Advisories

All versions of express-brute are vulnerable to Rate Limiting Bypass. Concurrent requests may lead to race conditions that cause the package to incorrectly count requests. This may allow an attacker to bypass the rate limiting provided by the package and execute requests without limiting. No fix is currently available. Consider using an alternative module until a fix is made available.

A vulnerability was found in querystringify It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

aubio has a new_aubio_onset NULL pointer dereference.

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

aubio has a Buffer Overflow vulnerability in new_aubio_tempo

Versions of express-basic-auth are vulnerable to Timing Attacks. The package uses nating string comparison instead of a constant time string compare which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the exponential increase in entropy gained from longer secrets.

Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 0.1.15

Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode() function, the packages uses the algorithm in the JWT to decode tokens. This allows an attacker to create a HS256 (symmetric algorithm) JWT with the server's public key as secret, and the package will verify it as HS256 instead of RS256 (asymmetric algorithm). Recommendation Upgrade to version 0.5.3 or later.

Relative Path Traversal in servey.

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 2.3.1 or higher.

A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems …

Versions of redbird have a vulnerable default configuration of allowing TLS connections on lib/proxy.js. The package does not provide an option to disable TLS which is deprecated and vulnerable. Upgrade to or later.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in upmerge.

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.

A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.

In Rancher, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

HashiCorp has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

The Chartkick gem for Ruby allows XSS.

In Rancher, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container.

A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.

Versions of sequelize-cli are vulnerable to Sensitive Data Exposure. The function filteredURL() does not properly sanitize the config.password value which may cause passwords with special characters to be logged in plain text. ## Recommendation

Relative Path Traversal in statics-server.

Versions of marked prior to 0.6.2 and later than 0.3.14 is vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion. Recommendation Upgrade to version 0.6.2 or later.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

clean-css is vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Versions of tesseract.js default to using a third-party proxy. Requests may be proxied through crossorigin.me which clearly states is not suitable for production use. This may lead to instability and privacy violations. Upgrade to or later.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dot.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

Istio has Incorrect Access Control.

Urgent Upgrade The static file server module included with GUN had a serious vulnerability: Using curl –path-as-is allowed reads on any parent directory or files. This did not work via the browser or via curl without as-is option. Fixed This has been fixed since version 0.2019.416 and higher. Who Was Effected? Most NodeJS users who use the default setup, such as: npm start node examples/http.js Heroku 1-click-deploy Docker Now If …

All versions of url-relative are vulnerable to Denial of Service. If the values to and from are equal, the function hangs and never returns. This may cause a Denial of Service. No fix is currently available. Consider using an alternative module until a fix is made available.

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service. Recommendation Upgrade to version 3.13.0.

Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process. Recommendation Upgrade to version 1.6.10

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

Versions of pem expose sensitive data when the readPkcs12 is used. The readPkcs12 function reads the certificate and key data from a pkcs12 file using the encryption password. As part of this process it creates a globally readable file with a filename of random 0-f characters in the temporary directory containing the password which is then read by OpenSSL. The file containing the password is never cleaned up after it …

Versions of floody are vulnerable to remote memory exposure. . appending a chunk of uninitialized memory. Proof of Concept: var f = require('floody')(process.stdout); f.write(USERSUPPLIEDINPUT); 'f.stop(); ## Recommendation Update to or later.

Versions of byte allocate uninitialized buffers and read data from them past the initialized length Update to or later.

Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection. Recommendation Upgrade to version 4.12.0 or later

Versions of loopback-connector-mongodb are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions …

Grails uses cleartext HTTP to resolve the SDKMan notification service.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in opencv.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in js-yaml.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cloudcmd.

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent. Proof of concept const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', Sec-WebSocket-Extensions: ${payload}, 'Upgrade: websocket', '\r' …

secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same length.

Versions of express-cart before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users. Recommendation Update to version 1.1.6 or later.

Versions of tunnel-agent are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number. Proof-of-concept: require('request')({ method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy:{ protocol: 'http:', host:'127.0.0.1', port:8080, auth:USERSUPPLIEDINPUT // number } }); ``` Update to or later.

Versions of concat-stream is vulnerable to memory exposure if userp provided input is passed into write() are not affected due to not using unguarded Buffer constructor. Update to or later. If you are unable to update make sure user provided input into the write() function is not a number.

Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to Buffer constructor, appending a chunk of uninitialized memory Recommendation Update to version 0.9.5, 1.0.1 or later.

ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

Versions of ircdkit are vulnerable to a remote denial of service.

Versions of command-exists are vulnerable to command injection. This is exploitable if user input is provided to this module. Update to or later.

Relative Path Traversal in angular-http-server.

Versions of deap before 1.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.0.1 or later.

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Versions of base64-url are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input. Update to or later.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in public.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react-svg.

An issue was discovered in Hybrid Group Gobot. The mqtt subsystem skips verification of root CA certificates by default.

Jenkins Gitea Plugin does not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.

All versions of foreman are vulnerable to Regular Expression Denial of Service when requests to it are made with a specially crafted path.

A user who can escalate to yarn user can possibly run arbitrary commands as root user.

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key. No fix is currently available. Consider using an alternative module until a fix is made available.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bootbox.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bracket-template.

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

of ipns are vulnerable to improper key validation. This is due to the public key verification was not being performed properly, resulting in any key being valid. Update to or later.

Affected versions of ltt.js resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo ``` No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Versions of terriajs-server are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server allow listed by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain allow listed by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment. Upgrade …

Versions of jquery.terminal are vulnerable to Reflected Cross-Site Scripting. If the application has either of the options anyLinks or invokeMethods set to true, the application may execute arbitrary JavaScript through crafted malicious payloads due to insufficient sanitization.

Versions of concat-with-sourcemaps allocates uninitialized Buffers when a number is passed as a separator. Update to or later.

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in fs-git.

XSS exists in Shave because output encoding is mishandled during the overwrite of an HTML element.

core/api/datasets/internal/actions/Explode.java in the Dataset API in DKPro Core through 1.10.0 allows Directory Traversal, resulting in the overwrite of local files with the contents of an archive.

Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.

Apache Camel contains an XML external entity injection vulnerability due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

In PrestaShop, the shop_country parameter in the `install/index.Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

Versions of mysql before 2.14.0 is vulnerable to remove memory exposure. Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw added in newer node.js versions. Proof of Concept: require('mysql').createConnection({ host: 'localhost', user: 'user', password : USERPROVIDEDINPUT, // number database : 'my_db' }).connect(); Recommendation …

ZooKeeper's getACL() command does not check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords. Update to or later.

Versions of webpack-bundle-analyzer are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

XSS injection in the Grid component.

Jenkins Credentials Plugin allows users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.

XSS injection in the Grid component.

XSS injection in the Grid component.

A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.

A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs …

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

Symfony allows for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

In Symfony, when service ids allow user input, this could allow for SQL Injection and remote code execution.

In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.

In Symfony, when service ids allow user input, this could allow for SQL Injection and remote code execution.

In Symfony, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0884, CVE-2019-0918.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to.

It is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to.

In Symfony validation messages are not escaped, which can lead to XSS when user input is included.

In Symfony, validation messages are not escaped, which can lead to XSS when user input is included.

In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

In Symfony validation messages are not escaped, which can lead to XSS when user input is included.

This package would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

If the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.

Certain input files could make the code to enter into an infinite loop when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

This vulnerability relates to the user's browser processing of DUCC webpage input data.The javascript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.

Certain input files could make the code hang when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

An issue was discovered in Singularity, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

In remarkable lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters.

Simditor allows DOM XSS via an onload attribute within a malformed SVG element.

lib/common/html_re.js in remarkable allows Regular Expression Denial of Service (ReDoS) via a CDATA section.

If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.

core/api/datasets/internal/actions/Explode.java in the Dataset API in DKPro Core allows Directory Traversal, resulting in the overwrite of local files with the contents of an archive.

Path traversal using symlink in npm harp module.

Information exposure through the directory listing in npm's harp module allows to access files that are supposed to be ignored according to the harp server rules.

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem.

The PharStreamWrapper (aka phar-stream-wrapper) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

The PharStreamWrapper (aka phar-stream-wrapper) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

TYPO3 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.

An issue was discovered in SmtpTransport in CakePHP. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.

Ratpack generates a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Security Misconfiguration in User Session Handling.

Security Misconfiguration in User Session Handling.

Information Disclosure in Page Tree.

Information Disclosure in User Authentication.

Information Disclosure in Page Tree.

Information Disclosure in User Authentication.

Axios allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Cross-Site Scripting in Fluid Engine.

Cross-Site Scripting in Fluid Engine.

Possible Arbitrary Code Execution in Image Processing.

Possible Arbitrary Code Execution in Image Processing.

Spring Cloud Config allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Xtext & Xtend were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised.

Certain input files could make the parser enter an infinite loop when Apache Sanselan (aka Apache Commons Imaging) was used to parse them, which could be used in a DoS attack.

By-passing Protection of PharStreamWrapper Interceptor.

By-passing Protection of PharStreamWrapper Interceptor.

Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.

Xtext & Xtend were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised.

Certain input files could make the parser hang when Apache Sanselan (aka Apache Commons Imaging) was used to parse them, which could be used in a DoS attack.

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service.

A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module.

Server side request forgery (SSRF) in phpBB allows checking for the existence of files and services on the local network of the host through the remote avatar upload function.

The fulltext search component in phpBB allows Denial of Service.

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis distribution.

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Apache Camel's File is vulnerable to directory traversal.

NULL pointer dereference in Google TensorFlow before 1.12.1 could cause a denial of service via an invalid GIF file.

NULL pointer dereference in Google TensorFlow before 1.12.1 could cause a denial of service via an invalid GIF file.

A maliciously crafted meta checkpoint could be used to cause the TensorFlow process to perform an out of bounds read on in process memory.

A maliciously crafted meta checkpoint could be used to cause the TensorFlow process to perform an out of bounds read on in process memory.

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

In Apache Archiva it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

In Apache Archiva, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

A vulnerability was found in tar-fs. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

Gitea allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

The input fields of the Apache Pluto "Chat Room" demo portlet is vulnerable to Cross-Site Scripting (XSS) attacks.

The request phase of the OmniAuth is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

Contao contains an SQL injection vulnerability in the back end as well as in the listing module.

User/Command/ConfirmEmailHandler.php in Flarum mishandles invalidation of user email tokens.

Google TensorFlow is affected by a Null Pointer Dereference vulnerability.

Google TensorFlow is affected by a Null Pointer Dereference vulnerability.

LibreNMS allows remote attackers to execute arbitrary OS commands by using the community parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhostrequest that triggershtml/includes/output/capture.inc.php` command mishandling.

Google TensorFlow 1.0.0 through 1.5.1 is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.

Google TensorFlow 1.0.0 through 1.5.1 is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.

Google TensorFlow is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent.

Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session.

Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). Users passing a malformed or malicious version of a TFLite graph into TOCO will cause TOCO to crash or cause a buffer overflow, potentially allowing malicious code to be executed.

Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). Users passing a malformed or malicious version of a TFLite graph into TOCO will cause TOCO to crash or cause a buffer overflow, potentially allowing malicious code to be executed.

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow could cause a crash or read from other parts of process memory via a crafted configuration file.

libseccomp-golang incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.

Memcpy parameter overlap in Google Snappy library, as used in Google TensorFlow, could result in a crash or read from other parts of process memory.

Memcpy parameter overlap in Google Snappy library, as used in Google TensorFlow, could result in a crash or read from other parts of process memory.

Apache Zeppelin is vulnerable to session fixation which allows an attacker to hijack valid user sessions.

Google TensorFlow is affected by a Null Pointer Dereference.

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Google TensorFlow is affected by a Buffer Overflow which enables an attacker to run arbitrary code.

python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() method could be tricked into executing malicious code if an attacker supplies a .pyc file.

Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and can result in takeover of MySQL Connectors.

Under some circumstances Apache Qpid Proton versions (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate while used with OpenSSL This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

In Apache Zeppelin, the cron scheduler is enabled by default and could allow users to run paragraphs as other users without authentication.

Apache Zeppelin suffers from a stored Cross-site Scripting (XSS) issue via Note permissions.

A issue was discovered in SiteServer CMS It allows remote attackers to execute arbitrary code because an administrator can add the permitted file extension .aassp, which is converted to .asp because the "as" substring is deleted.

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.

OpenAPI Tools OpenAPI Generator uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies.

In Kubernetes, schema info is cached by kubectl in the location specified by –cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If –cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

In Eclipse Jetty version, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this error, it presents the various …

In Eclipse Jetty, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

In Eclipse Jetty, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this error, it presents the various configured …

In Eclipse Jetty version, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Eclipse Vorto resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected.

In Kubernetes, schema info is cached by kubectl in the location specified by –cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If –cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

Eclipse Jetty server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Jetty server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

jQuery, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

The jQuery library, which is included in rdoc, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

An SSRF vulnerability was found in an API from Ctrip Apollo through 1.4.0-SNAPSHOT. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled.

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows.

CertificatePinner.java allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.

A sandbox bypass vulnerability in Jenkins ontrack Plugin allowed attackers with control over ontrack DSL definitions to execute arbitrary code on the Jenkins master JVM.

A number of HTTP endpoints in the Airflow webserver (both RBAC and classic) did not have adequate protection and were vulnerable to cross-site request forgery attacks.

Contao has a Weak Password Recovery Mechanism for a Forgotten Password.

Contao has a Weak Password Recovery Mechanism for a Forgotten Password.

Contao allows Use of a Key Past its Expiration Date.

Contao allows Use of a Key Past its Expiration Date.

Apache PDFBox does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

OmniAuth OmnitAuth-SAML may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing an attacker to potentially bypass authentication to SAML service providers.

Contao has Incorrect Access Control.

Contao allows CSRF.

Contao allows CSRF.

Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A …

Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A …

SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.

madskristensen Miniblog.Core allows remote attackers to execute arbitrary ASPX code via an IMG element with a data: URL, because SaveFilesToDisk in Controllers/BlogController.cs writes a decoded base64 string to a file without validating the extension.

models/repo_mirror.go in Gitea mishandles mirror repo URL settings, leading to remote code execution.

repo/setting.go in Gitea does not validate the form.MirrorAddress before calling SaveAddress.

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat (and will be disabled by default in all versions in response to this vulnerability).

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

SilverStripe allowss Reflected SQL Injection through Form and DataObject.

Auth0 Auth0-WCF-Service-JWT leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

Kentico CMS allows unrestricted upload of a file with a dangerous type.

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database.

In Rancher, project members have continued access to create, update, read, and delete namespaces in a project after they have been removed from it.

In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.

In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. The sandbox is used to restrict what code can be evaluated when rendering untrusted, user-provided templates. Due to the way string formatting works in Python, the str.format_map method could be used to escape the sandbox. This issue was previously addressed for the str.format method in Jinja 2.8.1, which discusses the issue in detail. However, the less-common str.format_map method was overlooked. …

In Rancher, project members have continued access to create, update, read, and delete namespaces in a project after they have been removed from it.

Sequelize does not properly ensure that standard conforming strings are used.

SPIP allows authenticated visitors to execute arbitrary code on the host server because var_memotri is mishandled.

Users who cached their CLI authentication would remain authenticated because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches.

The f:validateButton form control for the Jenkins UI did not properly escape job URLs resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

The libxslt binary, which is included in nokogiri, allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

In Eclipse Kura, the SkinServlet did not checked the path passed during servlet call, potentially allowing path traversal in get requests for a limited number of file types.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0860.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0752, CVE-2019-0753, CVE-2019-0862.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0770, CVE-2019-0771, CVE-2019-0773, CVE-2019-0783.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0860, CVE-2019-0861.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0806, CVE-2019-0810, CVE-2019-0829, CVE-2019-0860, CVE-2019-0861.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0773, CVE-2019-0783.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0829, CVE-2019-0861.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0609, CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771, CVE-2019-0783.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0806, CVE-2019-0810, CVE-2019-0812, CVE-2019-0860, CVE-2019-0861.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0806, CVE-2019-0812, CVE-2019-0829, CVE-2019-0860, CVE-2019-0861.

Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and roundup/cgi/wsgi_handler.py mishandle 404 errors.

In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0609, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771, CVE-2019-0773, CVE-2019-0783.

Spring Security contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Spring Security contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Spring Security containa an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Eclipse Kura exposes the underlying Ui Web server version in its replies. This can be used as a hint by an attacker to specifically craft attacks to the web server run by Kura.

An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory, aka 'Open Enclave SDK Information Disclosure Vulnerability'.

In Eclipse Kura, the Web UI package and component services, the Artemis simple Mqtt component and the emulator position service (not part of the device distribution) could potentially be target of XXE attack due to an improper factory and parser initialisation.

In Materialize, XSS is possible via the Autocomplete feature.

In Materialize, XSS is possible via the Toast feature.

In Materialize through 1.0.0, XSS is possible via the Tooltip feature.

In Materialize through 1.0.0, XSS is possible via the Toast feature.

In Materialize, XSS is possible via the Tooltip feature.

In Materialize through 1.0.0, XSS is possible via the Autocomplete feature.

This issue has been marked as a false positive.

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'.

Elgg has an open redirect.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0639, CVE-2019-0680, CVE-2019-0769, CVE-2019-0770, CVE-2019-0771, CVE-2019-0773, CVE-2019-0783.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0592.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0611.

simple-markdown.js in Khan Academy simple-markdown allows XSS via a data: or vbscript: URI.

ThinkAdmin does not prevent continued use of an administrator's cookie-based credentials after a password change.

The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages.

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.

Parsedown, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class. This occurs because spaces are permitted in code block infostrings, which interferes with the intended behavior of a single class name beginning with the language- substring.

Cross Site Request Forgery (CSRF) in the bolt/upload File Upload feature in Bolt CMS allows remote attackers to execute arbitrary code by uploading a JavaScript file to include executable extensions in the file/edit/config/config.yml configuration file.

An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare.

The (1) HttpResource and (2) FileBackedHttpResource implementations in OpenSAML do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka nnabla) through relies on the HOME environment variable, which might be untrusted.

An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.

Using the lockable module contains a vulnerability that can result in multiple concurrent requests can prevent an attacker from being blocked on brute force attacks.

Path traversal vulnerability in http-live-simulator npm package allows arbitrary path to be accessed on the file system by a remote attacker.

Eclipse hawkBit resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

XSS in buttle causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the server.

An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.

In all previously released Apache HBase 2.x versions (2.0.0-2.0.4, 2.1.0-2.1.3), authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. …

Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.

Total.js CMS 12.0.0 has XSS related to themes/admin/views/index.html (item.message) and themes/admin/public/ui.js (column.format).

In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers.

This advisory has been marked as a False Positive and has been removed.

The Serialize.deserialize() method in CoAPthon3 mishandles certain exceptions, leading to a denial of service.

Pivotal Concourse contains an API that is vulnerable to SQL injection. An Concourse resource can craft a version identifier that can carry a SQL injection payload to the Concourse server, allowing the attacker to read privileged data.

An SSRF vulnerability was found in an API from Ctrip Apollo. An attacker may use it to do an intranet port scan or raise a GET request via /system-info/health because the %23 substring is mishandled.

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on …

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on …

An Open Redirect vulnerability for all browsers in Jupyter allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.

An Open Redirect vulnerability for all browsers in Jupyter Notebook and some browsers (Chrome, Firefox) allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.

Laravel is vulnerable to Error based SQL injection in save.php via dhx_user and dhx_version parameters.

LibreNMS allows SQL injection via the html/ajax_table.php sort[hostname] parameter, exploitable by authenticated users during a search.

A sandbox bypass vulnerability in Jenkins Script Security Plugin allows attackers to invoke arbitrary constructors in sandboxed scripts.

A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki which could be used by an attacker to obtain registered users' details.

Information disclosure in zend-developer-tools.

In all previously released Apache HBase, authorization was incorrectly applied to users of the HBase REST server. Requests sent to the HBase REST server were executed with the permissions of the REST server itself, not with the permissions of the end-user. This issue is only relevant when HBase is configured with Kerberos authentication, HBase authorization is enabled, and the REST server is configured with SPNEGO authentication. This issue does not …

In Apache JSPWiki, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.

In Apache ActiveMQ unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

In Apache ActiveMQ unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

In Apache ActiveMQ, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

There is a possible denial of service vulnerability in Action View (Rails) where specially crafted Accept headers can cause action view to consume 100% cpu and make the server unresponsive.

Ansible fetch module has a path traversal vulnerability which allows copying and overwriting files outside the specified destination in the local ansible controller host, by not restricting an absolute path.

There is a File Content Disclosure vulnerability in Action View where specially crafted Accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

In Select2, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.

There is a File Content Disclosure vulnerability in Action View and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

A remote code execution vulnerability in development mode Rails can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

A remote code execution vulnerability in development mode Rails can allow an attacker to guess the automatically generated development mode secret token. This secret token can be used in combination with other Rails internals to escalate to a remote code execution exploit.

In Eclipse Jetty, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.

There is a possible denial of service vulnerability in Action View (Rails) where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.

Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.

The get_with_capability_join and get_users_by_capability functions were not taking context freezing into account when checking user capabilities

There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page.

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events.

HashiCorp Consul lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true.

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

This advisory has been marked as a False Positive and has been removed.

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Splunk-SDK-Python before 1.6.6 does not properly verify untrusted TLS server certificates, which could result in man-in-the-middle attacks.

The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

A flaw was found in libssh2 A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out-of-bounds memory write error.

An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

An integer overflow flaw, which could lead to an out-of-bounds write, was discovered in libssh2 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

An out-of-bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

An out-of-bounds read flaw was discovered in libssh2 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

A code injection issue was discovered in ipycache versions up to 0.1.4.

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.

Apache Karaf kar deployer reads .kar archives and extracts the paths from the "repository/" and "resources/" entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it doesn't do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with ".." directory names and break out of the …

A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos. A malicious actor can therefore gain root-level code execution on the host.

The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.

utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) is vulnerable to Command Injection. It does not validate user input allowing attackers to execute arbitrary commands.

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583.

Under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with the openid scope and a prompt=none value. This allows phishing attacks against the authorization flow.

Moodle allows SSRF.

A path traversal vulnerability in localhost-now allows the attackers to read content of arbitrary files on the remote server.

Apache Karaf kar deployer reads .kar archives and extracts the paths from the repository/ and resources/ entries in the zip file. It then writes out the content of these paths to the Karaf repo and resources directories. However, it does not do any validation on the paths in the zip file. This means that a malicious user could craft a .kar file with .. directory names and break out of …

A path traversal vulnerability in serve allows attackers to read content of arbitrary files on the remote server.

An integer overflow flaw which could lead to an out-of-bounds write was discovered in libssh2 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

An out-of-bounds read flaw was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

An out-of-bounds read flaw was discovered in libssh2 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

An out-of-bounds read flaw was discovered in libssh2 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.

If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module.

A bug in handling the ignore files and directories feature in serve allows an attacker to read a file or list the directory that the victim has not allowed access to.

Apache Hadoop blocks users or grants access to users incorrectly, if the system uses non-default groups mapping mechanisms.

DNN (formerly DotNetNuke) allows cross-site scripting (XSS) via XML.

python-gnupg allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted.

Chloride's use of net-ssh resulted in host fingerprints for previously unknown hosts getting added to the user's known_hosts file without confirmation.

When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan.

Cross-site Scripting vulnerability in drupal.

Cross-site Scripting vulnerability in drupal.

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the "redirect_uri" parameter. …

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

In js/parts/SvgRenderer.js in Highcharts, the use of backtracking regular expressions permitted an attacker to conduct a denial of service attack against the SVGRenderer component, aka ReDoS.

Checkstyle before 8.18 loads external DTDs by default.

Editor.md 1.5.0 has DOM-based XSS via vectors involving the '<EMBED SRC="data:image/svg+xml' substring.

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a …

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive before 1.2.2 and 2.0.x before 2.0.1 doesn't seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a …

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

The LDAP implementation in HiveServer2 in Apache Hive before 1.0.1 and 1.1.x before 1.1.1, as used in IBM InfoSphere BigInsights 3.0, 3.0.0.1, and 3.0.0.2 and other products, mishandles simple unauthenticated and anonymous bind configurations, which allows remote attackers to bypass authentication via a crafted LDAP request.

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application.

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome …

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the user's view of the Spark UI. While some browsers like recent versions of Chrome …

Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.

Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2.3.1 expose an interface through which masking policies can be defined on tables or views, e.g., using Apache Ranger. When a view is created over a given table, the policy enforcement does not happen correctly on the table for masked columns.

A stack-based buffer overflow may allow remote attackers to execute arbitrary code on embedded platforms via traffic on Port/TCP or crafted JSON inputs.

An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.

azure-umqtt-c (available through GitHub October 6) allows remote attackers to cause a denial of service via unspecified vectors.

Sandbox Information Disclosure.

An XSS issue was discovered in the Admin UI in eZ Platform.

There is a Server Side Request Forgery in Apache Solr. Because the shards parameter does not have a corresponding allowlist mechanism, a remote attacker with access to the server could make Solr perform an HTTP GET request to any reachable URL.

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java allowing attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

A sandbox bypass vulnerability exists in Jenkins Groovy Plugin in src/main/java/hudson/plugins/groovy/StringScriptSource.java allowing attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin in src/main/java/hudson/matrix/FilterScript.java that allowing attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.

Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked …

Controller/Async/FilesystemManager.php in the filemanager in Bolt allows remote attackers to execute arbitrary PHP code by renaming a previously uploaded file to have a .php extension.

An issue was discovered in Dolibarr expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.

A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 which allows an unauthenticated attacker to crash the broker instance by sending specially crafted commands using AMQP protocol versions below 1.0 (AMQP 0-8, 0-9, 0-91 and 0-10). Users of Apache Qpid Broker-J versions 6.0.0-7.0.6 (inclusive) and 7.1.0 utilizing AMQP protocols 0-8, 0-9, 0-91, 0-10 must upgrade to Qpid Broker-J versions 7.0.7 or 7.1.1 or …

In Apache Solr versions, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side.

An issue was discovered in Dolibarr There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.

Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). Attacker can establish a RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affect tests running in Distributed mode.

** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because denylisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor doesn’t consider this issue a vulnerability because the denylist is being misused. SOFA Hessian supports custom denylist and a disclaimer was posted encouraging users to update the denylist or to use the allowlist feature for their …

In Apache Airflow before 1.10.2, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views.

A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting Engine Elevation of Privileged Vulnerability'.

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0648.

HashiCorp Consul (and Consul Enterprise) allows a client to bypass intended access restrictions and obtain the privileges of one other arbitrary token within secondary datacenters, because a token with literally <hidden> as its secret is used in unusual circumstances.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0652, CVE-2019-0655.

When parsing a JSON payload with deeply nested JSON structures, the parser in Apache Mesos might overflow the stack due to unbounded recursion.

elFinder has a command injection vulnerability in the PHP connector.

In irisnet-crypto, the util/utils.js file allows code execution because of unsafe eval usage.

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

Versions of bootstrap prior to 3.4.1 for 3.x and 4.3.1 for 4.x are vulnerable to Cross-Site Scripting (XSS). The data-template attribute of the tooltip and popover plugins lacks input sanitization and may allow attacker to execute arbitrary JavaScript.

SQL injection vulnerabilities have been found in multiple call handlers in Koji’s hub code. An anonymous attacker can use these vulnerabilities to issue arbitrary database commands.

Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases.

Some field types do not properly sanitize data from non-form sources in Drupal. This can lead to arbitrary PHP code execution in some cases.

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

In Bootstrap, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap, XSS is possible in the tooltip or popover data-template attribute.

In Bootstrap, XSS is possible in the tooltip or popover data-template attribute.

igniteui downloads JavaScript and CSS resources over insecure protocol.

index.js in Total.js Platform allows path traversal.

cobalt-cli downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.

A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where …

MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth.

sequelize is an Object-relational mapping, or a middleman to convert things from Postgres, MySQL, MariaDB, SQLite and Microsoft SQL Server into usable data for NodeJS If user input goes into the limit or order parameters, a malicious user can put in their own SQL statements. This affects sequelize 3.16.0 and earlier.

waterline-sequel is a module that helps generate SQL statements for Waterline apps Any user input that goes into Waterline's like, contains, startsWith, or endsWith will end up in waterline-sequel with the potential for malicious code. A malicious user can input their own SQL statements in waterline-sequel 0.50 that will get executed and have full access to the database.