When a cluster is operating in secure mode, a user with read privileges for specific data regions can use the gfsh command line utility to execute queries; the query results may contain data from another user's concurrently executing gfsh query, potentially revealing data that the user is not authorized to view.
Apache Tika does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
Inedo ProGet does not properly address dangerous package IDs during package addition, aka PG-1060.
A Stored XSS vulnerability in eGroupware Community Edition allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.
When handling a libprocess message wrapped in an HTTP request, libprocess in Apache Mesos crashes if the request path is empty, because the parser assumes the request path always starts with /. A malicious actor can therefore cause a denial of service of Mesos masters rendering the Mesos-controlled cluster inoperable.
When handling a decoding failure for a malformed URL path of an HTTP request, libprocess in Apache Mesos might crash because the code accidentally calls an inappropriate function. A malicious actor can cause a denial of service of Mesos masters, rendering the Mesos-controlled cluster inoperable.
hcbserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
liuyaserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
byucslabsix is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
desafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL, but is limited to accessing only .html files.
calmquist.static-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dylmomo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
yyooopack is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
wffserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
looppake is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
If a custom doctype entity is declared with a "SYSTEM" entity with a URL and that entity is used in the body of the Jelly file, during parser instantiation the parser will attempt to connect to said URL.
caolilinode is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
shenliru is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
myprolyz is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
static-html-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
earlybird is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
censorify.tanisjr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
dcserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the sandbox option is enabled.
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
method-override is vulnerable to a regular expression denial of service vulnerability when specially crafted input is passed in to be parsed via the X-HTTP-Method-Override header.
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around k characters to block for 2 seconds making this a low severity issue.
commentapp.stetsonwood is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
jikes is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Accessible files are restricted to files with .htm and .js extensions.
lab6.brit95 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
sspa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
shit-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
wanggoujing123 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
lab6drewfusbyu is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serve46 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
infraserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
mockserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
zwserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
GeniXCMS in /inc/lib/backend/menus.control.php has an XSS via the id parameter.
GeniXCMS in /inc/lib/Control/Backend/menus.control.php has an XSS via the id parameter.
GeniXCMS, in gxadmin/index.php has an XSS via the Menu ID field in a page=menus request.
Authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a theme.
In the Upload Modules page, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a module.
This package mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.
botbait is known to record and track user information. The module tracks the following information: * Source IP * process.versions * process.platform * How the module was invoked (test, require, pre-install)
The forwarded module is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Fresh is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry.
In a ZIP Bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.
The module pandora-doomsday infects other modules. It's since been unpublished from the registry.
UEdit has XSS via the SRC attribute of an IFRAME element.
cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverzyy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About k characters can block the event loop for 2 seconds.
The timespan module is vulnerable to regular expression denial of service. Given k characters of untrusted user input it will block the event loop for around seconds.
An incorrect kupu security declaration would allow any authenticated user to edit kupu settings.
Plone's URL checking infrastructure includes a method for checking whether URLs are valid and located in the Plone site. By passing HTML into this specially crafted URL, XSS can be achieved.
When Debug mode is turned on, under certain conditions an arbitrary script may be executed in the Problem Report screen. Also if JSP files are exposed to be accessed directly it's possible to execute an arbitrary script.
OWASP AntiSamy before allows XSS via HTML5 entities.
geminabox (aka Gem in a Box) has an XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.
geminabox (aka Gem in a Box) is vulnerable to CSRF.
A vulnerability that allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment by the site administrator.
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
The tough-cookie module is vulnerable to regular expression denial of service. Input of around k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is kb, so the impact of the ReDoS is limited to around seconds of blocking.
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly. In applications that use Ember's select view and pass user-supplied content to the label, a specially-crafted payload could execute arbitrary JavaScript in the context …
In the Convention plugin in Apache Struts, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
If an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
The REST Plugin in Apache Struts uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload.
In Apache Struts, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
Using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.
An attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.
The REST Plugin in this package uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload.
The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this …
When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
When using a VirtualDirContext with Apache Tomcat it is possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further …
Various course reports allow teachers to view details about users in the groups they cannot access.
Moodle has an XSS in the contact form on the "non-respondents" page in non-anonymous feedback.
The REST Plugin in this package uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
SilverStripe CMS has an XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname.
Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.
The Fastly CDN for Magento, when used with a third-party authentication plugin, might allow remote authenticated users to obtain sensitive information from authenticated sessions via vectors involving caching of redirect responses.
Copies of several well-known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent examples include urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package, so their functionality is the same, but the installation script, setup.py, is modified to include malicious (but relatively benign) code.
An exploitable vulnerability exists in the YAML loading functionality of ansible-vault. A specially crafted vault can execute arbitrary Python commands, resulting in command execution. An attacker can insert Python into the vault to trigger this vulnerability.
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by …
In Apache Brooklyn, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content.
The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
tmock is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverhuwenhui is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a "not supported" error.
Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.
There is a SQL injection vulnerability in don/list.
Dolibarr contains an SQL injection vulnerability in admin/menus/edit.
There is a sensitive information disclosure vulnerability in dolibarr.
Information disclosure in backend content tree menu.
If a view has been disabled in site.ini SiteAccessRules Rules, and an attacker accesses the backend with the URL to this module, then the tree menu may be displayed. Since the tree menu may contain hidden items, this may lead to information disclosure.
Kura takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. The Equinox console port is left open, allowing login to Kura without any user credentials over unencrypted telnet and execution of commands using the Equinox exec command. As the process is running as root, full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and …
Multiple cross-site scripting vulnerabilities.
dolibarr is vulnerable to Cross-site scripting.
GeniXCMS allows remote attackers to cause a denial of service (account blockage) by leveraging the mishandling of certain username substring relationships, such as the admin<script> username versus the admin username, related to register.php, User.class.php, and Type.class.php.
In Netwide Assembler (NASM) rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.
When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.
charset is vulnerable to regular expression denial of service. Input of around k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is kb, so the impact of the ReDoS is relatively low.
serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
If untrusted user input is allowed into the resolve() method then command injection is possible.
The application is vulnerable to Cross-Site Request Forgery because of the lack of "protect_from_forgery" in the Rails controllers.
The library is vulnerable to LDAP injection through the "username" parameter.
tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
In order to be fully RFC compliant for TOTPs, no valid OTP may be used more than once for a given timestep.
Failing to properly encode user input, backend forms are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.
Information Disclosure in TYPO3 CMS.
HTTP requests being performed using the TYPO3 API expose the specific TYPO3 version to the called endpoint.
Information Disclosure in TYPO3 CMS.
Failing to properly check user permissions on file storages, editors could gain knowledge of protected storages and their folders, as well as use them in a file collection being rendered in the frontend. A valid backend user account is needed to exploit this vulnerability.
XSS in TYPO3 CMS Backend.
Arbitrary Code Execution in TYPO3 CMS.
Due to a missing file extension in the fileDenyPattern, backend users are allowed to upload *.pht files, which can be executed in certain web server setups.
The secureCompare method in lib/SimpleSAML/Utils/Crypto when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.
SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
SimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.
The SimpleSAML_Session class in SimpleSAMLphp allows remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.
The aesEncrypt method in lib/SimpleSAML/Utils/Crypto makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).
The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
The multiauth module in SimpleSAMLphp allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.
fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.