Advisories

AdPlug has a double free in the Cu6mPlayer class in u6m.h.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, …

A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby's Kernel.open method.

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename.

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

It was found that Keycloak's SAML broker did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

This issue has been marked as a false positive.

An issue was discovered in Dolibarr. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Istio mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

An issue was discovered |20 Storage A Path Traversal vulnerability in the TwentyTwenty.Storage library in the LocalStorageProvider allows creating and reading files outside of the specified basepath. If the application using this library does not sanitize user-supplied filenames, then this issue may be exploited to read or write arbitrary files. This affects LocalStorageProvider.cs.

An issue was discovered in the mysql (aka mysqljs) module for Node.js. The LOAD DATA LOCAL INFILE option is open by default.

Bagisto allows CSRF under /admin URIs.

A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version allows a remote attacker to perform HTTP requests to internal endpoints.

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

verdaccio allows XSS.

The Backpack component for Laravel allows XSS via the select field type.

AdPlug has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp.

AdPlug has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp.

AdPlug has multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp.

The PHP JOSE Library is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin does not properly apply masking to some values expected to be hidden when logging the configuration being applied.

YOURLS is affected by a type juggling vulnerability in the api component that can result in login bypass.

In certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem)

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

AdPlug has a heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp.

AdPlug has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp.

AdPlug has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.

In Apache Tika, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs.

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper.

A server-side request forgery (SSRF) vulnerability exists in Magento. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper.

An insecure direct object reference (IDOR) vulnerability in Magento can lead to unauthorized disclosure of company credit history details.

A remote code execution vulnerability exists in Magento. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.

A remote code execution vulnerability exists in Magento. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.

A cryptograhic flaw in Magento could be abused by an unauthenticated user to discover an invariant used in gift card generation.

A stored cross-site scripting vulnerability exists in the product catalog form of Magento. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This can be exploited by an authenticated user with permissions to manage customer groups.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This can be exploited by an authenticated user with permissions to manage tax rules.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify product information.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento. An authenticated user with privileges to the editor can inject malicious SWF files.

A reflected cross-site scripting vulnerability exists in the admin panel of Magento when the feature that adds a secret key to the Admin URL is disabled.

A cross-site scripting mitigation bypass exists in Magento. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to email templates.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.

A cross-site request forgery vulnerability in Magento can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.

It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's dataConfig parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging/development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. The use of this …

A flaw was found in Jolokia which is vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of method pointer expressions allows attackers to execute arbitrary code in sandboxed scripts.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of type casts allows attackers to execute arbitrary code in sandboxed scripts.

Jenkins Configuration as Code Plugin does not treat the proxy password as a secret to be masked when logging or encrypted for export.

Jenkins Configuration as Code Plugin does not reliably identify sensitive values expected to be exported in their encrypted form.

Missing permission checks in Jenkins Configuration as Code Plugin in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins.

Jenkins Configuration as Code Plugin does not properly apply masking to values expected to be hidden when logging the configuration being applied.

Jenkins Configuration as Code Plugin does not not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Teachers in a quiz group could modify group overrides for other groups in the same quiz.

Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

Teachers in an assignment group could modify group overrides for other groups in the same assignment.

A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.

This is a Cross-Site Request Forgery (CSRF) vulnerability. It affects Socket.IO and Engine.IO web servers that authenticate clients using cookies.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

A flaw was discovered in the way Ansible templating was implemented causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

Yarn is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.

Cross-site scripting (XSS) vulnerability in http-file-server allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

Cross-site scripting (XSS) vulnerability in min-http-server allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser.

When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user …

When Rancher starts for the first time, it creates a default admin user with a well-known password. After initial setup, the Rancher administrator may choose to delete this default admin user. If Rancher is restarted, the default admin user will be recreated with the well-known default password. An attacker could exploit this by logging in with the default admin credentials. This can be mitigated by deactivating the default admin user …

The yard package is vulnerable to path traversal.

SubTypeValidator.java in FasterXML jackson-databind mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

stacktable.js allows XSS.

In Pallets Werkzeug, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.

A cross-site scripting (XSS) vulnerability in upload.php in SunHater KCFinder allows remote attackers to inject arbitrary web script or HTML via the CKEditorFuncNum parameter.

Zendesk Samlr allows attackers to perform XML injection attacks.

Ladon since 0.6.1 (since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059) is affected by: XML External Entity (XXE). The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance: https://bitbucket.org/jakobsg/ladon/src/42944fc012a3a48214791c120ee5619434505067/src/ladon/interfaces/soap.py#lines-688. The attack vector is: Send a specially crafted SOAP call.

In Apache Storm, when the user is using the storm-kafka-client, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.

An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server.

In Apache Storm, when the user is using the storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class.

The simple_captcha2 gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The datagrid gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

aubio v0.4.0 to v0.4.8 has a NULL pointer dereference in new_aubio_filterbank via invalid n_filters.

MetadataExtract allows stack consumption.

undertow is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

The Apache Storm Logviewer daemon exposes HTTP-accessible endpoints to read/search log files on hosts running Storm. In Apache Storm versions it is possible to read files off the host's file system that were not intended to be accessible via these endpoints.

lodash is vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

The package marginalia is affected by an SQL injection vulnerability enabling attackers to inject HTTP parameters/Headers into SQL queries.

In libnasm.a in Netwide Assembler (NASM), asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.

ServiceStack ServiceStack Framework The fixed version is:

OSS Http Request (Apache Cordova Plugin) does not properly validate SSL certificates, rendering the system vulnerable to certificate spoofing.

It was found that xstream API introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

scapy is affected by a Denial of Service vulnerability resulting in an infinite loop and resource consumption rendering the program unresponsive. The component is: _RADIUSAttrPacketListField.getfield(self..). The attack vector is over the network or in a pcap. both work.

The Pallets Project Flask before 1.0 is affected by unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. The fixed version is 1. NOTE this may overlap CVE-2018-1000656.

Premium Software CLEdit The impact is: An attacker might be able to inject arbitrary html and script code into the web site. The component is: jQuery plug-in. The attack vector is: the victim must open a crafted href attribute of a link (A) element.

lodash prior to 4.17.11 is affected by CWE-400 Uncontrolled Resource Consumption. The impact is a Denial of service. The component is the Date handler. The attack vector is an Attacker provides very long strings, which the library attempts to match using a regular expression.

lodash prior to 4.17.11 is affected by CWE-400 Uncontrolled Resource Consumption. The impact is a Denial of service. The component is the Date handler. The attack vector is an Attacker provides very long strings, which the library attempts to match using a regular expression.

python-libnmap is affected by a Billion-Laughs -style XML injection vulnerability.

Firefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing.

Firefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing.

Gitea is affected by a Cross Site Scripting vulnerability. An attacker may be able execute arbitrary JS in a victim's browser.

Firefly III is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page.

Firefly III is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query.

Dolibarr is affected by a Cross Site Request Forgery vulnerability.

lodash is affected by Uncontrolled Resource Consumption which can lead to a denial of service.

A path traversal vulnerability in Jenkins in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

A vulnerability in the Stapler web framework allowed attackers to access view fragments directly, bypassing permission checks and possibly obtain sensitive information.

tinymce The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.

A security feature bypass vulnerability exists in Windows Defender Application Control (WDAC) which could allow an attacker to bypass WDAC enforcement, aka 'Windows Defender Application Control Security Feature Bypass Vulnerability'.

CSRF tokens in Jenkins did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.

In libssh2 such as CVE-2019-3855.

invenio-app allows host header injection.

The field_test gem 0.3.0 for Ruby has unvalidated input. A method call that is expected to return a value from a certain set of inputs can be made to return any input, which can be dangerous depending on how applications use it. If an application treats arbitrary variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS).

A Cross-Site Scripting (XSS) vulnerability was discovered when rendering JSON for a record in the administration interface. The vulnerability could be exploited by e.g. a user who had access to upload a new record, that an admin user would then later view in the admin interface.

Several Cross-Site Scripting (XSS) vulnerabilities have been found in the JSON, Markdown and iPython Notebook previewers. The vulnerabilities would allow a malicous user to upload a JSON, Markdown or Notebook file with embedded scripts that would be executed by a victims browser.

A Cross-Site Scripting (XSS) vulnerability was discovered in two Jinja templates in the Invenio-Communities module. The vulnerability allows a user to create a new community and include script element tags inside the description and page fields.

A spoofing vulnerability exists in ASP.NET Core that could lead to an open redirect, aka 'ASP.NET Core Spoofing Vulnerability'.

A path traversal vulnerability of the http-file-server npm module allows attackers to list files in arbitrary folders.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1106, CVE-2019-1107.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1004, CVE-2019-1056, CVE-2019-1059.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1107.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107.

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

Dolibarr is affected by Cross Site Scripting (XSS) in htdocs/product/stats/card.php.

Slanger is affected by a remote code execution. A remote attacker can execute arbitrary commands by sending a crafted request to the server.

The paranoid2 gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

In lib/mini_magick/image.rb in MiniMagick, a fetched remote image filename could cause remote command execution.

A missing permission check in Jenkins Docker Plugin in various fillCredentialsIdItems methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

A missing permission check in Jenkins Docker Plugin in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

In Apache Kafka it is possible to manually craft a Produce request which bypasses transaction/idempotent ACL validation.

parse-server before 3.6.0 allows account enumeration.

Nuxt.js mishandles object keys, leading to XSS.

@nuxt/devalue mishandles object keys, leading to XSS.

Gitea is affected by a Cross Site Scripting (XSS) vulnerability. an attacker may be able to execute arbitrary JS code in the victim's browser.

A cross-site request forgery vulnerability in Jenkins Docker Plugin in DockerAPI.DescriptorImpl#doTestConnection allows users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Attacker can construct a special url and send it to a victim, when the victim click the url, the code which is contained in the url will be executed on the victim's browser side.

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Versions of lodash lower than are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Path traversal vulnerability in serve-here.js npm module allows attackers to list any file in arbitrary folder.

An issue has been found in third-party PNM decoding associated with libpng It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.

libpng does not properly check the length of chunks against the user limit.

Contao allows SQL Injection.

An issue was discovered in FasterXML jackson-databind. The use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content.

TYPO3 allows Deserialization of Untrusted Data.

Reflected Cross-Site-Scripting in simplesamlphp.

TYPO3 allows XSS.

The strong_password gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

Flarum allows CSRF against all POST endpoints, as demonstrated by changing admin settings.

Relative Path Traversal in serve-here.

OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

All users of versions prior to 0.5.1 can receive incorrect response from daemon under rare conditions, rendering downgrade of effective STS policy.

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. This attack occurs when an attacker inserts a header field that is exactly the size of the HPACK dynamic header table into the dynamic header table. The attacker can then send a header block that is simply repeated requests …

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Versions of mem are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.

When user POST the XML formats parameter to CodeIgniter Rest Server, the parameter is not properly sanitized before being used in a call to the simplexml_load_string() function. This can be exploited to carry out XML External Entity attacks.

Hawt Hawtio is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI.

DNN (aka DotNetNuke) incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

DNN (aka DotNetNuke) incorrectly converts encryption key source values, resulting in lower than expected entropy.

DNN (aka DotNetNuke) uses a weak encryption algorithm to protect input parameters.

DNN (aka DotNetNuke) uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

Subrion CMS has XSS.

infusionsoft-php-sdk is vulnerable to a reflected XSS in the leadscoring.php resulting code execution

The vulnerability is a high severity one. Anyone using Django REST Registration library versions 0.2.* - 0.4.* with e-mail verification option (which is recommended, but needs additional configuration) is affected. In the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).

fstream is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

An issue was discovered in mxGraph related to the draw.io Diagrams plugin for Confluence and other products. Improper input validation/sanitization of a color field leads to XSS. This is associated with javascript/examples/grapheditor/www/js/Dialogs.js.

Centreon allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

In numbers.c in libxslt, which is used by nokogiri, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

In numbers.c in libxslt, which is used by nokogiri, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters [AaIi0], or any other character.

In DiffPlug Spotless (library and Maven plugin), the XML parser would resolve external entities over both HTTP and HTTPS and ignores the resolveExternalEntities setting. This allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file.

In DiffPlug Spotless, the XML parser would resolve external entities over both HTTP and HTTPS and ignores the resolveExternalEntities setting. This could allow disclosure of file contents to a MITM attacker, if a victim performs a spotlessApply operation on an untrusted XML file.

Istio mishandles certain access tokens, leading to Epoch 0 terminated with an error in Envoy. This is related to a jwt_authenticator.cc segmentation fault.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in mobile-icon-resizer.

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak …

JSONP allows untrusted resource URLs, which provides a vector for attack by malicious actors.

The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.

In Couchbase Sync Gateway, an attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters startkey and endkey on the _all_docs endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial of service conditions. The _all_docs endpoint is not required for …

Spring Security supports plain text passwords using PlaintextPasswordEncoder. a malicious user (or attacker) can authenticate using a password of null.

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.

Spring Security support plain text passwords using PlaintextPasswordEncoder. a malicious user (or attacker) can authenticate using a password of null.

A web service fetching messages was not restricted to the current user's conversations.

Security Misconfiguration in Frontend Session Handling.

Security Misconfiguration in Frontend Session Handling.

Insecure Deserialization in TYPO3 CMS.

Insecure Deserialization in TYPO3 CMS.

Information Disclosure in Backend User Interface.

Information Disclosure in Backend User Interface.

Broken Access Control in Import Module.

Broken Access Control in Import Module.

Possible deserialization side-effects in symfony/cache.

Possible deserialization side-effects in symfony/cache.

Cross-Site Scripting in Link Handling.

Cross-Site Scripting in Link Handling.

Arbitrary Code Execution and Cross-Site Scripting in Backend API.

Arbitrary Code Execution and Cross-Site Scripting in Backend API.

libexpat in Expat, XML input including XML names that contain many colons could make the XML parser consume a high amount of RAM and CPU resources while processing, leading to a possible denial-of-service attack.

FasterXML jackson-databind might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Shopware has XSS via the Query String to the backend/Login or backend/Login/load/ URI.

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

When an Apache Geode server is operating in secure mode, a user with write permissions for specific data regions can modify internal cluster metadata. A malicious user could modify this data in a way that affects the operation of the cluster.

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though and can be used to perform any API operation the user is authorized to perform.

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks. Recommendation Upgrade to version 3.18.0 or later.

A Regular Expression Denial of Service vulnerability was discovered in esm The issue is that esm's find-indexes is using the unescaped identifiers in a regex, which, in this case, causes an infinite loop.

Versions less than of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js ).

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in open.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Leaking cached authenticated requests Impact If you've been using one MemoryCacheMethod object in multiple instances of Gw2WebApiClient and are requesting authenticated endpoints with different access tokens, then you are likely to run into this bug. When using an instance of MemoryCacheMethod and using it with multiple instances of Gw2WebApiClient, there's a possibility that cached authenticated responses are leaking to another request to the same endpoint, but with a different Guild …

An issue was discovered in RubyGems. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.

An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.

An issue was discovered in RubyGems. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)

A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is evaluated by ensure_loadable_spec during the pre-installation check.

An issue was discovered in RubyGems. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS). The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s f characters but grows exponentially with larger inputs. Upgrade to or higher.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in constantinople.

All versions of squel are vulnerable to sql injection. The squel package does not properly escape user provided input when provided using the setFields method. This could lead to sql injection if the query was then executed. Proof of concept demonstrating the injection of a single quote into a generated sql statement from user provided input. > console.log(squel.insert().into('buh').setFields({foo: "bar'baz"}).toString()); INSERT INTO buh (foo) VALUES ('bar'baz') ``` ## Recommendation There is …

A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root.

Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. …

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

XML Entity Expansion (Billion Laughs Attack) on Pippo 1.12.0 results in Denial of Service.Entities are created recursively and large amounts of heap memory is taken. Eventually, the JVM process will run out of memory. Otherwise, if the OS does not bound the memory on that process, memory will continue to be exhausted and will affect other processes on the system.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lutils-merge.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in @apollo/gateway.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in wiki-plugin-datalog.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ids-enterprise.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ids-enterprise.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ids-enterprise.

** DISPUTED ** A deserialization vulnerability exists in the way parso through 0.4.0 handles grammar parsing from the cache. Cache loading relies on pickle and, provided that an evil pickle can be written to a cache grammar file and that its parsing can be triggered, this flaw leads to Arbitrary Code Execution. NOTE: This is disputed because "the cache directory is not under control of the attacker in any common …

In createInstanceFromNamedArguments in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.

Spring Security OAuth could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked …

All versions of sql are vulnerable to sql injection as it does not properly escape parameters when building SQL queries. No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1051, CVE-2019-1052.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1051, CVE-2019-1052.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003, CVE-2019-1024, CVE-2019-1052.

Versions of npmconf allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js Update to or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should not be used.

An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t,exchange).

The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (http or ldap) and hence the caller should verify the signature and possibly the certification path. Keycloak currently does not validate signatures on CRL, which …

It was found that Keycloak's Node.js adapter did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1023.

An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge, aka 'Scripting Engine Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0990.

fs-path is vulnerable to command injection is unsanitized user input is passed in.

SQL injection vulnerability in silverstripe/registry allows attackers to execute arbitrary SQL commands.

SQL injection vulnerability in silverstripe/restfulserver allows attackers to execute arbitrary SQL commands.

Relative Path Traversal in m-server.

Relative Path Traversal in localhost-now.

An XML external entities (XXE) vulnerability in Jenkins Token Macro Plugin allows attackers, who are able to control the content of the input file for the "XML" macro, to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in node-os-utils.

Versions of http-proxy-agent are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to Buffer. ## Recommendation Update to or later.

Cross Site Request Forgery (CSRF) Protection Bypass in GraphQL.

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.

Ruby OpenID (aka ruby-openid) has a remotely exploitable flaw. This library is used by Rails web applications to integrate with OpenID Providers. Severity can range from medium to critical, depending on how a web application developer chose to employ the ruby-openid library. Developers who based their OpenID integration heavily on the "example app" provided by the project are at highest risk.

HTML Injection has been discovered in the Fat Free CRM product via an authenticated request to the /comments URI.

A vulnerability exists in Rancher in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics, e.g., displaying a "This version of Rancher is outdated, please visit https://malicious.rancher.site/upgrading" message.

A vulnerability exists in Rancher in the login component, where the errorMsg parameter can be tampered to display arbitrary content, filtering tags but not special characters or symbols. There's no other limitation of the message, allowing malicious users to lure legitimate users to visit phishing sites with scare tactics.

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

A Regular Expression vulnerability was found in nwmatcher The fix replacing multiple repeated instances of the "\s*" pattern.

All versions of express-brute are vulnerable to Rate Limiting Bypass. Concurrent requests may lead to race conditions that cause the package to incorrectly count requests. This may allow an attacker to bypass the rate limiting provided by the package and execute requests without limiting. No fix is currently available. Consider using an alternative module until a fix is made available.

A vulnerability was found in querystringify It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string.

aubio has a new_aubio_onset NULL pointer dereference.

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

aubio has a Buffer Overflow vulnerability in new_aubio_tempo

Versions of express-basic-auth are vulnerable to Timing Attacks. The package uses nating string comparison instead of a constant time string compare which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the exponential increase in entropy gained from longer secrets.

Versions of typeorm before 0.1.15 are vulnerable to SQL Injection. Field names are not properly validated allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation Upgrade to version 0.1.15

Versions of jwt-simple prior to 0.5.3 are vulnerable to Signature Verification Bypass. If no algorithm is specified in the decode() function, the packages uses the algorithm in the JWT to decode tokens. This allows an attacker to create a HS256 (symmetric algorithm) JWT with the server's public key as secret, and the package will verify it as HS256 instead of RS256 (asymmetric algorithm). Recommendation Upgrade to version 0.5.3 or later.

Relative Path Traversal in servey.

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 2.3.1 or higher.

A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems …

Versions of redbird have a vulnerable default configuration of allowing TLS connections on lib/proxy.js. The package does not provide an option to disable TLS which is deprecated and vulnerable. Upgrade to or later.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in upmerge.

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.

A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.

In Rancher, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain data to the cloud. The problem is that a user could choose to post a sensitive file such as /root/.kube/config or /var/lib/rancher/management-state/cred/kubeconfig-system.yaml.

HashiCorp has Incorrect Access Control. Keys not matching a specific ACL rule used for prefix matching in a policy can be deleted by a token using that policy even with default deny settings configured.

The Chartkick gem for Ruby allows XSS.

In Rancher, Project owners can inject additional fluentd configuration to read files or execute arbitrary commands inside the fluentd container.

A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature.

Versions of sequelize-cli are vulnerable to Sensitive Data Exposure. The function filteredURL() does not properly sanitize the config.password value which may cause passwords with special characters to be logged in plain text. ## Recommendation

Relative Path Traversal in statics-server.

Versions of marked prior to 0.6.2 and later than 0.3.14 is vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion. Recommendation Upgrade to version 0.6.2 or later.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

clean-css is vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service. Recommendation Upgrade to version 4.1.11 or higher.

Versions of tesseract.js default to using a third-party proxy. Requests may be proxied through crossorigin.me which clearly states is not suitable for production use. This may lead to instability and privacy violations. Upgrade to or later.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in dot.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

Istio has Incorrect Access Control.

Urgent Upgrade The static file server module included with GUN had a serious vulnerability: Using curl –path-as-is allowed reads on any parent directory or files. This did not work via the browser or via curl without as-is option. Fixed This has been fixed since version 0.2019.416 and higher. Who Was Effected? Most NodeJS users who use the default setup, such as: npm start node examples/http.js Heroku 1-click-deploy Docker Now If …

All versions of url-relative are vulnerable to Denial of Service. If the values to and from are equal, the function hangs and never returns. This may cause a Denial of Service. No fix is currently available. Consider using an alternative module until a fix is made available.

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service. Recommendation Upgrade to version 3.13.0.

Versions of canvas prior to 1.6.10 are vulnerable to Denial of Service. Processing malicious JPEGs or GIFs could crash the node process. Recommendation Upgrade to version 1.6.10

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. (This module is not generally used in production systems so the attack surface is expected to be low, but affected systems are recommended to upgrade immediately.)

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

Versions of pem expose sensitive data when the readPkcs12 is used. The readPkcs12 function reads the certificate and key data from a pkcs12 file using the encryption password. As part of this process it creates a globally readable file with a filename of random 0-f characters in the temporary directory containing the password which is then read by OpenSSL. The file containing the password is never cleaned up after it …

Versions of floody are vulnerable to remote memory exposure. . appending a chunk of uninitialized memory. Proof of Concept: var f = require('floody')(process.stdout); f.write(USERSUPPLIEDINPUT); 'f.stop(); ## Recommendation Update to or later.

Versions of byte allocate uninitialized buffers and read data from them past the initialized length Update to or later.

Versions of sequelize prior to 4.12.0 are vulnerable to NoSQL Injection. Query operators such as $gt are not properly sanitized and may allow an attacker to alter data queries, leading to NoSQL Injection. Recommendation Upgrade to version 4.12.0 or later

Versions of loopback-connector-mongodb are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where property in a filter to execute JavaScript (client can pass in a malicious script) on the database Driver. This is an intended feature of MongoDB unless disabled (instructions …

Grails uses cleartext HTTP to resolve the SDKMan notification service.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in opencv.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in js-yaml.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cloudcmd.

Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent. Proof of concept const WebSocket = require('ws'); const net = require('net'); const wss = new WebSocket.Server({ port: 3000 }, function () { const payload = 'constructor'; // or ',;constructor' const request = [ 'GET / HTTP/1.1', 'Connection: Upgrade', 'Sec-WebSocket-Key: test', 'Sec-WebSocket-Version: 8', Sec-WebSocket-Extensions: ${payload}, 'Upgrade: websocket', '\r' …

secure-compare 3.0.0 and below do not actually compare two strings properly. compare was actually comparing the first argument with itself, meaning the check passed for any two strings of the same length.

Versions of express-cart before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users. Recommendation Update to version 1.1.6 or later.

Versions of tunnel-agent are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number. Proof-of-concept: require('request')({ method: 'GET', uri: 'http://www.example.com', tunnel: true, proxy:{ protocol: 'http:', host:'127.0.0.1', port:8080, auth:USERSUPPLIEDINPUT // number } }); ``` Update to or later.

Versions of concat-stream is vulnerable to memory exposure if userp provided input is passed into write() are not affected due to not using unguarded Buffer constructor. Update to or later. If you are unable to update make sure user provided input into the write() function is not a number.

Versions of bl before 0.9.5 and 1.0.1 are vulnerable to memory exposure. bl.append(number) in the affected bl versions passes a number to Buffer constructor, appending a chunk of uninitialized memory Recommendation Update to version 0.9.5, 1.0.1 or later.

ExampleMatcher using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING could return more results than anticipated when a maliciously crafted example value is supplied.

An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.

Versions of ircdkit are vulnerable to a remote denial of service.

Versions of command-exists are vulnerable to command injection. This is exploitable if user input is provided to this module. Update to or later.

Relative Path Traversal in angular-http-server.

Versions of deap before 1.0.1 are vulnerable to prototype pollution. Recommendation Update to version 1.0.1 or later.

In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Versions of base64-url are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when number is passed in input. Update to or later.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in public.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react-svg.

An issue was discovered in Hybrid Group Gobot. The mqtt subsystem skips verification of root CA certificates by default.

Jenkins Gitea Plugin does not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.

All versions of foreman are vulnerable to Regular Expression Denial of Service when requests to it are made with a specially crafted path.

A user who can escalate to yarn user can possibly run arbitrary commands as root user.

All versions of web3 are vulnerable to Insecure Credential Storage. The package stores encrypted wallets in local storage and requires a password to load the wallet. Once the wallet is loaded, the private key is accessible via LocalStorage. Exploiting this vulnerability likely requires a Cross-Site Scripting vulnerability to access the private key. No fix is currently available. Consider using an alternative module until a fix is made available.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in bootbox.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bracket-template.

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

of ipns are vulnerable to improper key validation. This is due to the public key verification was not being performed properly, resulting in any key being valid. Update to or later.

Affected versions of ltt.js resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo ``` No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Versions of terriajs-server are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server allow listed by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain allow listed by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment. Upgrade …

Versions of jquery.terminal are vulnerable to Reflected Cross-Site Scripting. If the application has either of the options anyLinks or invokeMethods set to true, the application may execute arbitrary JavaScript through crafted malicious payloads due to insufficient sanitization.

Versions of concat-with-sourcemaps allocates uninitialized Buffers when a number is passed as a separator. Update to or later.

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in fs-git.

XSS exists in Shave because output encoding is mishandled during the overwrite of an HTML element.

core/api/datasets/internal/actions/Explode.java in the Dataset API in DKPro Core through 1.10.0 allows Directory Traversal, resulting in the overwrite of local files with the contents of an archive.

Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted authorization token from OAuth and uses it to authenticate a user. If an attacker has a token allowing them to read the user details of a victim, they can login as the victim.

Apache Camel contains an XML external entity injection vulnerability due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson component, which was removed.

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

In PrestaShop, the shop_country parameter in the `install/index.Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

Versions of mysql before 2.14.0 is vulnerable to remove memory exposure. Affected versions of mysql package allocate and send an uninitialized memory over the network when a number is provided as a password. Only mysql running on Node.js versions below 6.0.0 is affected due to a throw added in newer node.js versions. Proof of Concept: require('mysql').createConnection({ host: 'localhost', user: 'user', password : USERPROVIDEDINPUT, // number database : 'my_db' }).connect(); Recommendation …

ZooKeeper's getACL() command does not check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

Affected versions of generate-password generate random values that are biased towards certain characters depending on the chosen character sets. This may result in guessable passwords. Update to or later.

Versions of webpack-bundle-analyzer are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

XSS injection in the Grid component.

Jenkins Credentials Plugin allows users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.

XSS injection in the Grid component.

XSS injection in the Grid component.

A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.

A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs …

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

Symfony allows for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

In Symfony, when service ids allow user input, this could allow for SQL Injection and remote code execution.

In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.

In Symfony, when service ids allow user input, this could allow for SQL Injection and remote code execution.

In Symfony, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0884, CVE-2019-0918.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0912, CVE-2019-0913, CVE-2019-0914, CVE-2019-0915, CVE-2019-0916, CVE-2019-0922, CVE-2019-0923, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

In Symfony, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled.

In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to.

It is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

In Symfony it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to.

In Symfony validation messages are not escaped, which can lead to XSS when user input is included.

In Symfony, validation messages are not escaped, which can lead to XSS when user input is included.

In Symfony, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

In Symfony validation messages are not escaped, which can lead to XSS when user input is included.

This package would deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.

If the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.

Certain input files could make the code to enter into an infinite loop when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

This vulnerability relates to the user's browser processing of DUCC webpage input data.The javascript comprising Apache UIMA DUCC (<= 2.2.2) which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.

Certain input files could make the code hang when Apache Sanselan 0.97-incubator was used to parse them, which could be used in a DoS attack. Note that Apache Sanselan (incubating) was renamed to Apache Commons Imaging.

An issue was discovered in Singularity, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

In remarkable lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters.

Simditor allows DOM XSS via an onload attribute within a malformed SVG element.

lib/common/html_re.js in remarkable allows Regular Expression Denial of Service (ReDoS) via a CDATA section.

If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.

core/api/datasets/internal/actions/Explode.java in the Dataset API in DKPro Core allows Directory Traversal, resulting in the overwrite of local files with the contents of an archive.

Path traversal using symlink in npm harp module.

Information exposure through the directory listing in npm's harp module allows to access files that are supposed to be ignored according to the harp server rules.

Apache Karaf Config service provides a install method (via service or MBean) that could be used to travel in any directory and overwrite existing file. The vulnerability is low if the Karaf process user has limited permission on the filesystem.

The PharStreamWrapper (aka phar-stream-wrapper) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

The PharStreamWrapper (aka phar-stream-wrapper) package does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

TYPO3 allows remote code execution because it does not properly configure the applications used for image processing, as demonstrated by ImageMagick or GraphicsMagick.

An issue was discovered in SmtpTransport in CakePHP. An unserialized object with modified internal properties can trigger arbitrary file overwriting upon destruction.

Ratpack generates a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Security Misconfiguration in User Session Handling.

Security Misconfiguration in User Session Handling.

Information Disclosure in Page Tree.

Information Disclosure in User Authentication.

Information Disclosure in Page Tree.

Information Disclosure in User Authentication.

Axios allows attackers to cause a denial of service (application crash) by continuing to accepting content after maxContentLength is exceeded.

Cross-Site Scripting in Fluid Engine.

Cross-Site Scripting in Fluid Engine.

Possible Arbitrary Code Execution in Image Processing.

Possible Arbitrary Code Execution in Image Processing.

Spring Cloud Config allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead a directory traversal attack.

Xtext & Xtend were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised.

Certain input files could make the parser enter an infinite loop when Apache Sanselan (aka Apache Commons Imaging) was used to parse them, which could be used in a DoS attack.

By-passing Protection of PharStreamWrapper Interceptor.

By-passing Protection of PharStreamWrapper Interceptor.

Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.

Xtext & Xtend were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised.

Certain input files could make the parser hang when Apache Sanselan (aka Apache Commons Imaging) was used to parse them, which could be used in a DoS attack.

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service.

A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module.

Server side request forgery (SSRF) in phpBB allows checking for the existence of files and services on the local network of the host through the remote avatar upload function.

The fulltext search component in phpBB allows Denial of Service.

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis distribution.

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Apache Camel's File is vulnerable to directory traversal.

NULL pointer dereference in Google TensorFlow before 1.12.1 could cause a denial of service via an invalid GIF file.

NULL pointer dereference in Google TensorFlow before 1.12.1 could cause a denial of service via an invalid GIF file.

A maliciously crafted meta checkpoint could be used to cause the TensorFlow process to perform an out of bounds read on in process memory.

A maliciously crafted meta checkpoint could be used to cause the TensorFlow process to perform an out of bounds read on in process memory.

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.

Invalid memory access and/or a heap buffer overflow in the TensorFlow XLA compiler in Google TensorFlow before 1.7.1 could cause a crash or read from other parts of process memory via a crafted configuration file.

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Google TensorFlow before 1.7.1, could result in a crash or read from other parts of process memory.

In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

In Apache Archiva it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

In Apache Archiva, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

A vulnerability was found in tar-fs. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user’s browser session.

Gitea allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

The input fields of the Apache Pluto "Chat Room" demo portlet is vulnerable to Cross-Site Scripting (XSS) attacks.

The request phase of the OmniAuth is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

Both the search filter in the back end and the "listing" module in the front end are vulnerable to SQL injection. To exploit the vulnerability in the back end, a back end user has to be logged in, whereas the front end vulnerability can be exploited by anyone.

Contao contains an SQL injection vulnerability in the back end as well as in the listing module.

User/Command/ConfirmEmailHandler.php in Flarum mishandles invalidation of user email tokens.

Google TensorFlow is affected by a Null Pointer Dereference vulnerability.

Google TensorFlow is affected by a Null Pointer Dereference vulnerability.

LibreNMS allows remote attackers to execute arbitrary OS commands by using the community parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhostrequest that triggershtml/includes/output/capture.inc.php` command mishandling.

Google TensorFlow 1.0.0 through 1.5.1 is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.

Google TensorFlow 1.0.0 through 1.5.1 is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.

Google TensorFlow is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent.

Keycloak allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. As a result an attacker with access to service provider backend could hijack user's browser session.

Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local). Users passing a malformed or malicious version of a TFLite graph into TOCO will cause TOCO to crash or cause a buffer overflow, potentially allowing malicious code to be executed.