Information Exposure
Response discrepancy in the login and password reset forms in SilverStripe CMS allows remote attackers to enumerate users via timing attack.
XML external entity (XXE) vulnerability in Umbraco CMS allows attackers to obtain sensitive information by reading files on the server or sending TCP requests to intranet hosts (aka SSRF), related to Umbraco.Web/umbraco.presentation/umbraco/dialogs/importDocumenttype.aspx.cs.
Cross-site scripting (XSS) vulnerability in Umbraco CMS allows remote attackers to inject arbitrary web script or HTML via the "page name" (aka nodename) parameter during the creation of a new page, related to Umbraco.Web.UI/umbraco/dialogs/Publish.aspx.cs and Umbraco.Web/umbraco.presentation/umbraco/dialogs/notifications.aspx.cs.
This vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which uses PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, Bleichenbacher's chosen-ciphertext attack, which can be used to decrypt arbitrary ciphertexts. Users should upgrade to a fixed version unless they are not using the RSA public key functionality.
The wchp and wchc commands are CPU intensive and, if abused, could cause a spike in CPU utilization on an Apache ZooKeeper server, leaving the server unable to serve legitimate client requests.
An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity.
yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the URL. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a on etc/passwd/index.js.
nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
wind-mvc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin.
jn_jj_server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
lessindex is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
tencent-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
enserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
ltt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
peiserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
sgqserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dmmcquay.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
mfrserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
The file http.rb of the http package fails to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a Man-in-the-Middle attack.
The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
The coffe-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
The cofeescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
The cofee-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation.
There are CSRF vulnerabilities in Subrion CMS.
The Datadog Plugin stores an API key to access the Datadog service in the global Jenkins configuration.
Docker Commons Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with a Docker Registry. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.
This plugin stores passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords.
GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.
Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead.
The Periodic Backup Plugin does not perform any permission checks, allowing any user with Overall/Read access to change its settings, trigger backups, restore backups, download backups, and also delete all previous backups via log rotation. Additionally, the plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks.
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.
The optional "Run/Artifacts" permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts; "Item/Read" permission was sufficient.
The script-security plugin allows circumventing many of the access restrictions implemented in the script sandbox.
The Parameterized Trigger Plugin does not check the build authentication it was running as and allowed triggering any other project in Jenkins.
Builds in Jenkins are associated with an authentication that controls the permissions that the build has to interact with other elements in Jenkins.
Illegal Media Range in Accept Header Causes StackOverflowError leading to Denial of Service.
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It does not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allows users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the …
Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API does not check the current user's authentication or credentials. If the GitHub organization folder is created via Blue Ocean, …
The OWASP Dependency-Check Plugin is vulnerable to a persisted cross-site scripting vulnerability: Malicious users able to influence the input to this plugin could insert arbitrary HTML into this view.
The Sidebar Link plugin allows users able to configure jobs, views, and agents to add entries to the sidebar of these objects. There was no input validation, which meant users were able to use javascript: schemes for these links.
The Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue …
GitHub Branch Source Plugin connects to a user-specified GitHub API URL as part of form validation and completion. This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins …
The Git plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenkins URL which would result in the Jenkins Git client sending the username and password to an attacker-controlled server.
Role-based Authorization Strategy Plugin is not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add the administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.
Subversion Plugin connects to a user-specified Subversion repository as part of form validation. This functionality improperly checked permissions, allowing any user with Item/Build permission (but not Item/Configure) to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via …
When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.
dcdcdcdcdc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
uv-tj-demo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
zjjserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
sly07 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
scott-blanch-weather-app is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
getcityapi.yoehoehne is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
iter-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
cypserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
open-device is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
mfrs is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
reecerver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
susu-sum is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
qinserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
ritp is vulnerable to a directory traversal issue whereby an attacker can gain access to the file system by placing ../ in the URL. Access is restricted to files with a file extension, so files such as /etc/passwd are not accessible.
uekw1511server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
pytservce is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
picard is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
quickserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
When an Apache Geode cluster is operating in secure mode, an unauthenticated client can enter multi-user authentication mode and send metadata messages. These metadata operations could leak information about application data types. In addition, an attacker could perform a denial of service attack on the cluster.
When loading models or dictionaries that contain XML it is possible to perform an XXE attack. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources.
serverabc is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
section2.madisonjbrooks12 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
chatbyvista is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
whispercast is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dasafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. File access is restricted to only .html files.
intsol-package is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
jansenstuffpleasework is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
ewgaddis.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
wintiwebdev is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
utahcityfinder is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries; the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.
Apache Tika does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Inedo ProGet does not properly address dangerous package IDs during package addition, aka PG-1060.
A Stored XSS vulnerability in eGroupware Community Edition allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos crashes if the request path is empty, because the parser assumes the request path always starts with /. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos might crash because the code accidentally calls an inappropriate function. A malicious actor can cause a denial of service of Mesos masters, rendering the Mesos-controlled cluster inoperable.
hcbserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
liuyaserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
byucslabsix is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
desafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL, but is limited to accessing only .html files.
calmquist.static-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dylmomo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
yyooopack is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
wffserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
looppake is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
If a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL.
caolilinode is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
shenliru is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
myprolyz is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
static-html-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
earlybird is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
censorify.tanisjr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dcserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around k characters to block for 2 seconds making this a low severity issue.
commentapp.stetsonwood is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
jikes is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Accessible files are restricted to files with .htm and .js extensions.
lab6.brit95 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
sspa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
shit-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
wanggoujing123 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
lab6drewfusbyu is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serve46 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
infraserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
mockserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
zwserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
GeniXCMS, in /inc/lib/backend/menus.control.php, has an XSS via the id parameter.
GeniXCMS in /inc/lib/Control/Backend/menus.control.php has an XSS via the id parameter.
GeniXCMS, in gxadmin/index.php has an XSS via the Menu ID field in a page=menus request.
Authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a theme.
In the Upload Modules page, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a module.
This package mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.
botbait is known to record and track user information. The module tracks the following information:
* Source IP
* process.versions
* process.platform
* How the module was invoked (test, require, pre-install)
The forwarded module is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Fresh is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry.
In a ZIP Bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.
The module pandora-doomsday infects other modules. It's since been unpublished from the registry.
UEdit has XSS via the SRC attribute of an IFRAME element.
cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverzyy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About k characters can block the event loop for 2 seconds.
The timespan module is vulnerable to regular expression denial of service. Given k characters of untrusted user input it will block the event loop for around seconds.
An incorrect kupu security declaration would allow any authenticated user to edit kupu settings.
Plone's URL checking infrastructure includes a method for checking whether URLs are valid and located in the Plone site. By passing HTML into a specially crafted URL, XSS can be achieved.
When Debug mode is turned on, under certain conditions an arbitrary script may be executed in the Problem Report screen. Also, if JSP files are exposed so that they can be accessed directly, it is possible to execute an arbitrary script.
OWASP AntiSamy before allows XSS via HTML5 entities.
geminabox (aka Gem in a Box) has an XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.
geminabox (aka Gem in a Box) is vulnerable to CSRF.
A vulnerability that allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
The tough-cookie module is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is kb so the impact of the ReDoS is limited to around seconds of blocking.
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly. In applications that use Ember's select view and pass user-supplied content to the label, a specially-crafted payload could execute arbitrary JavaScript in the context …
In the Convention plugin in Apache Struts, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
If an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
The REST Plugin in Apache Struts uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload.
In Apache Struts, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
Using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
An attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.
The REST Plugin in this package is using an outdated XStream library which is vulnerable and allows an attacker to perform a DoS attack using a malicious request with a specially crafted XML payload.
The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this …
When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
When using a VirtualDirContext with Apache Tomcat it is possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further …
Various course reports allow teachers to view details about users in the groups they cannot access.
Moodle has an XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
The REST Plugin in this package uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
The REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
SilverStripe CMS has an XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname.
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
The Fastly CDN for Magento, when used with a third-party authentication plugin, might allow remote authenticated users to obtain sensitive information from authenticated sessions via vectors involving caching of redirect responses.
Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package, so their functionality is the same, but the installation script, setup.py, is modified to include malicious (but relatively benign) code.
An exploitable vulnerability exists in the YAML loading functionality of ansible-vault. A specially crafted vault can execute arbitrary Python commands, resulting in command execution. An attacker can insert Python into the vault to trigger this vulnerability.
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by …
This package is vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine.
In Apache Brooklyn, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content.
The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
tmock is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverhuwenhui is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a "not supported" error.
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.
There is a SQL injection vulnerability in don/list.
Dolibarr contains an SQL injection vulnerability in admin/menus/edit.
There is a sensitive information disclosure vulnerability in dolibarr.
Information disclosure in backend content tree menu.
If a view has been disabled in site.ini SiteAccessRules Rules, and an attacker accesses the backend with the URL to this module, then the tree menu may be displayed. Since the tree menu may contain hidden items, this may lead to information disclosure.
Kura takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. The Equinox console port is left open, allowing login to Kura without any user credentials over unencrypted telnet and execution of commands using the Equinox exec command. As the process is running as root, full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and …
Multiple cross-site scripting vulnerabilities.
dolibarr is vulnerable to Cross-site scripting.
GeniXCMS allows remote attackers to cause a denial of service (account blockage) by leveraging the mishandling of certain username substring relationships, such as the admin<script> username versus the admin username, related to register.php, User.class.php, and Type.class.php.
In Netwide Assembler (NASM) rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.
When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.
charset is vulnerable to regular expression denial of service. Input of around k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is kb, so the impact of the ReDoS is relatively low.
serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
If untrusted user input is allowed into the resolve() method then command injection is possible.
The application is vulnerable to Cross-Site Request Forgery because of the lack of "protect_from_forgery" in the Rails controllers.
The library is vulnerable to LDAP injection through the "username" parameter.
tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
In order to be fully RFC compliant for TOTPs, no valid OTP may be used more than once for a given timestep.
Failing to properly encode user input, backend forms are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.
Information Disclosure in TYPO3 CMS.
HTTP requests being performed using the TYPO3 API expose the specific TYPO3 version to the called endpoint.
Information Disclosure in TYPO3 CMS.
Failing to properly check user permissions on file storages, editors could gain knowledge of protected storages and their folders as well as use them in a file collection being rendered in the frontend. A valid backend user account is needed to exploit this vulnerability.
XSS in TYPO3 CMS Backend.
Arbitrary Code Execution in TYPO3 CMS.
Due to a missing file extension in the fileDenyPattern, backend users are allowed to upload *.pht files which can be executed in certain web server setups.
The secureCompare method in lib/SimpleSAML/Utils/Crypto when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
SimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.
The SimpleSAML_Session class in SimpleSAMLphp allows remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.
The aesEncrypt method in lib/SimpleSAML/Utils/Crypto makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).
The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
The multiauth module in SimpleSAMLphp allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
This package can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
RubyGems is vulnerable to maliciously crafted gem specifications that cause a denial of service against RubyGems clients who have issued a query command.
Async Http Client can be tricked into connecting to a host different from the one extracted by java.net.URI if a ? character occurs in a fragment identifier.
RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. Solr does not validate the file name, hence it is possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk …
serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
Baser CMS contains a SQL injection vulnerability.
ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.
baserCMS allows remote attackers to delete arbitrary files via unspecified vectors when the "File" field is being used in the mail form.
This package allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
Error responses from Apache Atlas include stack traces, exposing excessive information.
Apache Atlas allows access to the webapp directory contents by pointing to URIs like /js and /img.
list-n-stream is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
Apache Atlas uses cookies that could be accessible to client-side script.
Apache Atlas is vulnerable to DOM XSS in the edit-tag functionality.
Apache Atlas is vulnerable to cross frame scripting.
Apache Atlas is vulnerable to Stored Cross-Site Scripting in the edit-tag functionality.
Apache Atlas is vulnerable to Reflected XSS in the search functionality.
This package is vulnerable to Cross-site Scripting (XSS) attacks. The autoescape option was set to False in the jinja configuration, allowing attackers to inject content via user input.
The fs-git module relies on child_process.exec, however, the buildCommand method used to construct exec strings does not properly sanitize data and is vulnerable to command injection across all methods that use it and call exec.
baserCMS allows an attacker to execute arbitrary PHP code on the server via unspecified vectors.
This package is vulnerable to Arbitrary File Download. A client can use backslashes to escape the directory the files were exposed from. Note: this applies only when the host server runs a Windows-based operating system.
Zend/Diactoros/Uri::filterPath in zend-diactoros does not properly sanitize path input, which allows remote attackers to perform cross-site scripting (XSS) or open redirect attacks.
Cross-site request forgery (CSRF) vulnerability in this package.
components/filemanager/class is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type.
There is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
Nimbus JOSE+JWT proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
Nimbus JOSE+JWT proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
The gem open-uri-cached contains a flaw that is due to the program creating predictable temporary files and loading YAML without a safe loader. This may allow a local attacker to gain elevated privileges.
The Reporting feature in X-Pack has an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.
hawtio has a CSRF vulnerability allowing remote attackers to trick a user into visiting their website containing a malicious script, which can be submitted to the hawtio server on behalf of the user.
The numpy.pad function in Numpy versions is missing input validation. An empty list or array will cause an infinite loop, which can allow attackers to cause a DoS attack.
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name.
The HTTP/2 implementation in Tomcat bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.
The CORS Filter in Apache Tomcat does not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability".
The CORS Filter in Apache Tomcat did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
The Realm implementations in Apache Tomcat do not process the supplied password if the supplied user name does not exist, which makes it possible to use a timing attack to determine valid user names.
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF does not use a constant-time MAC signature comparison algorithm, which may be exploited by sophisticated timing attacks.
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
A bug in the error handling of the NIO HTTP connector in Apache Tomcat resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage.
In Apache Tomcat, a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
The HTTP transport module in Apache CXF uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest, which is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If unexpected matrix parameters have been injected into the request URL, then these matrix parameters will find their way back …
The package rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration. If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack. If you control a redirection target, you can steal …
Express does not specify a charset field in the Content-Type header while displaying level response messages. Failing to force the user's browser to use the correct charset could be leveraged by an attacker to perform a cross-site scripting attack using non-standard encodings, like UTF-7.
It was found that under some situations and configurations of Apache Storm, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.
cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
IdentityServer3 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the IdentityServer authorization response.
openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
fabric-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodefabric was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mariadb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
sqlite.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mssql-node was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodesqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
ffmepg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
sqliter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-sqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-openssl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
d3.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-opensl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
nodemailer-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
babelcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
jquery.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
node-fabric was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
When a call-site passes a subject for an email that contains line-breaks, the caller can add arbitrary SMTP headers.
Recent Electron versions do not have strict Same Origin Policy (SOP) enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host.
The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code.
Safemode is vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete-permissions or possibly to privilege escalation.
A logged-in back end user can include arbitrary PHP files by manipulating a URL parameter. Since Contao does not allow uploading PHP files in the file manager, the attack is limited to the PHP files already present on the server.
Contao allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.
An XSS vulnerability exists in framework/views/errorHandler/exception.
The code_generator.phps example does not filter user input prior to output. This file is distributed with a .phps extension, so it is not normally executable unless it is explicitly renamed, so it is safe by default. There's also an undisclosed potential XSS vulnerability in the default exception handler (unused by default).
DNN (aka DotNetNuke) has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
Csrf.cs in NancyFX Nancy has Remote Code Execution via Deserialization of JSON data in a CSRF Cookie.
In the XSS Protection API module in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.
In the XSS Protection API module in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.
When access is denied, mysql_pconnect() raises a warning that exposes the user credentials.
phpMyAdmin is vulnerable to an open redirect weakness.
Apache OpenMeetings does not check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server.
Apache OpenMeetings responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
Apache OpenMeetings is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
Modx is vulnerable to blind SQL injection caused by improper sanitization in the escape method, allowing an authenticated user to access the database and possibly escalate privileges.
phpMyAdmin is vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server.
Mautic fails to set flags on session cookies.
Chef Software's mixlib-archive is vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using .. in tar archive entries.
Apache OpenMeetings has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.
Akeneo PIM is vulnerable to shell injection in the mass edit feature, resulting in remote code execution.
Kubernetes is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.
Moodle has a user fullname disclosure through the user preferences page.
The re-key admin monitor in Jenkins re-encrypts all secrets in JENKINS_HOME with a new key. It also creates a backup directory containing all old secrets and the key used to encrypt them. These backups are world-readable and are not removed.
Apache OpenMeetings displays Tomcat version and detailed error stack trace.
The course overview block reveals activities in hidden courses.
Uploaded XML documents are not correctly validated in Apache OpenMeetings.
Apache OpenMeetings uses weak cryptographic storage, does not use a captcha in the registration and forgot-password dialogs, and its authentication forms lack brute-force protection.
Course creators are able to change system default settings for courses.
phpMyAdmin is vulnerable to a DoS weakness in the table editing functionality.
Apache OpenMeetings is vulnerable to parameter manipulation attacks; as a result an attacker can gain access to restricted areas.
phpMyAdmin is vulnerable to a DoS attack in the replication status by using a specially crafted table name.
A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies.
The qs module is vulnerable to a DoS. A malicious user can send a crafted request that crashes the web framework.
Akka is vulnerable to a java deserialization attack in its remoting component, resulting in remote code execution in the context of the ActorSystem.
phpMyAdmin is vulnerable to a CSS injection attack through crafted cookie parameters.
Bolt CMS allows stored XSS by uploading an SVG document with a Content-Type: image/svg+xml header.
Mapbox is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name.
Mapbox is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and the map share control.
Bolt CMS allows stored XSS via text input, as demonstrated by the Title field of a new entry.
Global and Room chat are vulnerable to XSS attack in Apache OpenMeetings.
Plotly suffers from an XSS issue.
Apache OpenMeetings is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
RVM automatically loads environment variables from files in $PWD resulting in command execution.
Apache OpenMeetings updates user passwords in an insecure manner.
When Spring AOP functionality is used to secure Struts actions, it is possible to perform a DoS attack.
If an application allows a URL to be entered in a form field and the built-in URLValidator is used, a specially crafted URL can overload the server process while the URL is being validated.
Missing anchor in generated regex for rack-cors allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
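The rack-cors entry above describes a regex built from the configured origin list without start and end anchors. The following Python is an added illustration (not rack-cors code) of why that matters: the unanchored pattern is applied with a search, so any origin that merely contains a trusted host name passes, while the anchored pattern requires the whole host to equal a trusted name. The trusted host and the probe origins are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample configuration: only this host is meant to be allowed.
TRUSTED_HOSTS = ["example.com"]


def host_of(origin):
    """Host part of an Origin header value such as 'https://example.com'."""
    return (urlparse(origin).hostname or "").lower()


def unanchored_pattern(hosts):
    # Reproduces the flaw: the host list becomes an alternation with no
    # anchors, so search() accepts any origin that merely CONTAINS a
    # trusted host name.
    return re.compile("|".join(re.escape(h) for h in hosts))


def anchored_pattern(hosts):
    # Corrected form: anchor both ends so the whole host must equal one of
    # the trusted names. re.escape keeps the '.' literal in both variants.
    return re.compile(r"\A(?:" + "|".join(re.escape(h) for h in hosts) + r")\Z")


def allowed_unanchored(origin, hosts=TRUSTED_HOSTS):
    return unanchored_pattern(hosts).search(host_of(origin)) is not None


def allowed_anchored(origin, hosts=TRUSTED_HOSTS):
    return anchored_pattern(hosts).search(host_of(origin)) is not None


# Constructed attacker-controlled origins that embed the trusted name.
PROBES = [
    "https://example.com",              # legitimate
    "https://example.com.example.net",  # trusted name as a leading label
    "https://example.com-example.net",  # trusted name as a hyphenated prefix
    "https://evil-example.com",         # trusted name as a suffix
    "https://examplexcom",              # only rejected because '.' is escaped
]


def compare(hosts=TRUSTED_HOSTS):
    """Return {origin: (unanchored_result, anchored_result)} for each probe."""
    return {o: (allowed_unanchored(o, hosts), allowed_anchored(o, hosts)) for o in PROBES}


if __name__ == "__main__":
    for origin, (loose, strict) in compare().items():
        print(f"{origin:35} unanchored={loose!s:5} anchored={strict}")
```

The same check applies to any allow-list built from regular expressions (CORS origins, redirect targets, webhook URLs): escape the literal, anchor both ends, and compare the parsed host rather than the raw header.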
It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not …
The Traffic Router component of the incubating Apache Traffic Control project is vulnerable to a Slowloris style Denial of Service attack. TCP connections made on the configured DNS port will remain in the ESTABLISHED state until the client explicitly closes the connection or Traffic Router is restarted. If connections remain in the ESTABLISHED state indefinitely and accumulate in number to match the size of the thread pool dedicated to processing …
The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
In Netwide Assembler (NASM) rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
This package uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using …
This package allows attackers to execute arbitrary code via a crafted serialized PyFunction object.
ikst downloads resources over HTTP, which leaves it vulnerable to MITM attacks.
gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
A cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via the body parameter of blog/add/.
In Netwide Assembler (NASM) rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. For example, it causes a corrupted double-linked list in detoken(), a double free or corruption in delete_Token(), and an out-of-bounds write …
An XSS can be exploited through index.php in Zen by means of the products_id parameter.
Apache Ignite uses an update notifier component to update the users about new project releases that include additional functionality, bug fixes and performance improvements. To do that the component communicates to an external PHP server (http://ignite.run) where it needs to send some system properties like Apache Ignite or Java version. Some properties might contain user sensitive information.
Remote attackers could execute arbitrary PHP code via HTTP POST data beginning with a <?php substring.
f2e-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by f2e-server requiring elevated privileges to run.
Multiple cross-site request forgery vulnerabilities are present in vimbadmin.
Dolibarr ERP/CRM allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.
Remote code execution vulnerability in Shopware.
SPIP does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
Jetty is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
The client libraries in Apache Thrift might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to false) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.
The mail package does not disallow CRLF in email addresses; an attacker can inject SMTP commands in specially crafted email addresses passed to RCPT TO and MAIL FROM.
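The mail package entry above is an instance of SMTP command injection: an SMTP server reads one command per CRLF, so an address containing a line break ends the current RCPT TO and starts a new command. The Python below is an added example (not the mail package's own code) that builds the envelope commands a naive client would send, shows how the server tokenises them, and then adds the check that rejects such addresses. All addresses and the evil.example host are constructed.

```python
# Constructed envelope values; 'evil.example' is a made-up attacker host.
LEGIT_SENDER = "noreply@example.com"
LEGIT_RCPT = "alice@example.com"
INJECTED_RCPT = "alice@example.com>\r\nRCPT TO:<attacker@evil.example"


def envelope_unsafe(sender, recipients):
    """Build the MAIL FROM / RCPT TO lines without checking the addresses (the flaw)."""
    cmds = [f"MAIL FROM:<{sender}>"] + [f"RCPT TO:<{r}>" for r in recipients]
    return "\r\n".join(cmds) + "\r\n"


def commands_seen_by_server(wire):
    """How an SMTP server tokenises the stream: one command per CRLF."""
    return [line for line in wire.split("\r\n") if line]


def check_address(addr):
    """Reject anything that could terminate or continue an SMTP command line."""
    # Reject bare LF too: some servers accept it as a line terminator.
    if any(ch in addr for ch in "\r\n\0"):
        raise ValueError(f"control character in address: {addr!r}")
    if not (1 <= len(addr) <= 254) or "@" not in addr or any(ch in addr for ch in "<> "):
        raise ValueError(f"malformed address: {addr!r}")
    return addr


def envelope_safe(sender, recipients):
    """Same envelope, but every address is validated before it is interpolated."""
    return envelope_unsafe(check_address(sender), [check_address(r) for r in recipients])


def demo():
    """Return (commands the server sees for the unsafe build, whether the safe build rejected it)."""
    seen = commands_seen_by_server(envelope_unsafe(LEGIT_SENDER, [INJECTED_RCPT]))
    try:
        envelope_safe(LEGIT_SENDER, [INJECTED_RCPT])
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    seen, rejected = demo()
    for cmd in seen:
        print("server sees:", cmd)
    print("safe builder rejected payload:", rejected)
```

The unsafe build turns one intended recipient into two RCPT TO commands; the validated build raises before any bytes reach the socket. Validation has to happen on the raw address string, not after the library has wrapped it in angle brackets.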
Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.
Certain user input components in the UI guarded against some forms of XSS, but the guarding was insufficient.
Craft CMS allows for a potential XSS attack vector by uploading a malicious SVG file.
Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework via null or malformed token identifiers.
Improper symlink handling in the zone, jail, and chroot connection plugins could lead to escape from the confined environment. File copying is not performed by code that is operating within the restricted environment (chroot, jail, or zone).
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. The Default Servlet in Apache Tomcat does not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured …
TeamPass is vulnerable to an SQL injection in users.queries.php.
Dolibarr ERP/CRM is vulnerable to an SQL injection in user/index.php (search_supervisor and search_statut parameters).
In Apache Hadoop, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.
During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.
The pidusage module passes unsanitized input to child_process.exec, resulting in command injection in the ps method, as the pid is never cast to an integer as the comment expects. This module is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable.
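The pidusage entry above is a command injection that exists only because the pid is interpolated into a shell string without first being cast to an integer. The Python below is an added illustration (not pidusage's code) of the same pattern: subprocess with shell=True plays the role of child_process.exec, and the safe variant casts first and then passes an argument vector so no shell parses the value. The payload is constructed; running the unsafe path requires a POSIX /bin/sh.

```python
import subprocess

MALICIOUS_PID = "1; echo INJECTED"  # constructed payload: a pid that is really a shell command


def ps_command_unsafe(pid):
    """String handed to a shell; pid is interpolated without being cast (the flaw)."""
    return f"ps -o rss= -p {pid}"


def run_unsafe(pid):
    # shell=True is the analogue of child_process.exec: the whole string goes to /bin/sh,
    # so the ';' in MALICIOUS_PID ends the ps command and starts a second one.
    return subprocess.run(ps_command_unsafe(pid), shell=True,
                          capture_output=True, text=True).stdout


def ps_argv_safe(pid):
    """Cast first, then build an argument vector so the value is never shell-parsed."""
    pid_int = int(pid)  # ValueError for '1; echo INJECTED', '1 -p 2', '' and similar
    if pid_int <= 0:
        raise ValueError("pid must be positive")
    return ["ps", "-o", "rss=", "-p", str(pid_int)]


def run_safe(pid):
    # No shell involved: each list element reaches ps as one argv entry.
    return subprocess.run(ps_argv_safe(pid), capture_output=True, text=True).stdout


def safe_rejects(pid):
    """True when the hardened path refuses the value before anything is executed."""
    try:
        ps_argv_safe(pid)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("unsafe output:", run_unsafe(MALICIOUS_PID).strip())
    print("safe rejects payload:", safe_rejects(MALICIOUS_PID))
```

The int() cast is the whole fix: once the value is a number there is nothing a shell could reinterpret, and passing a list instead of a string removes the shell from the path entirely.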
The LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.
Under certain circumstances, it is possible to execute unauthorized foreign code in Shopware.
Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive does not seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) …
Missing state parameter in OAuth requests leading to CSRF vulnerability.
There's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice …
This package does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.
Directory traversal vulnerability in Contao allows remote authenticated back end users to view files outside their file mounts or the document root via unspecified vectors.
An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox.
Both Firefox and Safari are vulnerable to XSS if we use an inert document created via document.implementation.createHTMLDocument().
This package relies on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring …
Under some situations, this package is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
This package did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
When processing user provided XML documents, the Spring Framework does not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
Spring Security relies on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring …
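The two Spring Security entries above (the unnamed package entry and this one) describe the same class of bug: the authorization layer and the routing layer match the path with different normalisation, so a request can reach a controller that the security rule never sees. The Python below is an added simulation of that class (not Spring code): a minimal Ant-style matcher run once strictly, as the security rule, and once with per-segment whitespace trimming, as the routing layer. The pattern, controller mapping, and probe paths are constructed; the one-character difference is a space inside a path segment, as the entries describe.

```python
def split_path(path, trim_segments):
    """Segments of a '/'-separated path; optionally strip whitespace from each one."""
    segs = [s for s in path.split("/") if s != ""]
    return [s.strip() if trim_segments else s for s in segs]


def ant_match(pattern, path, trim_segments):
    """Minimal Ant-style matcher: '*' matches one segment, '**' matches zero or more."""
    pat = split_path(pattern, False)
    segs = split_path(path, trim_segments)

    def rec(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(segs) + 1))
        if j < len(segs) and (pat[i] == "*" or pat[i] == segs[j]):
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


PROTECTED = "/admin/**"      # constructed security rule
CONTROLLER = "/admin/users"  # constructed controller mapping


def security_requires_auth(path):
    # Strict matcher: a segment 'admin ' (trailing space) is not 'admin'.
    return ant_match(PROTECTED, path, trim_segments=False)


def mvc_routes_to_admin(path):
    # Lenient matcher: trims each segment, so 'admin ' becomes 'admin'.
    return ant_match(CONTROLLER, path, trim_segments=True)


def is_bypass(path):
    """True when routing reaches the controller but the security rule does not fire."""
    return mvc_routes_to_admin(path) and not security_requires_auth(path)


def hardened_requires_auth(path):
    # Fix: apply the same normalisation as the routing layer before authorizing,
    # or better, have both layers share one matcher instance.
    return ant_match(PROTECTED, path, trim_segments=True)


if __name__ == "__main__":
    for p in ["/admin/users", "/admin /users"]:
        print(f"{p!r:18} routed={mvc_routes_to_admin(p)} "
              f"secured={security_requires_auth(p)} bypass={is_bypass(p)}")
```

The probe "/admin /users" is what the server sees after decoding "/admin%20/users". Whenever two components decide "which handler" and "is this allowed", the safe design is to derive both decisions from one canonicalised path, and to default to deny for anything the authorization layer cannot classify.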
The ActiveDirectoryLdapAuthenticator in this package does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
When using the CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, …
Multiple cross-site scripting vulnerabilities in vimbadmin.
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session.
Cairo is vulnerable to a NULL pointer dereference related to FT_Load_Glyph and FT_Render_Glyph, resulting in an application crash.
The findLoad method passes a provided string directly to the shell, allowing arbitrary command execution.
libxml2 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
libxml2 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash.
A buffer overflow was discovered in libxml2. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits …
libxml2 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.
Arbitrary shell execution in php_codesniffer.
A malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.
Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications; these plugins were found vulnerable to Cross-Site Request Forgery.
A properly crafted filename would allow for arbitrary code execution when using the --filter=gitmodified command line option.
Sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host.
Remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
In Moodle, searching of arbitrary blogs is possible because a capability check is missing.
A CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
pygmentize contains a Remote Code Execution vulnerability.
Cross-site scripting vulnerability in ADOdb allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
An authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.
Keycloak does not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.
An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.
A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.
A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.
Cross-site scripting vulnerability in the baserCMS Blog plugin allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
Cross-site request forgery (CSRF) vulnerability in the baserCMS Blog plugin allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Cross-site request forgery (CSRF) vulnerability in baserCMS allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Cross-site request forgery (CSRF) vulnerability in the baserCMS Mail plugin allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Dolibarr has an SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (buffer over-read) or information disclosure.
Dolibarr ERP/CRM stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
Dolibarr ERP/CRM allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.
Dolibarr has an XSS in doli/societe/list.php via the sall parameter.
Multiple cross-site request forgery vulnerabilities exist in Matic.
Product: Apache Cordova Android. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android (Jelly Bean), …
Cookie leakage to wrong origins and non-restricted cookie acceptance.
A null dereference vulnerability has been found in the MIME handling component of LibEtPan.
forgotpassword.php lacks a rate limit, which might allow remote attackers to cause a denial of service (login inability) or possibly conduct Arbitrary User Password Reset attacks via a series of requests.
Zen Cart has an XSS in the main_page parameter to index.php.
Cookies of foo.bar.example.com are leaked to foo.bar. Additionally, any site can set cookies for any other site.
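The cookie entries above (the summary line and this one) describe two failures of a cookie jar: sending a cookie to a host it was not scoped to, and accepting a Domain attribute the responding host has no right to set. The Python below is an added example (not the affected library's code) that implements the RFC 6265 domain-match rule beside a loose prefix comparison assumed here to reproduce the described leak, and a small jar that optionally enforces the rule on acceptance. Host names and cookie values are constructed; public-suffix rejection (refusing Domain=com) is left out for brevity.

```python
import ipaddress


def _canon(host):
    return host.strip().lower().rstrip(".")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: equal, or request host is a subdomain of the cookie domain."""
    h, d = _canon(request_host), _canon(cookie_domain)
    if h == d:
        return True
    return h.endswith("." + d) and not _is_ip(h)


def prefix_matches(request_host, cookie_domain):
    """Loose comparison assumed for illustration (not the library's actual code):
    treats the names as matching whenever one is a string prefix of the other."""
    h, d = _canon(request_host), _canon(cookie_domain)
    return d.startswith(h) or h.startswith(d)


class Jar:
    def __init__(self, match=domain_matches, strict_set=True):
        self.match = match          # rule used when deciding which cookies to send
        self.strict_set = strict_set  # whether Domain attributes are checked on receipt
        self.cookies = []           # (domain, host_only, name, value)

    def set_cookie(self, request_host, name, value, domain=None):
        """Store a cookie from a response sent by request_host; return whether it was accepted."""
        host_only = domain is None
        d = _canon(domain or request_host)
        # A response may only set cookies for a domain the request host belongs to.
        if self.strict_set and not domain_matches(request_host, d):
            return False
        self.cookies.append((d, host_only, name, value))
        return True

    def cookies_for(self, request_host):
        """Cookies that would be attached to a request to request_host."""
        h = _canon(request_host)
        out = {}
        for d, host_only, name, value in self.cookies:
            if (h == d) if host_only else self.match(h, d):
                out[name] = value
        return out


def demo():
    leaky = Jar(match=prefix_matches, strict_set=False)
    leaky.set_cookie("foo.bar.example.com", "session", "s3cret", domain="foo.bar.example.com")
    strict = Jar()
    strict.set_cookie("foo.bar.example.com", "session", "s3cret", domain="foo.bar.example.com")
    return {
        "leaky_to_foo.bar": leaky.cookies_for("foo.bar"),
        "strict_to_foo.bar": strict.cookies_for("foo.bar"),
        "strict_to_subdomain": strict.cookies_for("app.foo.bar.example.com"),
        "leaky_accepts_foreign": leaky.set_cookie("evil.example", "sid", "x", domain="bank.example"),
        "strict_accepts_foreign": strict.set_cookie("evil.example", "sid", "x", domain="bank.example"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

Both failures come from the same missing primitive: a correct domain-match is needed once when a cookie is accepted (is the setter allowed to claim this domain?) and again when it is sent (does this host fall under that domain?). A real jar should additionally reject Domain values that are public suffixes.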
pcre2test.c in PCRE2 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.
GeniXCMS has an XSS that can be triggered by a comment that is mishandled during a publish-operation by an administrator.
GeniXCMS has an XSS that can be triggered by an authenticated user who submits a page.
RuboCop does not use /tmp in safe way, allowing local users to exploit this to tamper with cache files belonging to other users.
Carefully crafted requests can expose information about strings and objects allocated during the request for unauthorised users.
Craft CMS does not prevent modification of the URL in a forgot-password email message.
GeniXCMS has an SQL Injection in inc/lib/Control/Backend/menus.control.php that can be exploited via the menuid parameter.
PCRE2 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures."
Craft CMS does not properly restrict viewing the contents of files in the craft/app/ folder.
GeniXCMS contains an XSS that can be triggered by an authenticated comment that is mishandled during a mouse operation by an administrator.
Craft CMS allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based.
GeniXCMS allows remote attackers to bypass the alertDanger MSG_USER_EMAIL_EXIST protection mechanism via a register.php?act=edit&id=1 request.