
npm-programmatic is vulnerable to Command Injection. The packages and option properties are concatenated together without any validation and are used by the exec function directly.
fsa is vulnerable to Command Injection. The first argument of execGitCommand(), located within lib/rep.js can be controlled by users without any sanitization to inject arbitrary commands.
clamscan is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the _is_clamav_binary function located within Index.js.
Jenkins Code Coverage API Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
This advisory has been marked as a false positive.
The ZlibDecoders in Netty contains an unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
sds is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js.
express-mock-middleware is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the Object.prototype. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by express-mock-middleware.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded.
Jenkins AWSEB Deployment Plugin does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.
Jenkins FitNesse Plugin does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users who are able to control the XML input files processed by the plugin.
Jenkins Gatling Plugin prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.
Multiple form validation endpoints in Jenkins Mango Runner Plugin do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users who are able to control the values returned from the useMango service.
There is an information disclosure issue in DNN (formerly DotNetNuke) within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.
apiconnect-cli-plugins is vulnerable to Command Injection. It allows execution of arbitrary commands via the pluginUri argument.
compass-compile is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
diskusage-ng is vulnerable to Command Injection. It allows execution of arbitrary commands via the path argument.
adb-driver is vulnerable to Command Injection. It allows execution of arbitrary commands via the command function.
heroku-addonpool is vulnerable to Command Injection.
node-mpv is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
Jooby is vulnerable to HTTP Response Splitting if DefaultHttpHeaders is set to false.
All versions of Jooby are vulnerable to HTTP Response Splitting. if DefaultHttpHeaders is set to false.
A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
A vulnerability was found in Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
An attacker could alter the configuration concerning Pollers in Apache Centreon so that it is possible to run arbitrary code with root privileges.
confinit is vulnerable to Prototype Pollution. The setDeepProperty function could be tricked into adding or modifying properties of Object.prototype using a proto payload.
class-transformer is vulnerable to Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a proto payload.
dot is vulnerable to Prototype Pollution. The function set could be tricked into adding or modifying properties of Object.prototype using a proto payload.
Affected versions of acorn is vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.
This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. The DefaultHttpHeaders is set to false which means it does not validates that the header isn't being abused for HTTP Response Splitting.
An input validation flaw in npm package utils-extend may allow prototype pollution attacks resulting in remote code execution or denial of service.
op-browser is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.
install-package is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
node-key-sender is vulnerable to Command Injection. It allows execution of arbitrary commands via the arrParams argument in the execute() function.
git-add-remote is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument.
jscover is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument.
umount is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization.
get-git-data is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
karma-mojo is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.
pomelo-monitor is vulnerable to Command Injection. It allows injection of arbitrary commands.
install-package is vulnerable to Command Injection. It allows execution of arbitrary commands via the device function.
effect is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.
ini-parser is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a proto payload.
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains. Recommendation If using ecstatic 4.x, upgrade to 4.1.2 or later. If using ecstatic 3.x, upgrade to 3.3.2 or later. If using ecstatic 2.x, upgrade to 2.2.2 or later.
When LDAP authentication is enabled in Apache Druid, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid.
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to …
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the createMBServerConnectorFactory property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack.
mocha is vulnerable to ReDos
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
There is a vulnerability in knockout, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cross-Site Scripting (XSS) vulnerability in files it serves.
The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via a malicious filename rendered in a directory listing.
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo.
Scripts in Sling CMS do not property escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.
In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. If a node receives a request for a collection it does not host, it forwards the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests.
phpMyAdmin allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page.
In Twisted Web before 20.3.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
A vulnerability was found in Moodle: OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
In Twisted Web through 20.3.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.*.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider.
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
odata4j suffers from a SQL injection vulnerability in ExecuteCountQueryCommand.java.
odata4j suffers from a SQL injection flaw in ExecuteJPQLQueryCommand.java.
An issue was discovered in USC iLab cereal. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if a std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same address. Serialization fidelity thereby becomes dependent upon memory layout. In short, serialized std::shared_ptr variables cannot always be expected to serialize back into their original …
Impact bleach.clean behavior parsing style attributes could result in a regular expression denial of service . Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, ``bleach.clean(…, attributes={'a': 'style' Workarounds do not allowlist the style attribute in bleach.clean calls limit input string length References https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 https://www.regular-expressions.info/redos.html https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817 Credits Reported by schwag09 of r2c For more information If you have any questions …
Next.js contains a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory.
In Symfony, some properties of the Exception were not properly escaped when the ErrorHandler rendered it stacktrace. In addition, the stacktrace was displayed in a non-debug configuration. The ErrorHandler now escapes alls properties of the exception, and the stacktrace is only displayed in debug configurations.
In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. …
In symfony/security-http, when a Firewall checks access control rule, it iterates overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute.
The Micronaut HTTP client is vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.
The Gradle publish plugin is vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the –info log level flag, the Gradle Logger logs an AWS pre-signed URL.
An issue was discovered in USC iLab cereal. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if the archive is distributed outside a trusted context.
NetBeans autoupdate does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code.
In Symfony, when a Response does not contain a Content-Type header, affected versions of Symfony can fallback to the format defined in the Accept header of the request, leading to a possible mismatch between the response content and Content-Type header. When the response is cached, this can prevent the use of the website by other users.
The NetBeans autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code.
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the ErrorHandler rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5
In Elide it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection.
All versions of bson are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
bson is vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Azkaban suffers from XXE injection due to invalid handling of XML in validator/XmlValidatorManager.java and user/XmlUserManager.java.
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
The Kubelet component has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port, and the authenticated HTTPS API typically served on port
The Kubelet component has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port, and the authenticated HTTPS API typically served on port
A URL parsing issue in goog.uri of the Google Closure Library allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.`
VVE-2020-0001 Earlier today, we received a responsible disclosure of a potential issue from @montyly (security researcher at @trailofbits) for Vyper users who make assumptions about what values certain interface types can return. Impact We determined the issue to be mild and unlikely to be exploited, with an easy workaround while the correct resolution is in process. The issue stems from a number of things, which we will detail here. (1) …
FrozenNode Laravel-Administrator allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension.
http4s has a local file inclusion vulnerability due to URI normalization being applied incorrectly. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService.
The Jenkins RapidDeploy Plugin does not configure it's XML parser to prevent XML external entity (XXE) attacks.
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
Jenkins Azure Container Service Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Jenkins OpenShift Pipeline Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
AWS Steps Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Apache Shiro, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
A form validation endpoint in Jenkins Queue cleanup Plugin does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.
Jenkins does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Jenkins does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
Jenkins improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
PrestaShop module ps_facetedsearch has a reflected XSS in the url_name parameter.
The Jenkins RapidDeploy Plugin does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.
Jenkins uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) has a faulty implementation of Token Replay Detection. Token Replay Detection is an important defence in depth measure for Single Sign On solutions.
Python Auditing Vulnerability Demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety. Tools that are designed to find vulnerable packages can not ever run in the same python environment that they are trying to protect. Usage Install safety, insecure-package, and this package with pip in the same python environment. Order doesn't matter. pip install safety pip install insecure-package pip install dist/malicious-0.1-py3-none-any.whl …
When configuring a Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle these events.
A flaw was found in keycloak. When configuring a conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle these events.
Impact Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected. The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has …
Impact Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected. The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has …
PyYAML is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
In Mozilla Bleach, a mutation XSS in bleach.clean when RCDATA and either svg or math tags are in the allowlist with the keyword argument strip=False.
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser.
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser.
CodeIgniter allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible for introducing this issue because the framework has never provided a login screen, …
eZ Publish Legacy allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
eZ allow remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
An SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
In phpMyAdmin, an SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.
An issue was discovered in HDF5. A heap-based buffer over-read exists in the function H5O__layout_decode() located in H5Olayout.c. It allows an attacker to cause Denial of Service.
A NULL pointer dereference exists in the function H5F_get_nrefs() located in H5Fquery.c. It allows an attacker to cause Denial of Service.
A NULL pointer dereference exists in the function H5AC_unpin_entry() located in H5AC.c. It allows an attacker to cause Denial of Service.
An SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
An open URL redirect via the p parameter in login.php in Centreon allows an attacker to craft a potentially malicious payload to execute unintended behavior.
A prototype pollution vulnerability in fastify-multipart allows an attacker to crash fastify applications when parsing multipart requests by sending a specially crafted request.
Cloud Native Computing Foundation Harbor allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
Cloud Native Computing Foundation Harbor allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.
Server-side request forgery (SSRF) vulnerability in Ghost CMS allows an attacker to scan local or external network or otherwise interact with internal systems.
Local File Inclusion in minPlayCommand.php in Centreon allows an attacker to traverse paths via a plugin test.
A flaw in Centreon's minPlayCommand.php allows an attacker to achieve command injection via a plugin test.
phpBB allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.
Cloud Native Computing Foundation Harbor has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
Cloud Native Computing Foundation Harbor allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
Code injection vulnerability in blamer may result in remote code execution when the input can be controlled by an attacker.
The Library API in buger jsonparser allows attackers to cause a denial of service (infinite loop) by means of a call to Delete.
In EasyBuild, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like –new-pr, –fro,-pr, etc.) is shown in plain text in EasyBuild debug log files.
The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like –new-pr, –from-pr, etc.) is shown in plain text in EasyBuild debug log files. Scope: the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html); as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using –upload-test-report in …
Ignite Realtime Openfire allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter.
Ignite Realtime Openfire suffers from a Cross-site Scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp password parameter.
Ignite Realtime Openfire suffers from a Cross-site Scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp driver parameter.
In ActionView there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS.
An open redirect exists in the Lesson edit page.
A vulnerability was found in Moodle where tokens used to fetch inline atachments in email notifications were not disabled when a user account was no longer active.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef.`
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory.
A reflected XSS is possible through fatal error messages.
Ignite Realtime Openfire suffers from a Cross-site Scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp username parameter.
There is blind XSS reflected in some locations where user email is displayed.
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
OpenCart allows remote authenticated users to conduct XSS attacks via a crafted filename in the user image upload section.
Subrion CMS (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI.
In OPC Foundation OPC UA .NET Standard codebase, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
Umbraco CMS allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.
Umbraco Cloud allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality.
Dolibarr ERP/CRM allows SQL Injection.
Dolibarr ERP/CRM allows XSS via the qty parameter to product/fournisseurs.php (product price screen).
An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malformed PSD input data during decoding to the PIL.Image or NumPy format, leading to a Buffer Overflow.
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the …
Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a proto payload.
When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack.
Contao is vulnerable to XSS when viewing the system log. An unauthenticated attacker can inject a script which is executed when a logged-in backend user views the system log.
Dolibarr ERP/CRM allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
Dolibarr ERP/CRM has an Insufficient Filtering issue that can lead to user/card.php XSS.
Codiad Web IDE allows PHP Code injection.
A flaw was found in Ansible Engine when the module package or service is used and the parameter use is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file.
The package integrity validation in yarn contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
gulp-styledocco allows execution of arbitrary OS commands. The options argument of the exports function in index.js can be controlled by users without any sanitization.
node-prompt-here allows execution of arbitrary commands. The runCommand() is called by getDevices() function in file linux/manager.js, which is required by the index. process.env.NM_CLI in the file linux/manager.js. This function is used to construct the argument of function execSync(), which can be controlled by users without any sanitization.
pulverizr allows execution of arbitrary commands. Within lib/job.js, the variable filename can be controlled by the attacker. This function uses the variable filename to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
gulp-scss-lint allows execution of arbitrary commands. It is possible to inject arbitrary commands to the exec function located in src/command.js via the provided options.
docker-compose-remote-api allows execution of arbitrary OS commands. Within index.js of the package, the variable serviceName passed to the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) can be controlled by users to provide OS commands without any sanitization.
closure-compiler-stream allows execution of arbitrary commands. The argument options of the exports function in index.js can be controlled by users without any sanitization.
It is possible to inject arbitrary OS commands by passing them into gulp-tape options.
Attackers with access to a notionally invalidated token could obtain a new, working token via the refresh endpoint, because the denylist protection mechanism is incompatible with the token-refresh feature.
The dot package uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions …
In Administrate (rubygem), when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections. Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication.
python-docutils allows insecure usage of temporary files.
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. If a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.
Withdrawn: Duplicate of GHSA-2fch-jvg5-crf6
An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation.
Any user with access to the CMS can view and delete other users' 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other user's device they can disable the target user's 2FA devices and potentially compromise the account if they figure out their password.
Torpedo Query mishandles the LIKE operator in ConditionBuilder.java, LikeCondition.java, and NotLikeCondition.java.
querymen allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.
An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data. To exploit the vulnerability, an attacker must know the memory address of where the object was created.
A flaw was found in Ansible when a password is set with the argument password of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers.
An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'. Note this is due to axis2 clustering including a dependency to tomcat which is vulnerable to this issue.
An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'. Note this is due to axis2 clustering including a dependency to tomcat which is vulnerable to this issue.
A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
The implementations of PKCS#1 key transport mechanism for XMLEncryption Apache WSS4J is susceptible to a Bleichenbacher attack.
Blamer versions allows execution of arbitrary commands. It is possible to inject arbitrary commands as part of the arguments provided to blamer.
python-rply before 0.7.4 insecurely creates temporary files.
In Fat-Free Framework, attackers can achieve arbitrary code execution if developers choose to pass user controlled input (e.g., $_REQUEST, $_GET, or $_POST) to the framework's Clear method.
Python keyring lib before 0.10 created keyring files with world-readable permissions.
utilitify allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype.
minimist could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload.
In Apache ShardingSphere, the web console uses the SnakeYAML library for parsing YAML inputs to load datasource configuration. SnakeYAML allows unmarshalling data to a Java type by using the YAML tag. Unmarshalling untrusted data could lead to security flaws such as Remote Code Execution (RCE).
Missing form token validation in phpBB allows CSRF in deleting post attachments.
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass
In affected versions of dojo, the deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
In dojox, the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
JBoss AS and mod_cluster do not handle default hostname in the same way, which can cause the excluded-contexts list to be mismatched and the root context to be exposed.
Python keyring has insecure permissions on new databases, allowing world-readable files to be created.
python-requests-Kerberos through 0.5 does not handle mutual authentication
Impact Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. Patches Please update uap-ruby to >= v2.6.0 For more information https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p Reported in uap-core by Ben Caller @bcaller
A cross-site scripting (XSS) vulnerability in the WSC plugin through allows remote attackers to run arbitrary web script inside an IFRAME element by injecting a crafted HTML element into the editor.
An arbitrary file write vulnerability in Jenkins Cobertura Plugin allows attackers to overwrite any file on the Jenkins master file system.
A flaw was found in Ansible when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.
Jenkins CryptoMove Plugin allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.
A missing permission check in Jenkins P4 Plugin allows attackers with Overall/Read permission to trigger builds.
An issue was discovered in Froxlor. The installer wrote configuration parameters including passwords into files in /tmp, setting proper permissions only after writing the sensitive data. A local attacker could have disclosed the information if he read the file at the right time, the flaw exists in _createUserdataConf of the install/lib/class.FroxlorInstall.php file.
Sandbox protection in Jenkins Script Security Plugin could be circumvented through crafted method calls on objects that implement GroovyInterceptable.
A missing permission check in Jenkins Mac Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
Sandbox protection in Jenkins Script Security Plugin could be circumvented through crafted constructor calls and crafted constructor bodies.
JPaseto generates weak hashes when using v2.local tokens.
Jenkins Mac Plugin does not validate SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.
The Jenkins Cobertura Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
Jenkins Rundeck Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
An issue was discovered in Froxlor. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, the flaw exists in _backupExistingDatabase of the install/lib/class.FroxlorInstall.php file.
An issue was discovered in Froxlor. It created files with static names in /tmp during installation if the installation directory was not writable. This allowed local attackers to cause DoS or disclose information out of the config files, the flaw exists in _createUserdataConf of the install/lib/class.FroxlorInstall.php file.
Jenkins Literate Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Jenkins Audit Trail Plugin does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
Jenkins Timestamper Plugin does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
Jenkins Git Plugin does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.
Jenkins Timestamper Plugin does not sanitize HTML output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
A cross-site request forgery vulnerability in Jenkins P4 Plugin allows attackers to trigger builds or add a labels in Perforce.
A cross-site request forgery vulnerability in Jenkins Mac Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
Jenkins Sonar Quality Gates Plugin transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Jenkins Backlog Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.
Jenkins Logstash Plugin transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Jenkins Quality Gates Plugin transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
Jenkins Repository Connector Plugin transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor allows remote attackers to inject arbitrary web script through a crafted protected comment (with the cke_protected syntax).
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor allows remote attackers to inject arbitrary web script through a crafted protected comment (with the cke_protected syntax).
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor allows remote attackers to inject arbitrary web script through a crafted protected comment (with the cke_protected syntax).
The verifyVerifiablePresentation() method check the cryptographic integrity of the Verifiable Presentation, but it does not check if the credentialSubject.id` DID matches the signer of the VP proof.
The verifyVerifiableCredential() method check the cryptographic integrity of the Verifiable Credential, but it does not check if the credential.issuer DID matches the signer of the credential.
A SQL Injection vulnerability exists in include/monitoring/status/Hosts/xml/hostXML.php and could be exploited via the instance parameter.
Spring Cloud Config allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.
Unauthenticated users could access sensitive information by issuing a direct request to api/external.php?object=centreon_metric&action=listByService.
Unauthenticated users could access sensitive information by issuing a direct request to include/configuration/configObject/service/refreshMacroAjax.php.
The Autodiscovery plugin of Centreon allows CSRF with remote command execution via shell metacharacters through a POST request to centreon-autodiscovery-server/views/scan/ajax/call.php.
The SEOmatic component for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
An issue was discovered in Centreon which provides sensitive information via an unauthenticated direct request for include/monitoring/recurrentDowntime/GetXMLHost4Services.php.
An issue was discovered in Centreon which provides sensitive information via an unauthenticated direct request for include/configuration/configObject/host/refreshMacroAjax.php.
In parser-server, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way.
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
The HttpClient from Reactor Netty may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
Hotels Styx through 1.0.0.beta8 allows HTTP response splitting due to CRLF Injection. This is exploitable if untrusted user input can appear in a response header.
Reactor Netty HttpServer, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a response.
A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.
In Puma (RubyGem), if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
In Puma (RubyGem), if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig.
A flaw was discovered in FasterXML jackson-databind that permits polymorphic deserialization of malicious objects. Specifically when the xalan JNDI gadget is used in conjunction with polymorphic type handling methods such as enableDefaultTyping(). The gadget may also be combined with @JsonTypeInfo when it is using Id.CLASS or Id.MINIMAL_CLASS, or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
A flaw was discovered in jackson-databind where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
InfluxDB has a reflected XSS in the Write Data module.
Centreon allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.
The kill-port-process is vulnerable to a Command Injection vulnerability.
The package push-dir allows execution of arbritary commands. Arguments provided as part of the variable opt.branch are not validated before being provided to the git command within index.js#L139. This could be abused by an attacker to inject arbitrary commands.
The package giting allows execution of arbritary commands. The first argument repo of function pull() is executed by the package without any validation.
The serial-number package allows execution of arbritary commands. The cmdPrefix argument in serialNumber function is used by the exec function without any validation.
enpeem allows execution of arbitrary commands. The options.dir argument is provided to the exec function without any sanitization.
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
In Puma (RubyGem), if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. CR, LF or /r, /n) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as …
In Puma (RubyGem), if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. CR, LF or/r, /n) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site …
A lack of input validation in pdf-image npm package version may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.
valib allows Internal Property Tampering. A maliciously crafted JavaScript object can bypass several inspection functions provided by valib. Valib uses a built-in function (hasOwnProperty) from the unsafe user-input to examine an object. It is possible for a crafted payload to overwrite this function to manipulate the inspection results to bypass security checks.
Insufficient validation in cross-origin communication (postMessage) in reveal.js allows attackers to perform cross-site scripting attacks.
There is an XSS vulnerability in GwtUpload in the file upload functionality. Someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS. Cross-site scripting enables attackers to steal data, change the appearance of a website, and perform other malicious activities like phishing or drive-by hacking.
It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer.
Apache Struts has a cross-site scripting (XSS) vulnerability.
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
Arbitrary filesystem write vulnerability in Yarn allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install a malicious package.
There is an OS command injection vulnerability in Ruby Rake in Rake::FileList when supplying a filename that begins with the pipe character |.
compile-sass allows execution of arbritary commands. The function setupCleanupOnExit(cssPath) within dist/index.js is executed as part of the rm command without any sanitization.
rpi allows execution of arbitrary commands. The variable pinNumber in function GPIO within src/lib/gpio.js is used as part of the arguments to the exec function without any sanitization.
In BuddyPress, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed.
DNN (formerly DotNetNuke) has Insecure Permissions.
In Apache Tomcat, the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner.
In Apache Tomcat M1 to to to the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
In Apache Tomcat, the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner.
Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
DNN (formerly DotNetNuke) allows XSS.
DNN (formerly DotNetNuke) allows Path Traversal.
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Tomcat is shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was …
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.
Impact Any website using discord-markdown with user-generated markdown is vulnerable to having code injected into the page where the markdown is displayed. Patches This has been patched Workarounds Escape the characters <>& before sending plain code blocks to discord-markdown. References https://github.com/brussell98/discord-markdown/issues/13
In Mozilla Bleach, a mutation XSS affects users calling bleach.clean with noscript.
uap-core is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core
uap-core is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby as used in rubygem-moped allows remote attackers to cause a denial of service (worker resource consumption) via a crafted string.
The vault subsystem in Ansible does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.
The safe_eval function in Ansible does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.
openHAB allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB.
golang.org/x/crypto allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
archive_read_support_format_rar5.c in libarchive attempts to unpack a RAR5 file with an invalid or corrupted header (such as a header size of zero), leading to a SIGSEGV or possibly unspecified other impact.
Nokogiri is vulnerable to XXE attacks.
SilverStripe allows a Denial of Service on flush and development URL tools.
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting strict_hostname_checking = true in …
taffy allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If index is found in the query, taffyDB will ignore other query conditions and directly return the …
taffy through 2.6.2 allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. However, it is found that the internal index can be forged by adding additional properties into user-input. If index is found in the query, taffyDB will ignore other query conditions and directly …
JYaml allows remote code execution during deserialization of a malicious payload through the load() function.
SilverStripe is vulnerable to CSRF in GraphQL mutations
promise-probe allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
Zend framework is vulnerable to SQLi when used with the sqlsrv PHP extension.
The codecov-node npm module allows remote attackers to execute arbitrary commands. The value provided as part of the gcov-root argument is executed by the exec function within lib/codecov.js.
Moodle is vulnerable to information exposure of service tokens for users enrolled in the same course.
Joplin allows Arbitrary File Read via XSS.
SilverStripe allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input.
Dolibarr allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
An unintended require and server-side request forgery vulnerabilities in jsreport allow attackers to execute arbitrary code.
An out-of-bounds read was discovered in PCRE when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.
In aws-lambda versions, the "config.FunctioName" is used to construct the argument used within the "exec" function without any sanitization. It is possible for a user to inject arbitrary commands to the "zipCmd" used within "config.FunctionName".
In "index.js" file line, the run command executes the git command with a user controlled variable called remoteUrl. This affects git-diff-apply all
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a source equal to ingress. To exploit this vulnerability, someone has to encode a source.uid in this header.
An Unintended Require vulnerability in the script-manager npm package may allow attackers to load and execute arbitrary code.
matestack-ui-core (RubyGem) is vulnerable to XSS/Script injection. This vulnerability is patched
dojox is vulnerable to Cross-site Scripting in all versions before version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.
Jenkins Eagle Tester Plugin stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins master where it can be viewed by users with access to the master file system.
Jenkins S3 publisher Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Jenkins Dynamic Extended Choice Parameter Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Jenkins Debian Package Builder Plugin stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Jenkins Harvest SCM Plugin stores passwords unencrypted in it's global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the master file system (both).
Jenkins Parasoft Environment Manager Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Jenkins Applatix Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Jenkins DigitalOcean Plugin stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.
Jenkins BMC Release Package and Deployment Plugin stores credentials unencrypted in it's global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins master where they can be viewed by users with access to the master file system.
Jenkins ECX Copy Data Management Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Jenkins Harvest SCM Plugin stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
libnotify allows remote attackers to execute arbitrary commands via unspecified characters in a call to libnotify.notify.
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin in form-related methods allowed users with Overall/Read access to enumerate credential ID of the credentials stored in Jenkins.
Jenkins NUnit Plugin does not configure the XML parser to prevent XML external entity (XXE) attacks.
Jenkins FitNesse Plugin does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.
Jenkins NUnit Plugin does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.
Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset velocity/ directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting params.resource.loader.enabled by defining a response writer with that setting set to true. …
Sandbox protection in Jenkins Script Security Plugin could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside other annotations.
The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. For example, an attacker can add a ? or # character to a URI that would otherwise satisfy an exact-path match.
Jenkins RadarGun Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
Jenkins Git Parameter Plugin does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
Jenkins Brakeman Plugin does not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability exploitable by users able to control the Brakeman post-build step input data.
Jenkins Subversion Plugin does not escape the error message for the Project Repository Base URL field form validation, resulting in a stored cross-site scripting vulnerability.
Jenkins Git Parameter Plugin does not escape the default value shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing the credentials stored in Jenkins.
Jenkins Google Kubernetes Engine Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Ruby PDFKit has a Code Execution Vulnerability
An attacker is able to guess generated digits due to insufficient entropy.
In Apache NiFi, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
This advisory has been marked as a False Positive and has been removed.
Persistent XSS in /course/modedit.php of Moodle allows authenticated users (Teacher) to inject JavaScript into the session of another user (e.g., enrolled student or site administrator) via the introeditor[text] parameter.
FasterXML jackson-databind lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
FasterXML jackson-databind lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
SockJS's function htmlfile in lib/transport/htmlfile.js is vulnerable to Reflected XSS via the /htmlfile endpoint through the c callback parameter.
In Keycloak, links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
Links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
An unrestricted file upload vulnerability in the jQuery File Upload Plugin server/php/UploadHandler.php allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension. This file is then accessible via a direct request to the file in files/.
The omniauth-weibo-oauth2 gem for Ruby included a code-execution backdoor inserted by a third party.
A vulnerability exists in nw.js when calling nw methods from normal frames, which has an unspecified impact.
Multiple relative path traversal vulnerabilities in the oneup/uploader-bundle allow remote attackers to upload, copy, and modify files on the filesystem.
bbPress is vulnerable to XSS through the /bb-login.php url via the re parameter.
A denial of service exists in strapi can be abused in the admin console using admin rights can lead to arbitrary restart of the application.
Apache Olingo versions 4.0.0 to 4.7.0 provide the AsyncRequestWrapperImpl class which reads a URL from the Location header, and then sends a GET or DELETE request to this URL. It may allow to implement a SSRF attack. If an attacker tricks a client to connect to a malicious server, the server can make the client call any URL including internal resources which are not directly accessible by the attacker.
im-resize allows remote attackers to execute arbitrary commands via the exec argument. The cmd argument used within index.js can be controlled by user without any sanitization.
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to 4.6.0 reads the Retry-After header and passes it to the Thread.sleep() method without any check. If a malicious server returns a huge value in the header, then it can help to implement a DoS attack.
Flaw in input validation in npm package klona version may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.
network-manager allows remote attackers to execute arbitrary commands via the execSync() argument.
Insufficient validation and sanitization of user input exists in url-parse npm package may allow attacker to bypass security checks.
Prototype pollution vulnerability in dot-prop npm package version allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse case.
When waitress receives a header that contains invalid characters it will cause the regular expression engine to catastrophically backtrack causing the process to use 100% CPU time and blocking any other interactions. This would allow an attacker to send a single request with an invalid header and take the service offline. Invalid header example: Bad-header: xxxxxxxxxxxxxxx\x10 Increasing the number of x's in the header will increase the amount of time …
The Kubernetes kubectl cp command in versions allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.
Auth0 Lock allows XSS when additionalSignUpFields is used with an untrusted placeholder.
When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. stack overflow - leading to the deserializing process crashing.
When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. stack overflow - leading to the deserializing process crashing.
When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. stack overflow - leading to the deserializing process crashing.
When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. stack overflow - leading to the deserializing process crashing.
When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by either of two vectors: hash collisions - leading to large CPU consumption disproportionate to the size of the data being deserialized. stack overflow - leading to the deserializing process crashing.
HashiCorp Consul allows unbounded resource usage, and is susceptible to unauthenticated denial of service.
HashiCorp Consul does not enforce ACLs across all API endpoints, resulting in potential unintended information disclosure.
HashiCorp Consul and Consul Enterprise does not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure.
All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulnerable to XML External Entity (XXE) Injection due to an incomplete fix for CVE-2019-9658.
Opencast enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials.
Opencast stores passwords using the outdated and cryptographically insecure MD5 hash algorithm. Password hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide. This is problematic especially for common users like the default admin user. This means that for an attacker it might be feasible to reconstruct a user's password given access to these hashes. Note that …
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default admin user. This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access …
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to …
node-uuid uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing.
Opencast allows near-arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString() vs Id.compact() behavior, the latter trying to mitigate some of the file system problems, can cause errors due …
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but only in the security configuration. From the name – implying an admin for a specific course – users would never expect that this …
A user who owns an ENS domain can set a trapdoor, allowing them to transfer ownership to another user, regain ownership without the new owners consent or awareness. A new ENS deployment is being rolled out that fixes this vulnerability in the ENS registry.
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system …
In Opencast using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication.
Jenkins improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
Jenkins is vulnerable to a UDP amplification reflection denial of service attack on port
Magento is vulnerable to SQL injection. Successful exploitation could lead to sensitive information disclosure.
contao has a sql injection vulnerability
Magento is vulnerable to a path traversal. Successful exploitation could lead to sensitive information disclosure.
Jenkins Fortify Plugin stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
The npm module is vulnerable to Command Injection. Every exported method used by the package uses the exec function to parse user input.
Jenkins does not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.
Jenkins uses a non-constant time comparison function when validating an HMAC.
Jenkins exposes session identifiers on a user detail object in the whoAmI diagnostic page.
Jenkins allows users with Overall/Read access to view a JVM memory usage chart.
HttpObjectDecoder.java in Netty allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an invalid fold.
HttpObjectDecoder.java in Netty allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
REST API endpoints in Jenkins are vulnerable to clickjacking attacks.
Magento has a deserialization vulnerability. Successful exploitation could lead to arbitrary code execution.
Jenkins Code Coverage API Plugin does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations.
Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Magento has a security bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
Converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints …
Converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints …
Converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints …
opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG has a heap-based buffer overflow in the qmfbid==1 case, a different issue than CVE-2020-6851.
Authenticated Apache Superset users are able to retrieve other users' information, including hashed passwords, by accessing an unused and undocumented API endpoint on Apache Superset.
An information disclosure vulnerability was found in Apache NiFi. The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present.
The optional initial password change and password expiration features are prone to a sensitive information disclosure vulnerability. The code mandates the changed password to be passed as an additional attribute to the credentials object but does not remove it upon processing during the first phase of the authentication. In combination with additional, independent authentication mechanisms, this may lead to the new password being disclosed.
The (1) create_branch, (2) create_tag, (3) import_project, and (4) fork_project functions in lib/gitlab_projects.rb allows remote authenticated users to include information from local files into the metadata of a Git repository via the web interface.
The parse_cmd function in lib/gitlab_shell.rb allows remote authenticated users to gain privileges and clone arbitrary repositories.
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb). This becomes a concern in particular if feedgen is used to include content from untrused sources and if XML (including XHTML) is directly included instead of providing plain tex …
This advisory has been marked as a False Positive and has been removed.
A XSS vulnerability was found in Apache NiFi. Malicious scripts could be injected to the UI through action by an unaware authenticated user in Firefox. Did not appear to occur in other browsers.
ratpack is vulnerable to Cross-site Scripting (XSS). This affects the development mode error handler when an exception message contains untrusted data. Note the production mode error handler is not vulnerable - so for this to be utilized in production it would require users to not disable development mode.
A stored XSS vulnerability is present within the node-red npm package, which is a visual tool for wiring the Internet of Things. This issue will allow the attacker to steal session cookies, deface web applications, etc.
CRLF injection vulnerability allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API.
Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header.
This advisory has been marked as a false positive.
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is kernel.debug will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
Netty allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.
In Ktor before 1.3.0, request smuggling is possible when running behind a proxy that doesn't handle Content-Length and Transfer-Encoding properly or doesn't handle \n as a headers separator.
svg.swf in TYPO3 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.
svg.swf in TYPO3 could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system. This may be at a contrib/websvg/svg.swf pathname.
The htdocs/index.php?mainmenu=home login page in Dolibarr allows an unlimited rate of failed authentication attempts.
htdocs/user/passwordforgotten.php in Dolibarr allows XSS via the Referer HTTP header.