The default configuration in this package binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
semver is vulnerable to regular expression denial of service when extremely long version strings are parsed.
The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: getPort(), isSecure(), getHost() and getClientIps().
The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: getPort(), isSecure(), getHost() and getClientIps().
Critical vulnerabilities in JSON Web Token libraries.
Since algorithm isn't enforced in jwt.decode(), a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)". It is also possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to bypass verification when "a token digitally signed with an asymetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family)".
Dulwich contains an overflow condition in the py_apply_delta() function in _pack.c. The issue is triggered as user-supplied input is not properly validated when handling pack files. This may allow a context-dependent attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
Remote attackers can conduct PHP object injection attacks and execute arbitrary PHP code via crafted session data.
It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged in editors could access, create and modify content nodes that exist in the workspace of other editors.
Privilege Escalation in TYPO3 Neos.
XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes in this package allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes in Apache Batik allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
IE requests not properly behaving with rewritehashlinks.
XSS In rewritten hash links.
XSS in Director::force_redirect().
SiteTree Creation Permission Vulnerability in silverstripe.
The resolve_redirects() function in sessions.py allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked.
File and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.
The kex_agree_methods function in libssh2 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.
The Java SockJS client in this package generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.
Critical vulnerabilities in JSON Web Token libraries.
This package allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a <x:parse> or <x:transform> JSTL XML tag.
Apache Standard Taglibs allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
The dns-sync library for node.js allows resolving hostnames in a synchronous fashion. dns-sync is vulnerable to arbitrary command execution via maliciously formed hostnames. This is caused by the hostname being passed through a shell as part of a command execution.
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
XSS injection in backoffice.
XSS injection in backoffice.
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.
This package contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.
Passenger Gem for Ruby contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.
Attackers able to impersonate users.
Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via a crafted URL.
There's a flaw as HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to creating administrative users.
The execute function in the xaviershay-dm-rail package exposes user credentials to the process table in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in this package uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
Race condition in this package allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
Race condition in JBoss Weld Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
XSS In FormAction.
History XSS Vulnerability in silverstripe.
VirtualPage XSS in silverstripe.
XSS In GridField print.
TreeDropdownField and TreeMultiSelectField XSS.
The program stores sensitive information in production logs. This may allow a local attacker to gain access to sensitive information.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
The gem contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine.
Marked is vulnerable to content injection even when sanitize: true is enabled. [xss link](vbscript:alert(1)) will get a link <a href="vbscript:alert(1)">xss link</a> this script does not work in IE edge mode, but works in IE compatibility view.
SQL Injection is possible in an application using the npm module sequelize if untrusted user input is passed into the order parameter. Example: Test.findAndCountAll({ where: { id :1 }, order : [['id', 'UNTRUSTED USER INPUT']] })
Incomplete block list vulnerability in marked for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Marked is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.
Because the /topic command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser.
Due to the use of child_process.exec when executing git commands, ungit allows for commands to be injectied from user input fields that end up in an executed git command.
This package allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
When using serve-static middleware and it's configured to mount at the root it creates an open redirect on the site. For example: If a user visits http://example.com//www.google.com/%2e%2e they will be redirected to www.google.com
Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service.
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
A flaw in PngImagePlugin.py is triggered when handling PNG image decompression. This may allow a remote attacker to cause a denial of service.
XSS vulnerability in login redirect param.
wx.tools.img2py creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against an unspecified file to cause the program to unexpectedly overwrite an arbitrary file.
Cross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Commons ZfcUser allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
Session validation vulnerability.
Session validation vulnerability.
Heap-based buffer overflow in the png_combine_row function in libpng, when running on systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when parsing textile links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Cross-site request forgery (CSRF) vulnerability in doorkeeper allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.
Header injection in NativeMailerHandler.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation.
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.
An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Fixed versions of the gem depend on fixed versions of libgit2.
Docker does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) docker load operation or (2) registry communications.
Docker allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
The inert directory handler always allows files in hidden directories to be served, even when showHidden is false.
Browserify has a security vulnerability where a malicious file can be executed when browserified.
Possible link spoofing on the homepage when anchors are used.
This package uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
Possible cache poisining on the homepage when anchors are used.
squelize-restful can crash when called on a crafted URL.
paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. "With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production." See provided link.
Directory traversal vulnerability in this package when running on Windows, allows remote attackers to read arbitrary files via a .. in a resource URI.
DocumentProvider in this package does not configure the external-general-entities or external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: config.serve_static_assets = true
An attacker can provide input such as ../ to read files outside of the served directory.
Versions less than of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory.
MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files, etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.
Certain input when passed into remarkable will bypass the bad prototcol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.
The validator module is vulnerable to Regular Expression Denial of Service (ReDoS) in the isURL method.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside an application's root directory. The files will not be served, but attackers can determine whether the file exists.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: config.serve_static_assets = true
parser.c in libxml2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
Script language="php" HTML tags are interpreted even in secure mode. This may allow a remote attacker to bypass secure mode's intended restrictions and execute arbitrary PHP code.
Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as …
This package when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
This package when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
This package when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
When using TransportBinding, wss4j does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
The SamlHeaderInHandler in this package allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.
Tastypie uses the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code. Servers without the yaml module installed are not affected.
Piston uses the yaml.load method, which is unsafe. In certain circumstances this could be used to allow remote execution of arbitrary code.
There is an invalid security fix against shell injection.
Certificates.java in Not Yet Commons SSL does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Denial of Service in OpenID System Extension.
The (1) Zend_Ldap class in Zend and (2) Zend dap component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
The (1) Zend_Ldap class in Zend and (2) Zend dap component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
Arbitrary Shell Execution in Swiftmailer library.
Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against a LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password.
A flaw in the iptype() function is triggered when handling octal encoding. This may allow a remote attacker to bypass the IP exclusion feature.
Requests (aka python-requests) allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
Requests (aka python-requests) allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC) allows remote attackers to inject arbitrary web script or HTML via a crafted web page, aka "MVC XSS Vulnerability."
Cross-site scripting (XSS) vulnerability in the CORS functionality in this package allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A vulnerability allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.
This is a malicious package. You may want to install sidekiq.
This package allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
Web Console Gem contains an unspecified flaw. This impact of this security issue is unknown.
A flaw in Active Job that can allow string arguments to be deserialized as if they were Global IDs. This may allow a remote attacker to inject arbitrary objects.
As Gem for Ruby contains a flaw that is due to the program displaying credential information in plaintext in the process list. This may allow a local attacker to gain access to credential information.
SQL injection vector when manually quoting values for sqlsrv extension, using null byte.
SQL injection vector when manually quoting values for sqlsrv extension, using null byte.
This package is vulnerable to Cross-Site Scripting (XSS) attacks.
Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability. When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary javascript to be executed on all Fat Free CRM pages. This code would be executed for all logged-in users.
When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, static(_dirname + '/public') would allow access to _dirname + '/public-restricted'.
The gem contains a flaw in helper method dispatch where it uses Kernel::send to call helpers without checking that they are defined within the template context first. This allows expressions such as {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
Entropy is lost in the TokenGenerator.
The OPC SAX setup in this package allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
This package allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Denial of service with a malicious HTTP Host header.
Denial of service with a malicious HTTP Host header.
Direct access of ESI URLs behind a trusted proxy
Security issue when parsing the Authorization header.
Security issue when parsing the Authorization header.
Direct access of ESI URLs behind a trusted proxy.
CSRF vulnerability in the Web Profiler.
CSRF vulnerability in the Web Profiler
The getCN function in Apache Axis does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.
The gem contains a flaw in Uploading & Processing that is due to the gem failing to restrict arbitrary commands to imagemagicks convert. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.
There is a flaw that is triggered when handling zero-length block headers. This may allow a remote attacker to crash the program.
There is a flaw that is triggered when handling zero-length block headers. This may allow a remote attacker to crash the program.
Salt contains a flaw in seed.py, salt-ssh, and salt-cloud that is due to the program creating temporary files insecurely. This may allow a local attacker to have an unspecified impact.
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection.
RESTEasy does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
XML Quadratic Blowup vulnerability.
qs is affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
See links attached for details
When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user. A configuration and scenario where this would occur is unlikely, …
This package is vulnerable to Cross-Site Scripting (XSS) attacks due to not escaping HTML tags.
The SslHandler in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Fixed potential path traversal attack and remote code injection.
Code injection in the way Symfony implements translation caching in FrameworkBundle.
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
jmx-remoting.sar in JBoss Remoting does not properly implement the JSR specification, which allows remote attackers to execute arbitrary code via unspecified vectors.
This package does not perform appropriate encoding when a <h:outputText> tag or EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
This package does not perform appropriate encoding when a <h:outputText> tag or EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
When a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, attackers could conduct cross-site scripting (XSS) attacks via application-specific vectors.
sanitize-html will merge an incomplete attribute like SRC= with the next attribute. While the result is not valid HTML it may be misinterpreted by the browser.
Code injection in the way Symfony implements translation caching in FrameworkBundle.
Docker uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.
The package lz4-ruby is vulnerable to an integer overflow attack. When certain payloads are processed, a pointer to an output buffer can be set to an address outside the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable Remote Code Execution exploit. 32bit variants of the package are critically affected. 64bit variants are deemed infeasible to exploit.
This package contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the /lib/brbackup.rb script not properly sanitizing user-supplied input to the 'name' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
This package contains a flaw that is triggered as input passed via the 'dbuser' variable is not properly sanitized. This may allow a remote attacker to inject shell metacharacters and execute arbitrary commands.
Someone created a alphanum only swf converter, which means that they can in theory use it as a callback at a JSONP endpoint, and as a result, send data across domains. Prepending callbacks with an empty inline comment breaks the flash parser, and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and Github.
SQLi vulnerability in activerecord.
SQLi vulnerability in activerecord.
An integer overflow can occur when processing any variant of a "literal run". When certain payloads are processed, a pointer to an output buffer can be set to an address outside the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable Remote Code Execution exploit.
If it is used in the context of a RoR application, since the user input isn't properly sanitized, the method decrypt in /lib/backup/cli/utility.rb is vulnerable to command injection.
org.jboss.seam.web.AuthenticationFilter in JBoss allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging.
The CDetailView widget in Yii PHP Framework allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.
The library does not properly escape attribute values making XSS exploits possible.
The library does not properly escape attribute values making XSS exploits possible.
The file in /lib/karo/db.rb passes unsanitized user supplied input to the command line. This may allow a remote attacker to execute arbitrary commands.
The file /lib/kompanee-recipes/heroku.rb does not properly escape user controlled input for the 'password', 'user', 'deploy_name', and 'application' variables. A remote attacker, by passing shell metacharacters, may be able to execute arbitrary commands.
The file /lib/cmd_parse.rb contains a flaw that is triggered when handling shell metacharacters passed via the 'ip' variable. This may allow a remote attacker to inject arbitrary commands.
There is a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
This package allow remote attackers to read arbitrary files via a .. in the ln parameter to faces/javax.faces.resource/web.xml or the PATH_INFO to faces/javax.faces.resource/.
Django's JSON serialization does not handle escaping of any characters to make them safe for injecting into HTML. This allows an attacker who can provide part of a JSON-serializable object to craft a string that can break out of a tag and create its own, injecting a custom script.
The generated gravatar HTML wasn't handling escaping of the display name of the user, allowing an attacker to choose a name that would close out the tag and inject a tag.
Yar uses an encrypted cookie for session support which can crash the process if it contains an invalid value.
Sendmail transport arbitrary shell execution.
The default configuration for the Xerces SAX Parser in this package allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
The default configuration for the Xerces SAX Parser in this package allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
Potential SQL injection in the ORDER implementation of Zend_Db_Select.
Unfortunately there is a security vulnerability in Dragonfly when used with Rails which would potentially allow an attacker to run arbitrary code on a host machine using carefully crafted requests.
The Dragonfly gem for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.
SabreDAV allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
getID3() allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
The query caching functionality in the Extbase Framework does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors.
TYPO3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to Host Spoofing.
The Authentication component in TYPO3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.
The Yaml::parse function in Symfony remote attackers to execute arbitrary PHP code via a PHP file.
Symfony allows remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml arser::parse function.
Symfony allows remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml arser::parse function.
The Yaml::parse function in Symfony allows remote attackers to execute arbitrary PHP code via a PHP file.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in screen_capture.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lingq.
Since the /tmp directory is readable by everybody on Unix, and since the patch name could be public or easy to guess, an attacker could create a symlink to a file writable by the user running hub, which would be replaced by the patch.
A malicious email attachment with a file name consisting of shell metacharacters could inject commands into the shell. If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.
The ExtJS JavaScript framework that is shipped with TYPO3 is susceptible to XSS.
This package is vulnerable to Man-in-the-middle (MitM) attacks due to attacks due to downloading gems over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.
Risk of mass-assignment vulnerabilities.
Risk of mass-assignment vulnerabilities in laravel framework.
The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.
The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.
pyxtrlock uses an incorrect variable name, which allows physically proximate attackers to bypass the lock screen via multiple failed authentication attempts, which trigger a crash.
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with _jinja2 in /tmp.
pyxtrlock does not properly check the return values of the (1) xcb_grab_pointer and (2) xcb_grab_keyboard XCB library functions, which allows physically proximate attackers to gain access to the keyboard or mouse without unlocking the screen via unspecified vectors.
See CVE-2013-4489 advisory for GitLab: Remote code execution vulnerability in the code search feature http://seclists.org/oss-sec/2013/q4/224
The validation for redirects does not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly.
A file descriptor leak that when triggered repeatedly will cause the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the process file descriptor limit. No other side effects or exploits have been identified.
Django contains a flaw that is triggered as the program improperly removes Vary and Cache-Control headers from HTTP responses during a reply to a request from some older versions of Internet Explorer or the Chrome Frame client. This may allow a context-dependent attacker to gain access to potentially sensitive cross-session information.
The tomato API uses an access key to protect the admin API from unauthorized access. The key passed as parameter is checked to see if it is included in the configured value, not equal. As a result a single character contained in the key is sufficient to gain access to the admin API.
HTML cleaning can fail to strip Javascript links that mix control characters into the link scheme.
The Identity v3 API in OpenStack Dashboard (Horizon) does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
Incomplete denylist in the lxml.html.clean module in lxml allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
A local file inclusion is possible by specifying full path to any desired file in the Kickstart value in Cobbler's WebUI.
The package omniauth-facebook is vulnerable to CSRF.
It is vulnerable to XML External Entity Processing attack.
Unescaped user supplied input is passed to the command line for shell execution in lib/dragonfly/imagemagickutils.rb.
lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors.
It is vulnerable to a Billion laughs attack.
Kafo, as used by Foreman, uses world-readable permissions for default_values.yaml, which allows local users to obtain passwords and other sensitive information by reading the file.
tag.py in eyeD3 (aka python-eyed3) allows local users to modify arbitrary files via a symlink attack on a temporary file.
CookieInterceptor in this package, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server.
Multiple integer overflows in libpng rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
This package is vulnerable to Arbitrary Code Execution. The current directory '.' is on the load path for Ruby. If users create ruby source files with names that correspond to those that hiera trys to load, it may result in loading and the execution of these files.
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss allow remote attackers to inject arbitrary web script or HTML via a (1) parameter or (2) id name.
Unsanitized input is passed to the shell. A malicious user can inject shell commands by sending shell meta characters like ';' in some variables.
This package contains a flaw that is triggered when handling a root element in an XML document. This may allow a remote attacker to cause a consumption of memory resources.
Apache Commons BeanUtils does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts
This package does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts
This package does not properly restrict access to the getClass method, which allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponents tampering protection.
This package contains a flaw that is due to the API client code passing the API_KEY to a curl command. This may allow a local attacker to gain access to API key information by monitoring the process table.
CookieInterceptor in this package, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
An arbitrary file read vulnerability is present on dompdf.php file that allows remote or local attackers to read local files using a special crafted argument. This vulnerability requires the configuration flag DOMPDF_ENABLE_PHP to be enabled (which is disabled by default). Using PHP protocol and wrappers it is possible to bypass the dompdf's "chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing system files or other files on the webserver. Please note …
Pillow might allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors related to CVE-2014-1932, possibly JpegImagePlugin.py.
Authentication adapter did not verify validity of tokens.
An attacker can Import Java classes to circumvent the security protections and execute arbitrary code outside the sandboxed environment.
There is a flaw in the json() function in bottle.py. The issue is due to the program using insufficient restrictions when parsing JSON content-types. This may allow a remote attacker to bypass access restrictions.
Django incorrectly handle dotted Python paths when using the django.core.urlresolvers.reverse function. An attacker can use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution.
The gem contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
When using a MySQL database, Django don't perform explicit conversion of the fields: * FilePathField * GenericIPAddressField * IPAddressField If a query is performed without first converting values to the appropriate type, this can produce unexpected results, similar to what would occur if the query itself had been manipulated. An attacker can possibly use this issue to obtain unexpected results.
Django incorrectly cache certain pages that contain CSRF cookies. An attacker can possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions.
npm allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
By a malicious user creating /tmp/browser.html first and repeatedly writing to it, they can inject malicious html into the file right before it is about to be opened.
This package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
The rbovirt gem uses rest-client with SSL verification disabled. Any products making use of this gem are likely vulnerable to MITM attacks.
In JpegImagePlugin.py, the load_jpeg(self) method generates a temporary file name and sends it to an external process. It is possible to alter the target file before it is read since the command line arguments are not kept secret.
In JpegImagePlugin.py, the load_jpeg(self) method makes an unsafe call to tempfile.mktemp(). It is possible to alter the temporary file between the moment the file is generated and the moment it is used.
Hijacked authentication cookies vulnerability in auth.
Hijacked authentication cookies vulnerability.
By doing repeated requests, with sufficient load on the target system, an authenticated user may in certain situations assume another authenticated user's complete identity and multi-tenant authorizations, potentially resulting in a privilege escalation. Note that it is related to a bad interaction between eventlet and python-memcached that should be avoided if the calling process already monkey-patches "thread" to use eventlet. Only keystone middleware setups using auth_token with memcache are vulnerable.
The default configuration of the Resources plugin does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.
The default configuration of the Resources plugin does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.
Sauce Connect is vulnerable to the HeartBleed bug (CVE-2014-0160). A new has been release to fix the bug. The package sauce-connect-launcher (up to included) is downloading vulnerable version of Sauce Connect.
There's a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Insufficient input validation allows for code injection and remote execution.
This package is vulnerable to Information Exposure. When an exception message occurs, it contains the full path of the project directory.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jruby-sandbox.
MultipartStream.java in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
MultipartStream.java in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
The doFilter function in webapp/PushHandlerFilter.java this package allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a large number of malformed atmosphere push requests.
Awesome spawn contains an OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input is included in command arguments, an attacker could use this flaw to execute arbitrary commands.
The gem contains a flaw that enables a reflected cross-site scripting (XSS) attack. This flaw exists because the bootstrap_flash helper method does not validate input when handling flash messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Some adapters (i.e. jruby-rack) will pass through bad URIs, then display the resulting exception. This creates an attack vector for XSS attacks.
As stated on "The NPM Blog", "it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files." The NPM registry relies on st, meaning that all the versions of all the npms published prior …
The XSLT component in this package allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The XSLT component in this package allows remote attackers to execute arbitrary Java methods via a crafted message.
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in this package allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
The HTMLBrowser plugin does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a backslash character.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Display Name field in the Manage Profile.
Open redirect vulnerability in DotNetNuke (DNN) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
A vulnerability has been reported allowing an attacker to read arbitrary files on a system. Specially crafted url strings can be used to access unintended files via an escaped slash character %2e
The Execute class in shellutils in logilab-commons uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.
The ParametersInterceptor in this package allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method.
The extract_keys_from_pdf and fill_pdf functions in pdf_ext.py in logilab-commons allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the {{link-to}} helper means that any user-supplied data bound to the {{link-to}} helper's title attribute will not be escaped correctly. In applications that use the {{link-to}} helper in non-block form and bind the title attribute to user-supplied content, a specially-crafted payload could …
The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XXE/XEE attacks using PHP functions: simplexml load *, DOMDocument::loadXML, and xml parse.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XSS vector in multiple view helpers.
Potential XSS vector in multiple view helpers.
Potential XSS vector in multiple view helpers.
Potential XSS vector in multiple view helpers.
There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails. These helpers allow users to nicely format a numeric value. Some helper parameters (format, negative_format and units) are not escaped correctly. Applications which pass user controlled data as one of these parameters are vulnerable to an XSS attack. All users passing user controlled data to these parameters of the number helpers should either upgrade …
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
Strings sent in specially crafted headers will be converted to symbols.
There is a data injection vulnerability in Active Record.
Python Swift client fails to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client's communication with the server, including any used credentials.
Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer.
Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer.
The BasicParserPool, StaticBasicParserPool, XML Decrypter, and SAML Decrypter in this package set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
PHP object injection vulnerability allows for arbitrary code execution.
LibYAML, the library that libyaml provides bindings for is vulnerable to a heap-based buffer overflow when parsing YAML tags.
Marked comes with an option to sanitize user output to help protect against content injection attacks. sanitize: true Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser. Injection is possible in two locations - gfm codeblocks (language) - javascript url's
This package is vulnerable to Cross-site Scripting (XSS).
rply stores its cache files in /tmp. This is insecure, because /tmp is world-writable, and the filenames rply uses are of course predicatable.
The SourceHttpMessageConverter in this package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML.
The WSDL/WADL import functionality in SoapUI allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.
This package does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
The Spring OXM wrapper when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Issue with broken validation of JSONP callbacks.
libxml2 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.
The readObject method in the DiskFileItem class in JBoss Web allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
A remote attacker able to supply a serialized instance of the DiskFileItem class, which will be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is permitted by the user running the application server process.
The org.spring.web.util.JavaScriptUtils.javaScriptEscape method insufficiently escaped some characters. Applications using this method to escape user-supplied content that will be rendered in HTML 5 documents may expose cross-site scripting (XSS) flaws.
The png_do_expand_palette function in libpng allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.
When applying Transforms, remote attackers could cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
The file lib/paratrooper-pingdom.rb executes curl requests with pingdom API credentials (app_key, username & password). If a malicious user manages to monitor the process tree that run on your server, he can then have access to these credentials.
The file lib/paratrooper-newrelic.rb executes curl requests with Newrelic API credentials (account_id, application_id & api_key). If a malicious user manages to monitor the process tree that run on your server, he can then steal these credentials.
When applying Transforms this package allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
Libcloud does not set the scrub_data parameter for the DigitalOcean API, which allows local users to obtain sensitive information by leveraging a new VM.
The passenger ruby gem, when used in standalone mode, does not use temporary files securely. If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start a nginx instance with their own configuration file.
This package contains a flaw that is triggered when the attacker sends a direct request for XML data. This may allow a remote attacker to gain access to potentially sensitive information.
In app/controllers/home_controller.rb, the timeline method exposes an SQL Injection vulnerability.
In app/controllers/application_controller.rb the protect_from_forgery statement is missing, therefore Fat Free CRM is vulnerable to CSRF attacks.
In config/initialiers/secret_token.rb a static secret token is defined, with the knowledge of this token an attacker is able to execute arbitrary Ruby code server side.
The users controller renders JSON requests with a full JSON object.
Bypass of security constraints via URL parameter injection.
The package will_paginate generate pagination links without escaping result. If user-controlled data is sent to will_paginate, there is a potential XSS vulnerability.
The package flukso4r contains a flaw in /lib/flukso/R.rb that is due to the application failing to properly validate user-supplied input. This may allow a context-dependent attacker to execute arbitrary commands.
Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.
Code located in: ./lib/webbynode/notify.rb does not fully sanitize user supplied input before passing it to the shell via %x. Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.
This security hole enable DoS attack to any RPs using ruby-openid gem.
The unpack_zip function in archive_unpacker.rb in the sprout gem for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename or path.
This package allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The DocumentAnalysisRequestHandler in this package does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.
Directory traversal vulnerability in SolrResourceLoader in Apache Solr allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT.
Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call.
actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
Sup allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
lib/sup/message_chunks.rb in Sup allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
Directory traversal vulnerability in SolrResourceLoader in this package allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.
The number_to_currency helper allows users to nicely format a numeric value. The unit parameter is not escaped correctly. Application which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.
When a translation is missing, the HTML exception message raised does not escape the keys. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.
Due to the way that Rack::Request and Rails::Request interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries …
There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.
Multiple cross-site scripting (XSS) vulnerabilities in this package allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to actionNames.action and showConfig.action in config-browser/.
Due to the method of variable interpolation in Cocaine to, an attacker may be able to inject hostile commands into a command line via a crafted hash object which are not properly escaped. The impact is lessened on Ruby * because hashed are not ordered by default, and so an attacker must rely on luck for the attack to work. An attack of this sort cannot take place if there …
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
Potential Remote Address Spoofing Vector in Zend\Http\PhpEnvironment\RemoteAddress.
The DiskFileItem class in this package allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
When the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
The Crypto.Random.atfork function in PyCrypto does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
This package allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
This package allows remote attackers to affect availability via unknown vectors related to Security.
A carefully crafted email address in conjunction with the Action Mailer logger format string could take advantage of a bug in Ruby's sprintf implementation and possibly lead to a denial of service attack. Impacted Ruby code will look something like this: "some string #{user_input}" % some_number
Some code does not sanitize user supplied input before passing it to the System() function for execution. If this API is used in the context of a RoR application remote commands can be injected into the shell if the user supplies shell meta characters like ; and &.
Algorithmic complexity vulnerability in the ssl.match_hostname function and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.
This package allows remote attackers to execute arbitrary simple language expressions by including $simple{} in a CamelFileName message header to a FILE or FTP producer.
This package allows remote attackers to read arbitrary files via a .. in the p parameter to index.php.
The user-password-update command in python-keystoneclient accepts the new password in the –password argument, which allows local users to obtain sensitive information by listing the process.
RubyGems can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
RubyGems does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
This package contains a flaw as the program creates temporary directories insecurely. It is possible for a local attacker to use a symlink attack against the Utils.cpp file to allow the attacker to gain elevated privileges.
The authenticated-encryption feature in the symmetric-encryption implementation in the this package does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
The X509Extension in pyOpenSSL does not properly handle a \0 character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
This package enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
This package allows remote attackers to bypass access controls via a crafted action: prefix.
The DiagnosticsHandler in this package allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials.
The login form in the FriendsOfSymfony FOSUserBundle bundle for Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation.
The authentication framework (django.contrib.auth) computes the hash of a password each time a user attempts to log in, no matter the length of the password. Thus, a remote attacker can cause a denial of service (CPU consumption) by repeatedly submitting long passwords.
Directory traversal vulnerability allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. in a ssi template tag.
This package is vulnerable to Cross-site Scripting (XSS). Strings parsed from the anchor in the address bar were not sanitized, allowing for arbitrary HTML to be embedded into the page.
A malicious user creating /tmp/out.html first and repeatedly writing to it can inject malicious html into the file right before it is opened. PoC: nobody () sp0rk:/$ while (true); do echo " alert('Hello'); " >> /tmp/out.html; done Will pop up a javascript alert in other gem users browser.
Sounder passes user supplied data directly to command line. See link for a proof of concept.
When a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.
When a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.
When a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.
Users are able to log themselves in with a blank password, even for users who are NOT currently in the users table (ie have never previously logged in).
The Python client library for Glance (python-glanceclient) does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate and allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.
Auth/Yadis/XML.php in PHP OpenID allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in this package allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
Attackers could spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature.
The streaming XML parser in Apache CXF allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes, (3) nested constructs, and possibly other vectors.
The streaming XML parser in this package allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors.
The streaming XML parser in this package remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors.
The $_SERVER['HOST'] can be manipulated by a user and cannot be trusted.
Request::getHost() poisoning vulnerability in Symfony.
The Django administrative application, django.contrib.admin, consider value of a URLField to be safe. Thus, when displaying it, Django does not escape it allowing an attacker to perform XSS in the administrative interface.
The is_safe_url() function, due to the manner in which it parses the URL, will permit redirects to schemes other than HTTP and HTTPS such as javascript:.
This package is vulnerable to Open Redirect attacks due to no detection of faked urls.
The issue is triggered when handling exec commands called via send(). This may allow a remote attacker to execute arbitrary commands.
Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made.
In the vulnerable versions, the uploader.swf and io.swf utilities contain a vulnerability allowing cross-site scripting through the .swf files used in these components. Through a url accessing these files, and attacker can inject script in the context of these files, potentially exposing cookies or other sensitive information. The vulnerability resurfaced in v0.10.2, but only with io.swf.
wsf/common/DOMUtils.java does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view's tagName to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). This vulnerability only affects applications that …
XMLscanner.java allows remote attackers to cause a denial of service via vectors related to XML attribute names.
ResourceBuilderImpl.java does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data.
This package allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted action:, redirect:, or redirectAction: prefix.
Multiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the redirect: or redirectAction: prefix.
Hash caches and dynamic Symbol creation can be exploited by an attacker.
Apache Struts 2 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Apache Struts allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both ${} and %{} sequences, which causes the OGNL code to be evaluated twice.
This package allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
This package allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both ${} and %{} sequences, which causes the OGNL code to be evaluated twice.
The BrokerFactory functionalitycreates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
This package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the URL or A tag.
This package allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the URL or A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
This package allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
parser.c in libxml2, as used in Google Chrome and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
The module contains functionality meant to filter potential XSS attacks but that can be bypassed.
JS-YAM contains a code execution vulnerability.
A fatal syntax error has been published by mistake.
The middleware overwrites req.method with the req.body['_method'] value. When you don't catch the error it responds with a default error msg: "Cannot [METHOD] [URL]" . Because this is not enough sanitized, you can force a Cross-Site Scripting in the response.
The package enum_column3 for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.
Login via zero-valued password credential in doctrine-module.
Untrusted input passed in to the hubot-scripts/package/src/scripts/email.coffee module can allow for command injection. This may be unexpected behavior for the caller.
Untrusted input passed in the call to libnotify.notify could result in execution of shell commands. Callers may be unaware of this.
ep_imageconvert is vulnerable to remote command injection.
The V1 of gemnasium.com's API has been deprecated due to major changes.
Multiple use-after-free vulnerabilities in libxml2 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.
User supplied input isn't sanitized against shell metacharacters and is fed directly to the shell. If the user is tricked into extracting a file with shell characters, arbitrary code can be executed remotely.
In md2pdf/converter.rb we see user supplied input being passed to the command line without proper sanitization.
Remote commands can be executed if the file name contains shell meta characters
The multi_xml Gem for Ruby contains a flaw that is triggered when an error occurs during the parsing of XML parameters. With a crafted request containing arbitrary symbol and yaml types, a remote attacker can execute arbitrary commands.
libxml2 allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Using a specially crafted request, an attacker could trick the database type conversion code to return incorrect records. For some token values this could allow an attacker to bypass the proper checks and gain control of other accounts.
A bug in the Ruby agent causes database connection information and raw SQL statements to be transmitted to New Relic servers. The database connection information includes the database IP address, username, and password. The information is not stored or retransmitted by New Relic and is immediately discarded.
Specially crafted URLs can result in remote code execution if the URL contains shell metacharacters. This is due to the fact that the url is passed directly to the shell in the code thumbshooter.rb create method.
Similar to CVE-2013-0156 (Rails issue)
Similar to CVE-2013-0156 (Rails issue)
Similar to CVE-2013-0156 (Rails issue)
Nori has a parameter parsing error that may allow an attacker to execute arbitrary code. This vulnerability has to do with type casting during parsing, and is related to CVE-2013-0156.
lib/rexml/text.rb in the REXML parser allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
The package omniauth-oauth2 for Ruby contains a flaw related to omniauth.state that allows a remote attacker to conduct a session injection attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session …
Vulnerability in the filesystem loader.
The package ldoce passes a URL to commandline for audio output of the pronunciation of a dictonary word. If the URL contains a shell metacharacter, arbitrary code can be executed remotely as the client.
Socket.io will leak memory if used with HTTPS. This version seems to fix also other memory issues, even if HTTPS is not used.
Commands executed if the remote URL or filename contains the shell character ';'. The commands will be executed as the client user if tricked into using the malicious URL or filename.
Specially crafted URLs can result in remote code execution.
If the url contains any ; characters code will be executed as the user. For example if fastreader is fed http://www.g;id;.com id will be executed.
If a URL is from an untrusted source, commands can be injected into it for remote code execution with the ; character.
The sanitize helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious.
Carefully crafted text can bypass the sanitization provided in the sanitize_css method in Action Pack.
There is a vulnerability in the JDOM backend to ActiveSupport's XML parser. you should upgrade or use one of the work arounds immediately.
When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce params[:name] to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately.
The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
The default configuration of javax.servlet.context.tempdir in this package uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
XSS vulnerability for html files served up with Content-Disposition attachment headers.
Potential SQL injection due to execution of platform-specific SQL containing interpolations.
Route Parameter Injection Via Query String in Zend\Mvc.
Potential Information Disclosure and Insufficient Entropy vulnerabilities in Zend\Math\Rand and Zend\Validate\Csrf Components.
When the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element.
The URIMappingInterceptor in this package bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request.
app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
This exploit may lead to cookie disclosure to third parties. The exploit exists in darkfish.js which is copied from the RDoc install location to the generated documentation. RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit.
lib/rack/multipart.rb in Rack uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.
Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings."
If files downloaded contain shell characters it's possible to execute code as the client user
The ldap_fluff gem for Ruby, as used in Red Hat CloudForms, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.
The ruby_parser Gem does not create temporary files securely. In the diff_pp function contained in lib/gauntlet_rubyparser.rb function, it creates files as /tmp/a.[pid] and /tmp/b.[pid] which can be predicted and used for either a denial of service (file cannot be overwritten), or to change the contents of files that are writable.
multipart/parser.rb in Rack allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.
The ls interface can have commands injected into it if option or filename contain the shell character. This vulnerability requires that the file having commands injected in to it be in the Current Working Directory (CWD).
Ms does not correctly parse minutes, people should remain on until it’s fixed. (Kindly reported by ForbesLindesay)
ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the sql.gsub() function in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
The package fileutils handles temporary files insecurely.
The bundled angular.js library contains a security issue and a memory leak that have been adressed in the latest version.
This package is vulnerable to Man-in-the-middle (MitM) attacks due to attacks due to downloading gems over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.
This package is vulnerable to Man-in-the-middle (MitM) attacks due to attacks due to downloading gems over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.
There is a vulnerability in the serialized attribute handling code in Ruby on Rails, applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities.
This package contains a flaw that is triggered during the redirection to other hosts. This may allow a remote attacker to gain access to HTTP basic authentication credential information.
When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used …
This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka.
The attr_protected method allows developers to exclude model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.
The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.
Affected versions allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving am HMAC comparison function that does not run in constant time.
Affected versions allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."
The NonManagedConnectionFactory in JBoss logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file.
There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
The PubSubHubbub Service Hooks support was broken since url_encoded requests have been removed.
Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect …
There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.
Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker to more easily conduct SQL injection attacks.
Symfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.
Symfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.