Advisories

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the release. A workaround is to ensure only authorized users are able to access the editor url.

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the release. A workaround is to ensure only authorized users are able to access the editor url.

Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API. The issue has been patched in Node-RED The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary …

Magento UPWARD-php An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which allows reading arbitrary files from the remote server. Access to the admin console is required for successful exploitation.

A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root.

The restify-paginate package for Node.js allows remote attackers to cause a Denial-of-Service by omitting the HTTP Host header. A Restify-based web service would crash with an uncaught exception.

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Apache XmlGraphics Commons is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Jenkins Support Core Plugin provides the serialized user authentication as part of the "About user (basic authentication details only)" information, which can include the session ID of the user creating the support bundle in some configurations.

Jenkins Active Choices Plugin does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins Artifact Repository Parameter Plugin does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins Repository Connector Plugin does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

The Markdown Preview can be exploited to execute arbitrary code.

A cross-site request forgery (CSRF) vulnerability in Jenkins Configuration Slicing Plugin allows attackers to apply different slice configurations.

A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability.

An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot.

Spring Security can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the …

An out-of-bounds read issue was found in jp2_decode function whic may lead to disclosure of information or program crash.

A null pointer dereference in jp2_decode in jp2_dec.c may lead to program crash and denial of service.

A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request.

org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Connect server implementation for MITREid Connect contains a Mass Assignment (aka Autobinding) vulnerability. This arises due to unsafe usage of the @ModelAttribute annotation during the OAuth authorization flow, in which HTTP request parameters affect an authorizationRequest.

An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

This advisory has been marked as a False Positive and has been removed.

An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD The GeneralHandler class implements a basic GET handler that prints debug information as an HTML page. Any web server that extends this class without implementing its own GET handler is vulnerable to reflected XSS, because the GeneralHandler GET handler prints user input passed through the query string without any sanitization.

All versions of package theme-core are vulnerable to Command Injection via the lib/utils.js file, which is required by main entry of the package.

All versions of package nuance-gulp-build-common are vulnerable to Command Injection via the index.js file.

All versions of package wc-cmd are vulnerable to Command Injection via the index.js file.

All versions of package geojson2kml are vulnerable to Command Injection via the index.js file.

Smarty allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

Constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex).

This advisory has been marked as a false positive.

URI.js (aka urijs) mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

url-parse mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Smarty allows code injection via an unexpected function name after a {function name= substring.

An integer overflow in the PngImg::InitStorage_() function of png-img leads to an under-allocation of heap memory and subsequently an exploitable heap-based buffer overflow when loading a crafted PNG file.

The slashify package for Node.js allows open-redirect attacks, as demonstrated by a localhost:3000///example.com/ substring.

A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package for Node.js.

Jinjava allow access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure.

TweetStream uses the library eventmachine in an insecure way that does not have TLS hostname validation. This allows an attacker to perform a man-in-the-middle attack.

In voloko twitter-stream, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused).

It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more //// characters

In the default configuration, Apache MyFaces Core to to to use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

The package prismjs are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

This affects the package three This can happen when handling rgb or hsl colors.

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.

A Local FIle Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class.

Opencast is a free, open-source platform to support the management of educational audio and video content.On removal of an episode, this may lead to an access control list for series metadata with broader access rules than the merged access rules of all remaining events, or the series metadata still being available although all episodes of that series have been removed.

Opencast is a free, open-source platform to support the management of educational audio and video content.On removal of an episode, this may lead to an access control list for series metadata with broader access rules than the merged access rules of all remaining events, or the series metadata still being available although all episodes of that series have been removed. This problem is fixed in Opencast

Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.

The package async-git are vulnerable to Command Injection via shell meta-characters (back-ticks). For example, git.reset('atouch HACKEDb')

In RPyC, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings.

uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser.

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of …

In less-openui5, when processing theming resources (i.e. *.less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.

OpenSSL supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed …

A Privilege Elevation vulnerability in OPC UA .NET Standard Stack could allow a rogue application to establish a secure connection.

command injection vulnerability

Centreon where an authorized user is able to inject additional SQL queries to perform remote command execution.

An issue was discovered in GNOME GLib The function g_bytes_new has an integer overflow on platforms due to an implicit cast from bits to bits. The overflow could potentially lead to memory corruption.

An issue was discovered in GNOME GLib If g_byte_array_new_take() was called with a buffer of 4GB or more on a platform, the length would be truncated modulo 2**32, causing unintended length truncation.

When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

In Apache Thrift, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

In Apache Thrift to, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

This advisory has been marked as a false positive.

In Apache Thrift, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Magento is vulnerable to XML injection in the Widgets module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

The Host Authorization middleware in Action Pack suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a …

The Host Authorization middleware in Action Pack suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a …

The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

The get-ip-range package for Node.js is vulnerable to denial of service (DoS) if the range is untrusted input. An attacker could send a large range (such as /1) that causes resource exhaustion.

The PostgreSQL adapter in Active Record suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Users of Adminer versions bundling all drivers (e.g. adminer.php) are affected.

Magento is vulnerable to SQL Injection. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Magento is vulnerable to OS command injection via the scheduled operation module. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

Magento is vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required for successful exploitation.

In Lucee Admin, there is an unauthenticated remote code exploit.

All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure.

Keycloak suffers from an information disclosure through an error message. A logged in user can do an account email enumeration attack.

Keycloak suffers from an information disclosure through an error message. A logged in user can do an account email enumeration attack.

Keycloak suffers from an information disclosure through an error message. A logged in user can do an account email enumeration attack.

Keycloak suffers from an information disclosure through an error message. A logged in user can do an account email enumeration attack.

Keycloak suffers from an information disclosure through an error message. A logged in user can do an account email enumeration attack.

Keycloak suffers from an information disclosure through error messages. A logged in user can do an account email enumeration attack.

An authorization flaw was found in podman. File permissions for non-root users running in a privileged container are not correctly checked. This flaw can be abused by a low-privileged user inside the container to access any other file in the container, even if owned by the root user inside the container. It does not allow to directly escape the container, though being a privileged container means that a lot of …

Magento is vulnerable to Cross-Site Scripting in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for successful exploitation.

This CVE has been marked as a False Positive and has been removed.

In next-auth there is a token verification vulnerability. Implementations using the Prisma database adapter in conjunction with the Email provider are impacted. Implementations using the Email provider with the default database adapter are not impacted. Implementations using the Prisma database adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the verification token, but was not verifying the email address associated with that token. …

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. When certain sequences of update() calls with large values (multiple GBs) for symetric encryption or decryption occur, it's possible for an integer overflow to happen, leading to mishandling of buffers. This is patched in version 3.3.2 and newer.

ftp-srv is an open-source FTP server designed to be simple yet configurable. In ftp-srv there is a path-traversal vulnerability. Clients of FTP servers utilizing ftp-srv hosted on Windows machines can escape the FTP user's defined root folder using the expected FTP commands, for example, CWD and UPDR. When windows separators exist within the path (), path.resolve leaves the upper pointers intact and allows the user to move beyond the root …

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID is known to an attacker.

The samba-client package for Node.js allows command injection because of the use of process.exec.

The Elastic APM agent for Go can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.

Impact Generation of fake documents via public GET-call Patches We recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more …

In SCIMono, it is possible for an attacker to inject and execute java expression compromising the availability and integrity of the system.

A cross-site scripting (XSS) vulnerability in the forms component of Mautic allows remote attackers to inject executable JavaScript via mautic[return] (a different attack method than CVE-2020-35124, but also related to the Referer concept).

Adminer allows XSS via the history parameter to the default URI.

The package apexcharts are vulnerable to Cross-site Scripting (XSS) via lack of sanitization of graph legend fields.

Marked is an open-source markdown parser and compiler. In marked from and, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed

Marked is an open-source markdown parser and compiler. In marked from and, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed

A second-order SQL injection issue in Widgets/TopDevicesController.php (aka the Top Devices dashboard widget) of LibreNMS allows remote authenticated attackers to execute arbitrary SQL commands via the sort_order parameter against the /ajax/form/widget-settings endpoint.

In CarrierWave, the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.

A malicious server which responds with long series of \xa0 characters in the www-authenticate header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.

Prototype pollution vulnerability in set-or-get allows an attacker to cause a denial of service and may lead to remote code execution.

A stack overflow issue exists in Godot Engine up to v3.2 and is caused by improper boundary checks when loading .TGA image files. Depending on the context of the application, attack vector can be local or remote, and can lead to code execution and/or system crash.

An OS Command Injection vulnerability was found in node-ps located on line of lib/index.js.

The macfromip package suffers from an OS Command Injection. The vulnerability is located on line macfromip.js.

sanitize-html does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass the hostname allowlist validation set by the allowedIframeHostnames option.

sanitize-html does not properly validate the hostnames set by the allowedIframeHostnames option when the allowIframeRelativeUrls is set to true, which allows attackers to bypass the hostname allow list for an iframe element.

Impact This advisory concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified. When key usage permissions were changed at the key provider, time-based key reauthorization logic in MostRecentProvider did not reauthorize the use of the key. This created the potential for keys to be used in the DynamoDB Encryption Client after permissions …

Impact This advisory concerns users of MostRecentProvider in the DynamoDB Encryption Client with a key provider like AWS Key Management Service that allows for permissions on keys to be modified. When key usage permissions were changed at the key provider, time-based key reauthorization logic in MostRecentProvider did not reauthorize the use of the key. This created the potential for keys to be used in the DynamoDB Encryption Client after permissions …

An integer overflow issue exists in Godot Engine that can be triggered when loading specially crafted TGA image files.

In CarrierWave, there is a code injection vulnerability. Attackers can craft a string that can be executed as a Ruby code.

The spritesheet-js package depends on a vulnerable package platform-command. The injection point is located on line in lib/generator.js, which is triggered by main entry of the package.

In Dynamoose from and there was a prototype pollution vulnerability in the internal utility method lib/utils/object/set.ts. This method is used throughout the codebase for various operations throughout Dynamoose.

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ.

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ.

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ.

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ.

This advisory has been marked as a false positive.

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ.

An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ.

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing …

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is …

The gitlog function in src/index.ts in gitlog has a command injection vulnerability.

Stack buffer overflow vulnerability in gitea allows remote attackers to cause a denial of service (crash) via vectors related to a file path.

An issue was discovered in October through build It reactivates an old session ID (which had been invalid after a logout) once a new login occurs.

decal is vulnerable to prototype pollution in the set function.

decal is is vulnerable to prototype pollution in the extend function.

In Eclipse Californium to, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this.

prepareDownloadFilecreates creates a temporary file with the permissions bits of -rw-r–r– on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. A workaround fix for this issue is to set the system property java.io.tmpdir to a safe directory as remediation. Note: This version of the …

When using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

When using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

The package elliptic is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

This is a follow-up to the previous security advisory (GHSA-3p32-j457-pg5x) which addresses a few additional edge cases. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will …

This is a follow-up to the previous security advisory (GHSA-3p32-j457-pg5x) which addresses a few additional edge cases. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will …

Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s has a vulnerability which can lead to a denial-of-service.

Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. …

Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. …

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still …

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still …

Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue.

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still …

Mechanize is an open-source ruby library that makes automated web interaction easy.

Rootless containers run with Podman, receive all traffic with a source IP address of (including from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. This issue affects Podman onwards.

The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bleach.

This affects the package total.js The issue occurs in the image.pipe and image.stream functions. The type parameter is used to build the command that is then executed using child_process.spawn. The issue occurs because child_process.spawn is called with the option shell set to true and because the type parameter is not properly sanitized.

Prototype pollution vulnerability in dotty allows attackers to cause a denial of service and may lead to remote code execution.

SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS allows remote attackers to execute arbitrary SQL commands via the step parameter.

MinIO is vulnerable to server-side request forgery vulnerability. As a workaround you can disable the browser front-end with MINIO_BROWSER=off environment variable.

In angular-expressions there is a vulnerability which allows Remote Code Execution if you call expressions.compile(userControlledInput) where "userControlledInput" is text that comes from user input. The security of the package could be bypassed by using a more complex payload, using a constructor.constructor technique. In terms of impact: If running angular-expressions in the browser, an attacker could run any browser script when the application code calls expressions.compile(userControlledInput). If running angular-expressions on the …

openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this …

All versions of package kill-process-on-port are vulnerable to Command Injection via a.getProcessPortId.

The package nested-object-assign is vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below.

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

This advisory concerns a vulnerability which was patched and publicly released on October 5, 2020. Impact This vulnerability allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API. Users were able to remove any existing tag, and add any tag in which they are allowed to create discussions. The chosen tags still had to match the configured Tags minimums …

CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at The problem has been recognized and patched.

CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized …

Impact The outdated version 1 of the Steam Socialite Provider doesn't check properly if the login comes from steamcommunity.com, allowing a malicious actor to substitute their own openID server. Patches This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained, users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login. For more information If you have any questions …

This affects all versions of package iniparserjs. This vulnerability relates when ini_parser.js is concentrating arrays. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

The npm sonatype package has been identified as malicious and removed from the npm package registry. Remediation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

The npm discord-fix package has been identified as malicious and removed from the npm package registry. Remediation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

The npm an0n-chat-lib package has been identified as malicious and removed from the npm package registry. Remediation Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no …

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target …

This affects the package @graphql-tools/git-loader The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.

XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.

DoTls13CertificateVerify in tls13.c in wolfSSL does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate).

It was found in Moodle that messaging does not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app does ANY of the following, then it is impacted by this issue: Uses remote Calls webContents.sendToFrame Calls event.reply in an IPC message handler

It was found in Moodle that a insufficient capability checks in some grade related web services meant students were able to view other students grades.

A flaw was found in keycloak In some scenarios a user still has access to a resource after changing the role mappings in Keycloak expiration of the previous access token.

A flaw was found in keycloak In some scenarios a user still has access to a resource after changing the role mappings in Keycloak expiration of the previous access token.

A flaw was found in keycloak In some scenarios a user still has access to a resource after changing the role mappings in Keycloak expiration of the previous access token.

A flaw was found in keycloak In some scenarios a user still has access to a resource after changing the role mappings in Keycloak expiration of the previous access token.

A flaw was found in keycloak In some scenarios a user still has access to a resource after changing the role mappings in Keycloak expiration of the previous access token.

It was found in Moodle that some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.

It was found in Moodle that if the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.

A cross-site scripting (XSS) vulnerability in the assets component of Mautic allows remote attackers to inject executable JavaScript through the Referer header of asset downloads.

It was found in Moodle that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.

jp2_decode in jp2/jp2_dec.c in libjasper in JasPer has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.

scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package for Node.js calls eval when processing a set command.

Codiad /componentss/user/class.user.php:Authenticate() is vulnerable in magic hash authentication bypass. If encrypted or hash value for the passwords form certain formats of magic hash, e.g, 0e123, another hash value 0e234 something can successfully authenticate.

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis and Apache ActiveMQ, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis and Apache ActiveMQ, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis and Apache ActiveMQ, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.

Feehi CMS potentially resulting in remote code execution. After an administrator logs in, open the administrator image upload page to potentially upload malicious files.

Jenkins allows reading arbitrary files using the file browser for workspaces and archived artifacts due to a time-of-check to time-of-use (TOCTOU) race condition.

Node-RED-Dashboard allows ui_base/js/..%2f directory traversal to read files.

node-red-contrib-huemagic used in file hue-magic.js, to fetch an arbitrary file.

The async-git package for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.

Zen Cart b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.

RSSHub is an open source, easy to use, and extensible RSS feed generator. In RSSHub, there is a risk of code injection. Some routes use eval or Function constructor, which may be injected by the target site with unsafe code, causing server-side security issues.

When ORT (now via atstccfg) generates ip_allow.config files in Apache Traffic Control to to, those files include permissions that allow bad actors to push arbitrary content into and remove arbitrary content from CDN cache servers. Additionally, these permissions are potentially extended to IP addresses outside the desired range, resulting in them being granted to clients possibly outside the CDN arcitechture.

In Apache Hadoop, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

In Apache Hadoop to to to, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

In Apache Hadoop to to to, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.

A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application.

Feehi CMS When the user name is inserted as JavaScript code, browsing the post will trigger the XSS.

The Flarum Sticky extension has a cross-site scripting vulnerability.

A vulnerability exists in CakePHP The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request methods that CakePHP checks. Additionally, the route middleware does not verify that this overriden method (which can be an arbitrary string) is actually an HTTP method.

ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries.For oras CLI users, there is no workarounds other than pulling from a trusted artifact provider. For oras package users, the workaround is to not use github.com/deislabs/oras/pkg/content.FileStore, and use other content stores instead, or pull from a trusted artifact provider.

An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.

This affects the package vis-timeline An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.

OpenMage is a community-driven alternative to Magento CE. In OpenMage, an administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.

All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. pysaml2 <= 6.4.1 does not validate the SAML document against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elements with a valid signature inside elements whose content has been malformed. The verification is offloaded to xmlsec1 and xmlsec1 will not validate every signature in …

Kubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

OpenMage is a community-driven alternative to Magento CE. The latest OpenMage Versions up from have this Issue solved

Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.

Kubernetes Java client libraries allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

Kubernetes CSI snapshot-controller. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.

All users of pysaml2 that use the default CryptoBackendXmlSec1 backend and need to verify signed SAML documents are impacted. pysaml2 <= 6.4.1 does not ensure that a signed SAML document is correctly signed. The default CryptoBackendXmlSec1 backend is using the xmlsec1 binary to verify the signature of signed SAML documents, but by default, xmlsec1 accepts any type of key found within the given document. xmlsec1 needs to be configured explicitly …

OpenMage is a community-driven alternative to Magento CE. In OpenMage there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server and load it via layout xml.

When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is supplied with a manifest that runs pods on every node in a Kubernetes cluster, which are responsible for managing network connections for all other pods …

A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).

CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty.

CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty.

CSRF protection can be bypassed by forging a request that contains the same value for both the X-XSRF-TOKEN header and the XSRF-TOKEN cookie value, as the check in randomTokenCsrfProtection only checks that the two values are equal and non-empty.

Vert.x-Web framework does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by …

The use of exec and execSync in packages/loaders/git/src/load-git.ts allows arbitrary command injection.

The package jointjs is vulnerable to Denial of Service (DoS) via the unsetByPath function.

The package jointjs is vulnerable to Prototype Pollution via util.setByPath (https://resources.jointjs.com/docs/jointjs/v3.2/joint.htmlutil.setByPath). The path used the access the object's key and set the value is not properly sanitized, leading to a Prototype Pollution.

The gsap package suffers from a prototype pollution vulnerability.

If an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.

immer suffers from a prototype pollution vulnerability in the applyPatches_ function of patches.ts.

In aws-sdk/shared-ini-file-loader, if an attacker submits a malicious INI file to an application that parses it with loadSharedConfigFiles, they will pollute the prototype on the application. This can be exploited further depending on the context.

The package socket.io are vulnerable to Insecure Defaults due to CORS Misconfiguration.

Apache Guacamole does not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected …

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected …

A flaw was found in jackson-databind FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Mautic is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. These actions include changing the user passwords, altering user or email addresses, or adding a new administrator to the system.

Mautic is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on the target user’s behalf, including changing the user’s password or email address or changing the attacker’s user role from a low-privileged user to an administrator account.

The generated cookie uses insecure defaults, and does not have the httpOnly flag on cookieOpts: { path: '/', sameSite: true }. Additionally, the CSRF token is available in the GET query parameter.

Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

This candidate is a reservation duplicate of CVE-2021-23336

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years …

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years …

The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check involves verifying that the command target device is configured giving permission for the gateway device to act on its behalf. This means an authenticated device of a certain tenant, notably also a …

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

When serving resources from a network location using the NTFS file system, Apache Tomcat is susceptible to JSP source code disclosure in some configurations. The root cause is the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn is caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

The XML parsers used by XMLBeans up to does not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks.

In all version of Eclipse Hawkbit M7, the HTTP (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.

The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that is vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.

The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed

OWASP json-sanitizer can output invalid JSON or throw an undeclared exception for crafted input. This may lead to denial of service if the application is not prepared to handle these situations.

Jenkins Bumblebee HP ALM Plugin stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Jenkins does not correctly match requested URLs to the list of always accessible paths, allowing attackers without Overall/Read permission to access some URLs as if they did have Overall/Read permission.

OWASP json-sanitizer may emit closing SCRIPT tags and CDATA section delimiters for crafted input. This allows an attacker to inject arbitrary HTML or XML into embedding documents.

Jenkins allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.

Jenkins improperly validates the format of a provided fingerprint ID when checking for its existence allowing an attacker to check for the existence of XML files with a short path.

Jenkins allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global config.xml file.

Jenkins allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Jenkins does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup.

Jenkins does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

Jenkins does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

Jenkins does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

Jenkins does not limit sizes provided as query parameters to graph-rendering URLs, allowing attackers to request crafted URLs that use all available memory in Jenkins, potentially leading to out of memory errors.

ASP.NET Core and Visual Studio Denial of Service Vulnerability

RailsAdmin (aka rails_admin) allows XSS via nested forms.

Versions of Apache DolphinScheduler allowed an ordinary user under any tenant to override another users password through the API interface.

An issue was discovered in GoGo Protobuf plugin/unmarshal/unmarshal.go lacks certain index validation.

An issue was discovered in GoGo Protobuf plugin/unmarshal/unmarshal.go lacks certain index validation, aka the skippy peanut butter issue.

Certificate validation in node-sass is disabled when requesting binaries even if the user is not specifying an alternative download path.

A deserialization vulnerability existed in dubbo which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely …

Issue The /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Patches Version 3.4.5 and soon to be released 4.0.0 are patched. Workarounds If you aren't using authentication tokens - you can set the SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should …

Stored XSS was discovered in the tree mode of jsonedit through injecting and executing JavaScript.

In Redcarpet there is an injection vulnerability which can enable a cross-site scripting attack. This applies even when the :escape_html option was being used.

There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in webkit subproject of HTML/Java API.

socket.io-parser allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

This affects all versions of package ts-process-promises. The injection point is located in line in main entry of package in lib/process-promises.js.

This affects all versions of package buns. The injection point is located in line in index file lib/index.js in the exported function install(requestedModule).

A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.

Formstone is vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper validation of user supplied input in the upload-target.php and upload-chunked.php files. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site once the URL is clicked or visited. An attacker could use this vulnerability to steal the …

When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin.

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.

RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL has an out-of-bounds write for certain relationships between key size and digest size.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce/tinymce.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TinyMCE.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.

In actionpack gem, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

In actionpack gem, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

There's a flaw in openjpeg in src/lib/openjp2/pi.c. When an attacker is able to provide crafted input to be processed by the openjpeg encoder, this could cause an out-of-bounds read. The greatest impact from this flaw is to application availability.

A flaw was found in openjpeg's src/lib/openjp2/t2.c This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

A flaw was found in OpenJPEG This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.

There's a flaw in openjpeg's t2 encoder An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.

GJSON allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call.

spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request …

There's a flaw in src/lib/openjp2/pi.c of openjpeg If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.

A change introduced in Apache Flink (and released as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink if their Flink instance(s) are exposed.

GJSON allows attackers to cause a denial of service (remote) via crafted JSON.

The package asciitable.js is vulnerable to Prototype Pollution via the main function.

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In addition to upgrading, it is recommended to rotate all secrets.

Zend Framework, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php.

Laminas Project laminas-http has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php.

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the <style> tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the <style> tag so there is no risk if you have not explicitly …

By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine.

In URI.js the hostname can be spoofed by using a backslash \ character followed by an at @ character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com@observed-example.com will incorrectly return observed-example.com if using an affected version.

util/binfmt_misc/check.go in Builder of Docker Engine calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

A stored XSS vulnerability exists in Umbraco CMS. An authenticated user authorized to upload media can upload a malicious .svg file which act as a stored XSS payload.

A stored XSS vulnerability exists in Umbraco CMS. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.

An authenticated path traversal vulnerability exists during package installation in Umbraco CMS, which could result in arbitrary files being written outside of the site home and expected paths when installing an Umbraco package.

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server, user passwords involved in LDAP authentication are stored in cleartext. This is fixed by stripping the password after authentication to prevent cleartext password storage.

Prototype pollution vulnerability in 'deep-set' allows attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in 'predefine' allows an attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in 'flattenizer' allows an attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in 'set-object-value' allows an attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in shvl allows an attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in 'getobject' allows an attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in libnested allows an attacker to cause a denial of service and may lead to remote code execution.

Prototype pollution vulnerability in dset allows attacker to cause a denial of service and may lead to remote code execution.

Apache Accumulo does not properly check the return value of some policy enforcement functions before permitting an authenticated user to perform certain administrative operations. Specifically, the return values of the canFlush and canPerformSystemActions security functions are not checked in some instances, therefore allowing an authenticated user with insufficient permissions to perform the following actions: flushing a table, shutting down Accumulo or an individual tablet server, and setting or removing system-wide …

This advisory has been marked as a False Positive and has been removed.

This advisory has been marked as a False Positive and has been removed.

server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (aka twitter-server), in some configurations, allows XSS via the /histograms endpoint.

OpenCart This vulnerability can allow an attacker to inject the XSS payload in the Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.

OpenCart An admin can upload a profile image as a malicious code using JavaScript. Whenever anyone will see the profile picture, the code will execute and XSS will trigger.

date-and-time is an npm package for manipulating date and time. In date-and-time, there a regular expression involved in parsing which can be exploited to cause a denial of service. This is fixed

Dex is a federated OpenID Connect provider written in Go. In Dex there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed by using the xml-roundtrip-validator from Mattermost (see related references).

dhowden tag allows panic: runtime error: slice bounds out of range via readTextWithDescrFrame.

dhowden tag allows panic: runtime error: index out of range via readAPICFrame.

dhowden tag allows panic: runtime error: index out of range via readPICFrame.

dhowden tag allows panic: runtime error: slice bounds out of range via readAtomData.

Autobahn|Python allows redirect header injection.

The WooCommerce plugin for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.

BrowserUp Proxy allows you to manipulate HTTP requests and responses, capture HTTP content, and export performance data as a HAR file. BrowserUp Proxy works well as a standalone proxy server, but it is especially useful when embedded in Selenium tests. A Server-Side Template Injection was identified in BrowserUp Proxy enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. This has been patched

Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy, there is lack of signature verification on a specific transaction which enables an attacker to make certain unauthorized alterations to the ledger.

Dolibarr is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to admin/tools/dolibarr_export.php.

It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.

It is possible to pollute an object's prototype by specifying the proto object as part of an array.

The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.

The code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant. In particular, code in current (as of 0.8.0-alpha38) master https://github.com/tlsfuzzer/tlslite-ng/blob/0812ed60860fa61a6573b2c0e18771414958f46d/tlslite/utils/rsakey.py#L407-L441 and code in 0.7.5 branch https://github.com/tlsfuzzer/tlslite-ng/blob/acdde3161124d6ae37c506b3476aea9996d12e97/tlslite/utils/rsakey.py#L394-L425 has multiple ways in which it leaks information (for one, it aborts as soon as the plaintext doesn't start with 0x00, 0x02) about the decrypted ciphertext (both the bit length of the decrypted message as well as where …

What kind of vulnerability is it? Who is impacted? Open redirect vulnerability - a maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers running without a base_url prefix are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed …

Impact Information exposure via query strings in URL Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank Oliver Herrmann for reporting this issue.

Impact Information exposure via query strings in URL Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank Oliver Herrmann for reporting this issue.

Impact Authenticated Server Side Request Forgery Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank REQON B.V. for reporting this issue.

Impact Authenticated Server Side Request Forgery Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020 Credits We would like to thank REQON B.V. for reporting this issue.

Impact Authenticated Privilege Escalation Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020

Impact Authenticated Privilege Escalation Patches We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 Workarounds For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin: https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker config is misconfigured, a JMX port is opened on a TCP port that does not include authentication.

The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

In DolphinScheduler, with mysql connectorj a remote code execution vulnerability exists when choosing mysql as database.

In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack.

A nil pointer dereference in the golang.org/x/crypto/ssh component enables remote attackers to cause a DoS against SSH servers.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. The same happenes when creating a Connection with a password field.

systeminformation suffers from a command injection vulnerability.

XStream is a Java library to serialize objects to XML and back again. XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's Security …

datatables.net is vulnerable to Prototype Pollution due to an incomplete fix

A remote code execution vulnerability occurs in OpenTSDB via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient).

A command injection vulnerability affects connection-tester. The injection point is located on line of index.js.

ecstatic have a denial of service vulnerability. Successful exploitation could lead to crash of an application.

A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

A flaw was found in Keycloak, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

js-data is vulnerable to Prototype Pollution via the deepFillIn function.

jsonparser allows attackers to cause a denial of service (runtime panic error slice bounds out of range) via a GET call.

GJSON allows attackers to cause a denial of service via crafted JSON.

A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

A flaw was found in Keycloak where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same state parameter. This flaw allows a malicious user to perform replay attacks.

Due to use of a dangling pointer, libcurl can use the wrong connection when sending data.

common/InputStreamHelper.java in Packwood MPXJ allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.

curl is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

** DISPUTED ** GNOME GLib has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented.

curl is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

Ignite Realtime Openfire suffers from a stored Cross-site Scripting vulnerability in plugins/dbaccess/db-access.jsp.

Ignite Realtime Openfire suffers from a Stored Cross-site Scripting vulnerability in create-bookmark.jsp.

Ignite Realtime Openfire suffers from a reflective Cross-site Scripting vulnerability in plugins/clientcontrol/spark-form.jsp.

A stored Cross-site Scripting vulnerability exists in Ignite Realtime Openfire's create-bookmark.jsp groupchatJID.

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit.

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit.

A Denial of Service affects the package i18n due to insufficient handling of erroneous language tags.

The package ua-parser-js is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit.

The deepFillIn function can be used to fill missing properties recursively, while the deepMixIn mixes objects into the target object, recursively mixing existing child objects as well. In both cases, the key used to access the target object recursively is not checked, leading to a Prototype Pollution.

If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.

There's a Out-of-bounds write flaw in jasper's jpc encoder. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.

node-notifier allows an attacker to run arbitrary commands on Linux machines due to the options parameters not being sanitised when being passed an array.

The lib/utils.js in mquery allows a pollution attack because a special property (e.g., proto) can be copied during a merge or clone operation.

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain.

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth from and a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain.

Go Ethereum, or Geth, is the official Golang implementation of the Ethereum protocol. In Geth from and a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain.

Ignite Realtime Openfire suffers from a Stored Cross-Site Scripting vulnerability in plugins/bookmarks/create-bookmark.jsp.

Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS allows attacker to add cart items via Add to cart.

A command injection vulnerability exists located in line of index.js. This is due to a dependency on the vulnerable corenlp-js-interface package.

All versions of package corenlp-js-interface are vulnerable to Command Injection via the main function.

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

The tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area: >>> import tensorflow as tf >>> with open('/tmp/test.txt','w') as f: f.write('a'*128) >>> tf.raw_ops.ImmutableConst(dtype=tf.string,shape=2, memory_region_name='/tmp/test.txt') If the file is too small, TensorFlow properly returns an error as …

The tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area: >>> import tensorflow as tf >>> with open('/tmp/test.txt','w') as f: f.write('a'*128) >>> tf.raw_ops.ImmutableConst(dtype=tf.string,shape=2, memory_region_name='/tmp/test.txt') If the file is too small, TensorFlow properly returns an error as …

The tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area: >>> import tensorflow as tf >>> with open('/tmp/test.txt','w') as f: f.write('a'*128) >>> tf.raw_ops.ImmutableConst(dtype=tf.string,shape=2, memory_region_name='/tmp/test.txt') If the file is too small, TensorFlow properly returns an error as …

In affected versions of TensorFlow under certain cases a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen.

In affected versions of TensorFlow under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by …

Under certain cases, a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen: struct QUInt8 { QUInt8() {} // … uint8_t value; }; struct QInt16 { QInt16() {} // … int16_t value; }; struct QUInt16 { QUInt16() {} // … …

Under certain cases, a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen: struct QUInt8 { QUInt8() {} // … uint8_t value; }; struct QInt16 { QInt16() {} // … int16_t value; }; struct QUInt16 { QUInt16() {} // … …

Under certain cases, a saved model can trigger use of uninitialized values during code execution. This is caused by having tensor buffers be filled with the default value of the type but forgetting to default initialize the quantized floating point types in Eigen: struct QUInt8 { QUInt8() {} // … uint8_t value; }; struct QInt16 { QInt16() {} // … int16_t value; }; struct QUInt16 { QUInt16() {} // … …

In affected versions of TensorFlow the tf.raw_ops.ImmutableConst operation returns a constant tensor created from a memory mapped file which is assumed immutable. However, if the type of the tensor is not an integral type, the operation crashes the Python interpreter as it tries to write to the memory area. If the file is too small, TensorFlow properly returns an error as the memory area has fewer bytes than what is …

The tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. However, these assumptions are not checked and this can result in uninitialized memory accesses, read outside of bounds and even crashes. >>> import tensorflow as tf >>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='1234', dst_format='1234') <tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 757100143], dtype=int32)> … >>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='HHHH', dst_format='WWWW') <tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)> …

The tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. However, these assumptions are not checked and this can result in uninitialized memory accesses, read outside of bounds and even crashes. >>> import tensorflow as tf >>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='1234', dst_format='1234') <tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 757100143], dtype=int32)> … >>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='HHHH', dst_format='WWWW') <tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)> …

The tf.raw_ops.DataFormatVecPermute API does not validate the src_format and dst_format attributes. The code assumes that these two arguments define a permutation of NHWC. However, these assumptions are not checked and this can result in uninitialized memory accesses, read outside of bounds and even crashes. >>> import tensorflow as tf >>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='1234', dst_format='1234') <tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 757100143], dtype=int32)> … >>> tf.raw_ops.DataFormatVecPermute(x=[1,4], src_format='HHHH', dst_format='WWWW') <tf.Tensor: shape=(2,), dtype=int32, numpy=array([4, 32701], dtype=int32)> …

A temp directory creation vulnerability exist in Guava allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir().The permissions granted to the directory created default to the standard unix-like/tmp` ones, leaving the files open.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in getgrav/grav.

In affected versions of TensorFlow running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.

Under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values …

Under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values …

Under certain cases, loading a saved model can result in accessing uninitialized memory while building the computation graph. The MakeEdge function creates an edge between one output tensor of the src node (given by output_index) and the input slot of the dst node (given by input_index). This is only possible if the types of the tensors on both sides coincide, so the function begins by obtaining the corresponding DataType values …

Running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.

Running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.

Running an LSTM/GRU model where the LSTM/GRU layer receives an input with zero-length results in a CHECK failure when using the CUDA backend. This can result in a query-of-death vulnerability, via denial of service, if users can control the input to the layer.

user API tokens issued to single-user servers are specified in the environment of systemd units, which are accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default.

A head-based buffer overflow exists in OpenEXR in writeTileData in ImfTiledOutputFile.cpp can cause a denial of service via a crafted EXR file.

A heap-based buffer overflow vulnerability exists in OpenEXR in chunkOffsetReconstruction of ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file.

In JerryScript, there is an out-of-bounds read in main_print_unhandled_exception in the main-utils.c file.

A Null Pointer Deference issue exists in OpenEXR in generatePreview of makePreview.cpp that can cause a denial of service via a crafted EXR file.

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, …

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, …

It is possible for a specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic. The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by ||. When the received nonce and …

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors …

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors …

Prototype pollution vulnerability allows attacker to cause a denial of service and may lead to remote code execution.

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node.If you do use this option it is recommended that you upgrade to the latest version v4.3.6 This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.

A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.

A RCE exploit has been discovered in the Red Discord Bot - Dashboard Webserver: this exploit allows Discord users with specially crafted Server names and Usernames/Nicknames to inject code into the webserver front-end code. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Opencast If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.

A NULL pointer dereference and a crash may occur leading to a possible denial of service attack.

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.

A Java Serialization vulnerability in Apache Tapestry Apache makes it possible to deserialize the sp parameter even before invoking the page validate method, leading to deserialization without authentication.

An XSS vulnerability was found in Moodle

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk.

omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple or later.

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details.

In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.

In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files.

In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl.

In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking) oswasp: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very …

Impact: Potential ReDOS vulnerabilities (exponential and polynomial RegEx backtracking) oswasp: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very …

Client implementations using this library

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in html-purify.

Cross Site Scripting (XSS) vulnerability in Arachnys Cabot can be exploited via the Address column.

An attacker can use a Blind SQL injection to retrieve data or stop the MySQL service.

An issue was discovered in Play Framework Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play that used the Play Java API to serialize classes with protected or private fields to JSON.

An issue was discovered in Play Framework Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play that used the Play Java API to serialize classes with protected or private fields to JSON.

CImg suffers from integer overflows leading to heap buffer overflows in load_pnm() that can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity.

While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

While investigating bug it was discovered that Apache Tomcat to to to could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.