There is an illegal address access at asm/preproc.c (function: is_mmacro) in Netwide Assembler (NASM) rc16 that will cause a denial of service (out-of-bounds array access) because a certain conversion can result in a negative integer.
The SAML broker consumer endpoint in Keycloak ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
A bypass vulnerability in Active Storage for Google Cloud Storage and Disk services allow an attacker to modify the content-disposition and content-type parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path. This vulnerability has been fixed
A Broken Access Control vulnerability in Active Job
A Broken Access Control vulnerability in Active Job allows attackers to craft user input which, when deserialized through Active Job, could give them access to information that they should not have.
A bypass vulnerability in Active Storage for Google Cloud Storage and Disk services allow an attacker to modify the content-disposition and content-type parameters which can be used in with HTML files and have them executed inline. Additionally, if combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path.
Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.
ShowDoc allows remote attackers to edit other users' notes by navigating with a modified page_id.
server/index.php?s=/api/teamMember/save in ShowDoc has a CSRF that can add members to a team.
ShowDoc allows remote attackers to obtain sensitive information by navigating with a modified page_id, as demonstrated by reading note content, or discovering a username in the JSON data at a diff URL.
Apache Hadoop contains an incomplete security fix for CVE-2016-6811. A user who can escalate to yarn user can possibly run arbitrary commands as root user.
Persistent cross-site scripting (XSS) vulnerability in Umbraco CMS allows authenticated users to inject arbitrary web script via the Header Name of a content (Blog, Content Page, etc.). The vulnerability is exploited when updating or removing public access of a content.
The login form is not protected by a token to prevent login cross-site request forgery.
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of flatmap-stream are encouraged to remove the dependency entirely.
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of flatmap-stream are encouraged to remove the dependency entirely.
In PHP Proxy, any user can read files from the server without authentication.
ShowDoc has an XSS via the lang parameter because install/database.php mishandles the $cur_lang value.
Codiad allows remote authenticated administrators to execute arbitrary code by uploading an executable file.
Py-EVM v0.2.0-alpha.33 allows attackers to make a vm.execute_bytecode call that triggers computation._stack.values with '"stack": [100, 100, 0]' where b'\x' was expected, resulting in an execution failure because of an invalid opcode. This is reportedly related to "smart contracts can be executed indefinitely without gas being paid."
In Apache Hive 2.3.3, 3.1.0 and earlier, local resources on HiveServer2 machines are not properly protected against malicious user if ranger, sentry or sql standard authorizer is not in use.
In Apache Hive 2.3.3, 3.1.0 and earlier, Hive "EXPLAIN" operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do "EXPLAIN" on arbitrary table or view and expose table metadata and statistics.
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
REST API returns list of all site accesses.
In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect hive cli user and hiveserver2 user …
In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because FTP client code in HPL/SQL does not verify the destination location of the downloaded file. This does not affect hive cli user and hiveserver2 user …
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound …
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound …
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
An issue was discovered in YMFE YApi There is stored XSS in the name field of a project.
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
SimpleMDE has XSS via an onerror attribute of a crafted IMG element, or via certain input with [ and ( characters, which is mishandled during construction of an A element.
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
The authorization framework in Apache Hive 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0 and 1.2.1, on clusters protected by Ranger and SqlStdHiveAuthorization, allows attackers to bypass intended parent table access restrictions via unspecified partition-level operations.
Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.
Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.
Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.
EZSA-2018-009 Do not interpret PHP/PHAR uploads
In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.
In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs (xpath/xpath_string/xpath_boolean/xpath_number/xpath_double/xpath_float/xpath_long/xpath_int/xpath_short) to expose the content of a file on the machine running HiveServer2 owned by HiveServer2 user (usually hive) if hive.server2.enable.doAs=false.
User data disclosure in repository-forms.
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server.
In all versions of Apache Spark, the standalone resource manager accepts code to execute on a master host, that then runs that code on worker hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound …
The code in php/upload.php does not check for a file type or for requiring any authentication allowing a user to upload an executable file to the /uploads/ directory if it exists.
Passing an absolute path to a file_exists check in phpBB allows Remote Code Execution through Object Injection by employing Phar deserialization when an attacker has access to the Admin Control Panel with founder permissions.
Centreon allows SQL Injection via the searchVM parameter.
PHPMailer is vulnerable to an object injection attack.
When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted …
Centreon allows XSS via the Service field to the URI.
An issue was discovered in Valine which allows HTML injection. This vulnerability can be exploited for JavaScript execution via an EMBED element in conjunction with a .pdf file.
securityScan() in PHPOffice PhpSpreadsheet allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file.
securityScan() in PHPOffice PhpSpreadsheet allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file.
Centreon allows SNMP trap SQL Injection.
Centreon allows SQL Injection via the main.php searchH parameter.
A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability."
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8588.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8557, CVE-2018-8588.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, CVE-2018-8588.
CKEditor allows user-assisted XSS involving a source-mode paste.
CKEditor allows user-assisted XSS involving a source-mode paste.
Centreon is vulnerable to XSS via the resource name or macro expression of a poller macro.
The Redirect URL for both Login and Logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect url is verified. This can lead to an Open Redirection attack.
There is a possible DoS vulnerability in the multipart parser in Rack. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
Apache Hadoop is exploitable via the zip slip vulnerability in locations that accept a zip file.
PHP-Proxy allows remote attackers to read local files if the default pre-installed version (intended for users who lack shell access to their web server) is used. This occurs because the app_key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion.
The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the transport.ssl(…) methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed.
When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.
There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to HTTP or HTTPS and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, …
When using response_mode=form_post it is possible to inject arbitrary Javascript-Code via the state-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.
Netwide Assembler (NASM) has a use-after-free in detoken at asm/preproc.c.
Netwide Assembler (NASM) rc15 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for insufficient input.
Netwide Assembler (NASM) rc16 has a heap-based buffer over-read in expand_mmac_params in asm/preproc.c for the special cases of the % and $ and ! characters.
cmd/evm/runner.go in Go Ethereum (aka geth) allows attackers to cause a denial of service (SEGV) via crafted bytecode.
Netwide Assembler (NASM) rc15 has a NULL pointer dereference in the function find_label in asm/labels.c that will lead to a DoS attack.
Netwide Assembler (NASM) rc16 has memory leaks that may lead to DoS, related to nasm_malloc in nasmlib/malloc.c.
ethereumjs-vm allows attackers to cause a denial of service (vm.runCode failure and REVERT) via a code: Buffer.from(my_code, 'hex') attribute.
Caddy sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and …
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits.
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits.
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).
Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of a field composed of many decimal digits.
A time-sensitive equality check on the JWT signature in the JsonWebToken.validate method in main/scala/authentikat/jwt/JsonWebToken.scala in authentikat-jwt (aka com.jason-goodwin/authentikat-jwt) version 0.4.5 and earlier allows the supplier of a JWT token to guess bit after bit of the signature by repeating validation requests.
Flarum Core leaks email addresses.
Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name.
In Apache Spark before 2.2.0, it is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS …
Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and map share control
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to …
From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property 'spark.authenticate.secret' establishes a shared secret for authenticating requests to submit jobs via spark-submit. However, the REST API does not use this or any other authentication mechanism, and this is not adequately documented. In this case, a user would be able to …
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the …
In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the …
The Hive EXPLAIN operation does not check for necessary authorization of involved entities in a query. An unauthorized user can do EXPLAIN on arbitrary table or view and expose table metadata and statistics.
In Apache Hive, local resources on HiveServer2 machines are not properly protected against a malicious user if ranger, sentry or sql standard authorizer is not in use.
Superset uses an unsafe load method from the pickle library to deserialize data leading to possible remote code execution.
SimpleMDE suffers from XSS via an onerror attribute of a crafted IMG element, or via certain input with [ and ( characters, which is mishandled during construction of an A element.
pandao Editor.md is vulnerable to XSS via input starting with a << substring, which is mishandled during construction of an A element.
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "" (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
python-gnupg 0.3.5 and 0.3.6 allow for shell injection via a failure to escape backslashes in the shell_quote() function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.
A Path Traversal in Knightjs allows an attacker to read content of arbitrary files on a remote server.
A path traversal in takeapeek module allows an attacker to list directory and files.
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.
The validator package before 2.0.0 for Node.js allows remote attackers to bypass the cross-site scripting (XSS) filter via hex-encoded characters.
Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as name[]=<script>alert(1)</script>, it is possible to bypass autoescaping and inject content into the DOM.
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to file read, file write, and code execution.
Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
A prototype pollution attack in cached-path-relative allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS attack.
Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
An administrator with user search entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can recover sensitive security values using the fiql and orderby parameters.
A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.
A stored xss in tianma-static module versions allows an attacker to execute arbitrary javascript.
The RichFaces Framework is vulnerable to Expression Language (EL) injection via the UserResource resource.
baserCMS allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form.
An issue was discovered in baserCMS In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.
Gitea allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
xhEdit allows XSS via JavaScript code in the SRC attribute of an IFRAME element within the editor's source-code view.
An issue was discovered in com\mingsoft\basic\action\web\FileAction.java in MCMS 4.6.5. Since the upload interface does not verify the user login status, you can use this interface to upload files without setting a cookie. First, start an upload of JSP code with a .png filename, and then intercept the data packet. In the name parameter, change the suffix to jsp. In the response, the server returns the storage path of the file, …
An issue was discovered in com\mingsoft\cms\action\GeneraterAction.java in MCMS 4.6.5. An attacker can write a .jsp file (in the position parameter) to an arbitrary directory via a ../ Directory Traversal in the url parameter.
python-kdcproxy before 0.3.2 allows remote attackers to cause a denial of service via a large POST request.
EZSA-2018-006 XSS vulnerability in 'disabled module' error template