Security Misconfiguration Vulnerability
Doctrine uses mkdir($cacheDirectory) to create cache directories. If your application runs with a umask of
There's an improper default directory umask that can potentially allow unauthorized modifications of PHP code.
Doctrine Annotations allows local users to execute arbitrary PHP code with additional privileges by leveraging an application with the umask set to 0 and that executes cache entries as code.
The permission mask is not properly set when creating a new directory or file. This can lead to local arbitrary code execution or privilege escalation. Such attacks typically require direct access to a user of the system to exploit, but are dangerous vectors when available.
www/logout.php and modules/core/www/no_cookie.php are not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on. It allows attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link_href and retryURL HTTP parameters, respectively.
nokogiri mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document.
When an authentication form is submitted by the user and the user does not exist, the submitted username is stored in the session. If an attacker submits multiple requests with large usernames, he can potentially fill up the session storage.
Apache PDFBox does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.
The nextBytes function in the SecureRandom class in Symfony does not properly generate random numbers when used with PHP without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.
A lowercasing logic is used on the attribute names. Because of this, boolean attributes whose names are not all lowercase cause infinite recursion, and will exceed the stack call limit.
Extbase request handling fails to implement a proper access check for requested controller/ action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on …
Missing Access Check in TYPO3 CMS.
There's a potential cross-site scripting vulnerability in the Model#Escape function if a user is able to supply input. This is due to the replacement regex missing conversions such as < to &lt;.
Moodle does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.
The save_submission function in mod/assign/externallib.php in Moodle allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.
Cross-site scripting (XSS) vulnerability in the advanced-search feature in mod_data in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted field in a URL.
Multiple cross-site scripting (XSS) vulnerabilities in auth/db/auth.php in Moodle allow remote attackers to inject arbitrary web script or HTML via an external DB profile field.
A security vulnerability in the software mediaelement.js allows execution of arbitrary JavaScript code.
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by jsinitfunctio%gn.
Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service via a crafted XML document.
Multiple use-after-free vulnerabilities in the (1) htmlParsePubidLiteral and (2) htmlParseSystemLiteral functions in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allow remote attackers to cause a denial of service via a crafted XML document.
The htmlCurrentChar function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
The xmlParserPrintFileContextInternal function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
The xmlDictAddString function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
safemode for Ruby, when initialized with a delegate object that is a Rails controller, allows context-dependent attackers to obtain sensitive information via the inspect method.
Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
Heap-based buffer overflow in the xmlStrncat function in libxml2, as used in Apple iOS, OS X, tvOS, and watchOS, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
Jenkins allows remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name".
Jenkins allows remote authenticated users to trigger updating of update site metadata by leveraging a missing permission check.
Jenkins allows remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
The xmlStringGetNodeList function in tree.c in libxml2, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
An XSS risk exists in the returnURL parameter passed to CMSSecurity/success. An unvalidated URL could cause the user to be redirected to an unverified third-party URL outside of the site.
Due to a lack of parameter sanitisation a carefully crafted URL could be used to inject arbitrary HTML into the CMS Edit page. An attacker could create a URL and share it with a site administrator to perform an attack.
LoginForm calls disableSecurityToken(), which causes a "shared host domain" vulnerability.
savetreenode action does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites.
Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.
Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.
The jv_dump_term function in jq allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted JSON file. This issue has been fixed in jq _rc1-r0.
There's a flaw in the way that node.js handles the rejectUnauthorized setting. If the value is something that evaluates to false, certificate verification will be disabled. This is problematic as engine.io-client passes in an object for settings that includes the rejectUnauthorized property, whether it has been set or not. If the value has not been explicitly changed, it will be passed in as null, resulting in certificate verification being turned …
XSLTResult in Apache Struts allows remote attackers to execute arbitrary code via the stylesheet location parameter.
csrf-lite uses ===, a fail-first string comparison, instead of a constant-time string comparison. This enables an attacker to measure minuscule timing differences in CSRF token checks, essentially enabling them to guess the token one character at a time. Each check increases the variable tempCheck by one. If a malicious user is able to see what tempCheck is at each run (how long it takes to do a check), …
electron-packager is a command line tool that packages Electron source code into .app and .exe packages, along with Electron. The --strict-ssl command line option defaults to false if not explicitly set to true. This could allow an attacker to Man In The Middle (MITM) the step where electron-packager does the following: "Download all supported target platforms and arches of Electron using the installed electron-prebuilt version (and cache the …
A vulnerability that allows attackers to gain information about private site content.
A missing webdav security declaration would allow unauthorized webdav access.
A malicious user could go to your application and send a request for GET /User?distinct=password and get all the passwords for all the users in the database, despite the field being set to private. This could also be used for other private data if the malicious user knew what was set as private for specific routes.
A user who can create or edit templates can bypass Restricted Python.
Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.
The primary npm registry has, since late, used HTTP bearer tokens to authenticate requests from the npm command-line interface. Due to a design flaw in the CLI, these bearer tokens were sent with every request made by the CLI for logged-in users, regardless of the destination of the request. They should instead only be included for requests made against the registry or registries used for the current install. This flaw …
A malicious user could bypass the authentication and execute any command that the user who is running the console-io application is able to run. This means that if console-io was running from root, the attacker would have full access to the system. This vulnerability exists because the application does not configure socket.io to require authentication, which allows a malicious user to connect via a websocket to send commands and receive …
Integer underflow in the png_check_keyword function in pngwutil.c in libpng allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.
dict.c in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via an unexpected character immediately after the "<!DOCTYPE html" substring in a crafted HTML document.
Specifically crafted long headers or URIs can cause a minor denial of service.
There are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there's a potential security issue in the usage of the openssl_random_pseudo_bytes() function in Zend_Crypt_Math::randBytes, reported in PHP BUG #70014, and the security implications reported in a discussion on the random_compat library.
Potential Insufficient Entropy Vulnerability in ZF1.
The diffie_hellman_sha256 function in kex.c in libssh2 improperly truncates secrets to bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug."
Nokogiri is affected by a series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks.
Buffer overflow in the ImagingPcdDecode function in PcdDecode.c allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.
Drupal might allow remote attackers to execute arbitrary code via vectors related to session data truncation.
The User module in Drupal allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
The System module in Drupal might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content.
Drupal might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on an error page, related to path manipulation.
Open redirect vulnerability in the drupal_goto function in Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the destination parameter.
The "have you forgotten your password" links in the User module in Drupal allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
Arbitrary File Disclosure in Form Component.
Privilege Escalation in TYPO3 CMS.
Authentication Bypass in TYPO3 CMS.
The Form API in Drupal ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has #access set to FALSE in the server-side form definition.
The File module in Drupal allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
CRLF injection vulnerability in the drupal_set_header function in Drupal allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
Cross-Site Scripting in TYPO3 Backend.
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE, as used in Apache Struts, when using a single-byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a URL-encoded parameter.
The XML-RPC system in Drupal might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
Directory traversal vulnerability in the Import/Export function in the Portal Site Manager in Apache Jetspeed allows remote authenticated administrators to write to arbitrary files, and consequently execute arbitrary code, via a .. in a ZIP archive entry.
The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file.
The htmlParseComment function in HTMLparser.c in libxml2 allows attackers to obtain sensitive information, cause a denial of service (out-of-bounds heap memory access and application crash), or possibly have unspecified other impact via an unclosed HTML comment.
Cross-site scripting (XSS) vulnerability in Apache Jetspeed allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to portal.
A cross-site scripting (XSS) vulnerability in Apache OpenMeetings allows remote attackers to inject arbitrary web script or HTML via the event description when creating an event.
When using the PouchDB driver in the module, an attacker can execute arbitrary commands via the collection name.
SPIP allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
Applications that pass unverified user input to the render method in a controller or a view may be vulnerable to a code injection. An attacker could use the request parameters to coerce the controller to execute arbitrary ruby code.
Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability. Impacted code will look something like this: def index; render params[:id]; end. Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.
Directory traversal vulnerability in Action View in Ruby on Rails before allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. in a pathname.
Jenkins does not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
Jenkins does not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.
The Rails gem allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
BeanShell when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Administrate::ApplicationController actions don't have CSRF protection. Remote attackers can hijack users' sessions and use any functionality that administrate exposes on their behalf.
If JsRender is used with server-delivered client-side templates that dynamically embed end-user input, then it is possible for a malicious user to execute arbitrary client-side code via use of a very specific expression.
Droppy does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under his control and delete others.
The airbrake module defaults to sending environment variables over HTTP. Environment variables often contain secret keys and other sensitive values. A malicious user on the same network as a regular user could intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.
restafary is able to set up a root path, which should only allow it to run inside of that root path it specified. An attacker is able to provide a specifically crafted path to access files outside of this specified root path.
sanitize-html is vulnerable to cross-site scripting (XSS) in certain scenarios: if at least one entry is allowed in nonTextTags, the result is a potential XSS vulnerability.
The xmlNextChar function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
The package encryptor encrypts all messages using the same key/nonce. This not only exposes the XOR of the plaintexts if you XOR together two ciphertexts, but it also leaks the AES-GCM authentication key, allowing an attacker to forge messages and potentially perform chosen ciphertext attacks, which could potentially enable full plaintext recovery.
The compile_branch function in pcre_compile.c in PCRE and pcre2_compile.c in PCRE2 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
random_compat uses an insecure CSPRNG (openssl_random_pseudo_bytes()).
A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.
uri-js is a module that tries to fully implement RFC. One of these features is validating whether a supplied URL is valid or not. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS, which causes the program to hang and the CPU to idle at % usage while uri-js is trying to validate whether the supplied URL is valid or not.
The checkHTTP function in libraries/Config.class.php in phpMyAdmin does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.
A cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
Using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers.
The buildDefaults method on DevelopmentAdmin is missing a permission check. In live mode, if you access /dev/build, you are requested to login first. However, if you access /dev/build/defaults, then the action is performed without any login check. This should be protected in the same way that /dev/build is. The buildDefaults view is requireDefaultRecords() on each DataObject class, and hence has the potential to modify database state. It also lists all …
In its default configuration, SilverStripe trusts all originating IPs to include HTTP headers for Hostname, IP and Protocol. This enables reverse proxies to forward requests while still retaining the original request information. Trusted IPs can be limited via the SS_TRUSTED_PROXY_IPS constant. Even with this restriction in place, SilverStripe trusts a variety of HTTP headers due to different proxy notations (e.g. X-Forwarded-For vs. Client-IP). Unless a proxy explicitly unsets invalid HTTP …
GridField does not have sufficient CSRF protection, meaning that in some cases users with CMS access can be tricked into posting unspecified data into the CMS from external websites. Amongst other default CMS interfaces, GridField is used for management of groups, users and permissions in the CMS.
Denial of Service attack possibility in TYPO3 component Indexed Search.
XML External Entity (XXE) Processing in TYPO3 Core.
Cross-Site Scripting in TYPO3 component Backend.
Cross-Site Scripting in TYPO3 component CSS styled content.
The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request.
Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle allows remote attackers to inject arbitrary web script or HTML via a crafted search string.
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin allow remote authenticated users to inject arbitrary web script or HTML.
libraries/common.inc.php in phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers
Missing security check on dev/build/defaults.
CSRF vulnerability in GridFieldAddExistingAutocompleter.
SQL Injection in dbal.
The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. in a pathname.
The Rails gem supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
Cross-Site Scripting in form component.
Cross-Site Scripting in link validator component.
Cross-Site Scripting in legacy form component.
Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags, these entities will be unescaped, which may cause an XSS attack if used in combination with raw or html_safe.
Carefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer which can lead to an XSS attack.
Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell your application is vulnerable to this attack by looking for http_basic_authenticate_with method calls in your application.
Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications.
A carefully crafted Accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.
Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the permit! method …
Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability. Carefully crafted requests can render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.
Users that have a route that contains the string :controller are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain :controller.
When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the allow_destroy: false option to the accepts_nested_attributes_for method. The allow_destroy flag prevents the :reject_if proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if :allow_destroy is false so this leads to changes that would have been rejected being applied to the …
This package is vulnerable to arbitrary script injection because of the shell=True flag, which enables subshells in the workspace.run() method.
The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.
composer is vulnerable to Cache Injection.
The filesystem storage backend in Radicale on Windows allows remote attackers to read or write to arbitrary files via a crafted path.
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
When attempting to support the 'try' authentication mode in hapi, an issue was introduced whereby users can bypass authentication.
A REST API endpoint that is used for development was not disabled in production environments, a malicious user can use it to fill up the server and cause a Denial of Service or content injection.
The sync-exec module is used to simulate child_process.execSync in Node. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file while it exists.
Buffer overflow in the png_set_PLTE function in libpng allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
If a request is made using multipart and the body type is a number, then a buffer of the specified length containing non-zeroed memory is passed as the body.
Devise uses cookies to implement a remember-me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely. The bug can only be exploited if the attacker can steal cookies in the first place.
Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth.
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM allow remote authenticated users to inject arbitrary web script or HTML via the parameters to htdocs/user/card.php.
Mapbox.js is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.
If you use L.mapbox.map and L.mapbox.shareControl, it is possible for a malicious user with control over the TileJSON content to inject script content into the name value of the TileJSON. After clicking on the share control, the malicious code will execute in the context of the page using Mapbox.js.
It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost. See "Affected use-cases" in provided link …
The gem contains a flaw that is triggered when handling the params[:default_class_name] option. This allows users to search any object of all given ActiveRecord classes.
The contents of the image_path, colors, and depth variables generated from possibly user-supplied input are passed directly to the shell. If a user supplies a value that includes shell metacharacters such as ';', an attacker may be able to execute shell commands on the remote system as the user id of the Ruby process.
jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in. "The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter …
jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator. "The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a …
When given a number instead of a string, the ping function sends a non-zeroed buffer of the corresponding length, which exposes memory to the recipient.
A security issue was found in bittorrent-dht that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.
Keys of objects are not escaped with mysql.escape() which could lead to SQL Injection.
When server level, connection level or route level CORS configurations are combined, a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).
Certain input strings when passed to new Date() or Date.parse() will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header.
Decamelize uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending a HTTP error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).
When using rack-attack with a RoR app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path /login/ becomes /login by the time you're in ActionController. Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and denylists to not work as expected.
Browser information is not filtered properly while saving the session values which leads to a Remote Code Execution vulnerability.
Multiple CRLF injection vulnerabilities allow attackers to inject arbitrary SMTP commands via CRLF sequences in an email address to the validateAddress function in class.phpmailer.php or SMTP command to the sendCommand function in class.smtp.php.
The vendored version of libxml2 is affected by multiple vulnerabilities.
Several vulnerabilities were discovered in the libxml2 library that this package gem depends on.
The xmlStringLenDecodeEntities function in parser.c in libxml2 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
Failing to properly encode editor input, several frontend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.
Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.
The xmlParseMisc function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
The xmlParseXMLDecl function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
The xmlNextChar function in libxml2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 allows context-dependent attackers to cause a denial of service via unspecified vectors.
Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.
All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting, as authorized editors can insert JavaScript commands by using the URL scheme "javascript:".
Failing to properly encode editor input, the search result view of indexed_search is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.
TYPO3 is susceptible to Cross-Site Flashing.
Cross-Site Scripting in TYPO3 component Indexed Search.
Cross-Site Scripting vulnerability in typolinks.
Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend.
Multiple Cross-Site Scripting vulnerabilities in frontend.
The Flash player fails to validate Flash and image files. Therefore it is possible to embed Flash videos from external domains.
Remote Code Execution Vulnerability
A vulnerability allows unauthorized disclosure of registered user information.
Denial Of Service attack vector in dompdf.
Session fixation vulnerability in the Remember Me login feature in Symfony allows remote attackers to hijack web sessions via a session id.
Symfony allows remote attackers to have unspecified impact via a timing attack involving.
Symfony allows remote attackers to have unspecified impact via a timing attack.
Symfony allows remote attackers to have unspecified impact via a timing attack.
Information Disclosure in dompdf.
Dompdf contains a Remote Code Execution vulnerability.
Due to a bug in the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.
The png_convert_to_rfc1123 function in png.c in libpng allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
A potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.
Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup.
SavedJobData and SavedJobMessages contain PHP serialized data. There's no point showing these to a CMS Admin as they're not human readable. Worse, it might be insecure, as a malicious CMS Admin might be able to craft a payload that's dangerous to unserialize. This issue has been resolved by hiding this content, even from administrators.
Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.
Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word.
Arbitrary file upload and XML External Entity processing.
XSS vulnerabilities in Neos.
There's a flaw that allows arbitrary file uploads, including server-side scripts, posing the risk of attacks.
By default, the CMS Admin editable template for the NotifyUsers action has access to a large number of fields, including (for instance) Member#Password. This would allow a malicious CMS Admin to extract other admin passwords by adding a template emailing these fields to themselves when other admins trigger the workflow. A new configuration option has been added; when this option is set to true via the Config API then only …
Parsing an unclosed comment can result in a "Conditional jump or move depends on uninitialised value(s)" error and unsafe memory access.
The xz_decomp function in xzlib.c in libxml2 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
A high level XSS risk has been identified in the encoding of validation messages in certain FormField classes. Certain fields such as the NumericField and DropdownField have been identified, but any form field which presents any invalid content as a part of its validation response will be at risk.
The vendored libxml2 and libxslt libraries have multiple vulnerabilities: CVE-2015-1819 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-7995
"Add from URL" does not clearly sanitize URL server side in HtmlEditorField_Toolbar. The current logic will pass this through to Oembed, which will probably reject most dangerous URLs, but it's possible future changes would break this.
HtmlEditor improper URL sanitisation.
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
Form field validation message XSS vulnerability.
Unsafe view template filenames result in a Remote File Inclusion vulnerability.
Remote File Inclusion through View template name manipulation.
There's an XSS attack vector in Security Library method xss_clean().
XSS attack vector in Security Library method xss_clean().
gm is vulnerable to command injection when user input is passed into the arguments of the gm.compare function. The compare() function fails to sanitize metacharacters correctly before calling the GraphicsMagick binary.
ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in which can lead to long processing time that make the application unresponsive.
bleach is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into the sanitize function. This can lead to long processing time, hanging the process while they occur.
Secure-compare does not actually compare two strings properly. The compare function actually compares the first argument with itself, meaning the check passes for any two strings of the same length.
If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON content from a non-Mapbox URL, it is possible for a malicious user with control over the TileJSON content to inject script content into the attribution value of the TileJSON which will be executed in the context of the page using Mapbox.js.
Mapbox.js is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.
Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the default URI.
hapi implements CORS incorrectly and allows for configurations that at best return inconsistent headers and at worst allow cross-origin activities that are expected to be forbidden.
There are multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope Management Interface).
A vulnerability allows attackers to gain read access to arbitrary files on the system.
The library does not properly escape attribute values making XSS exploits possible.
It's possible to cause a DoS by uploading files with a spoofed media type, because it causes megabytes of logging to be written.
This library is vulnerable to LDAP injection through the "username" parameter.
This package is vulnerable to Open Redirect attacks. When a colon is present in the URL path, the urljoin method ignores the upstream request and redirects it to a path controlled by an attacker, possibly causing content injection.
A maliciously forged file opened for editing can execute JavaScript, specifically by being redirected to /files/ due to a failure to treat the file as plain text.
It has been discovered that it is possible to forge a link to a backend module which contains a JavaScript payload. This JavaScript is executed if an authenticated editor with access to the module is tricked into clicking the link. Because TYPO3 includes a secret token unknown to an attacker in every URL, an exploit would not be feasible for these versions.
Potential SQL injection vector using null byte for PDO (MsSql, SQLite).
A member with the permission EDIT_PERMISSIONS is able to re-assign themselves (or another member) to ADMIN level.
XSS in dev/build returnURL Parameter.
XSS in install.php.
Forum Module CSRF Vulnerability.
By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged in user’s session. This means that the malicious hacker can change the logged in user’s password and invalidate the session of the victim while the hacker maintains access.
By exploiting a Cross-site scripting vulnerability, an attacker can hijack a user's session. This means that the malicious hacker can change the user's password and invalidate the session of the victim while the hacker maintains access.
By exploiting a Cross-site scripting vulnerability the attacker can hijack a user session. This means that the malicious hacker can change a user's password and invalidate the session of the victim.
By exploiting a Cross-site scripting vulnerability the attacker can hijack a user's session. This means that the malicious hacker can change the user's password and invalidate the session of the victim while the hacker maintains access.
It has been discovered that calling a PHP script which is delivered with TYPO3 for testing purposes discloses the absolute server path to the TYPO3 installation.
Frontend: Unauthenticated Path Disclosure.
Static file serving allows directory traversal with a URI encoded path.
File upload exposure on UserForms module.
The userforms module allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is not predictable, certain actions taken by CMS authors could expose it. For example, submission notification emails contain a link to the file without …
There's a flaw that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only applies when running under PHP-FPM in a threaded environment.
The Zend_Xml_Security::scan in ZendXml and Zend Framework, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
There's a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated to allow potentially malicious code to be hidden within secure code, activated by minification. Affected versions erroneously minify boolean expressions.
If you create a new folder in the iPython file browser and set JavaScript code as its name, the injected code will be executed. So, if I create a folder called "> and then I access it, the cookies will be prompted.
A session can be created when anonymously accessing the django.contrib.auth.views.logout view (provided it wasn't decorated with django.contrib.auth.decorators.login_required as done in the admin). This allows an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.
The Bolt CMS does not allow the upload or editing of PHP files in its admin area, which should prevent code execution once an attacker gained admin credentials. However, when uploading, the actual file type is not checked. The theme editor allows for the renaming of uploaded files, and it does not check the file extension or file type when doing so. Because of this, an attacker can gain code …
Several vulnerabilities were discovered in the libxml2 and libxslt libraries that this package gem depends on.
Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode. End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.
Ansible fails to adequately validate HTTPS certificates when using the get_url and uri modules, and when using the url and etcd lookup plugins. This allows for man-in-the-middle attacks on those connections.
Remote code execution in templates.
A number of form actions in the Forum module are directly accessible. A malicious user (e.g. spammer) can use GET requests to create Members and post to forums, bypassing CSRF and anti-spam measures. Additionally, a forum moderator could be tricked into clicking a specially crafted URL, resulting in a topic being moved.
Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible.
There's a flaw in Validation::compare() and Validation::range() that makes it possible to pass validation criteria using crafted data.
State guessing vulnerability.
State is not pulled out of the session, and can be guessed later.
When a Hash containing user-controlled data is encoded as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
Critical SQL injection bug in the ODBC database driver.
Carefully crafted requests can cause a SystemStackError and potentially cause a denial of service attack.
Specially crafted XML documents can cause applications to raise a SystemStackError and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.
Specially crafted remote requests can spoof their origin, bypassing the IP allowlist, in any environment where Web Console is enabled (development and test, by default). To work around this issue, turn off web-console in all environments by removing/commenting it from the application's Gemfile.
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, which will see this as a same origin request, and send the user's CSRF token to the attacker …
Insecure state generation.
The default exclude patterns (excludeParams) in this package allow remote attackers to "compromise internal state of an application" via unspecified vectors.
The package redcarpet contains a flaw that allows a stack overflow. This flaw exists because the header_anchor() function in html.c uses variable length arrays (VLA) without any range checking. This may allow a remote attacker to execute arbitrary code.
Class yii\web\ViewAction allowed to include arbitrary files that end with .php.
There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check, because a file named .html and containing actual HTML passes the spoof check.
Forced Redirect to External Website.
random_compat uses openssl_random_pseudo_bytes() but this Cryptographically Secure Pseudorandom Number Generator (CSPRNG) is insecure.
Sidekiq::Web lacks CSRF protection.
This is a malicious package. You may want to install sidekiq.
Frontend login Session Fixation.
Information Disclosure possibility exploitable by Editors.
Brute Force Protection Bypass in backend login.
Access bypass when editing file metadata.
Cross-Site Scripting exploitable by Editors.
Cross-Site Scripting in 3rd party library Flowplayer.
The gem is vulnerable to external entity expansion attacks.
Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the Symfony\Component\HttpKernel\HttpCache class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.
RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, which will see this as a same origin request, and send the user's CSRF token to the …
A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
The package sidekiq is vulnerable to XSS via queue name in Sidekiq::Web.
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in this package allow remote attackers to read arbitrary files via an external entity in an invalid XML String or GenericFile object in an XPath query.
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in this package allows remote attackers to read arbitrary files via an external entity in an SAXSource.
FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
This package is vulnerable to Information Exposure through the DualField and HashField columns which are insecure.
X-Forwarded-Host request hostname injection.
Denial of Service attack through XML payloads.
Vulnerability on isDev, isTest and flush $_GET validation.
External redirection risk in Security?ReturnURL.
Potential SQL Injection Vulnerability in silverstripe.
The tab switching cookie is not properly escaped.
Libcontainer and Docker Engine opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
Potential CRLF injection attacks in mail and HTTP headers.
Exploit in the private channel authentication.
This package is vulnerable to Cross-Site Scripting (XSS) attacks.
Cross-site scripting (XSS) vulnerability in Yii Framework allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6
It's possible for an attacker to circumvent authentication by crafting a special socket ID.
Incorrect CSRF validation in cakephp.
The gem is vulnerable to XPath injection on xml_security.rb. The lack of prepared statements allows for command injection, leading to arbitrary code execution.
REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information.
XSS via job arguments display class in Sidekiq::Web (web/views/queue.erb).
The package refile contains a flaw that is triggered when input is not sanitized when handling the remote_image_url field in a form, where image is the name of the attachment. This may allow a remote attacker to execute arbitrary shell commands.
User authentication bypass.
The default configuration in this package binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
semver is vulnerable to regular expression denial of service when extremely long version strings are parsed.
The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: getPort(), isSecure(), getHost() and getClientIps().
Critical vulnerabilities in JSON Web Token libraries.
Since the algorithm isn't enforced in jwt.decode(), a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to bypass verification when "a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)". It is also possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to bypass verification when "a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)".
Remote attackers can conduct PHP object injection attacks and execute arbitrary PHP code via crafted session data.
It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged in editors could access, create and modify content nodes that exist in the workspace of other editors.
Privilege Escalation in TYPO3 Neos.
XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes in this package allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes in Apache Batik allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
IE requests not properly behaving with rewritehashlinks.
XSS In rewritten hash links.
XSS in Director::force_redirect().
SiteTree Creation Permission Vulnerability in silverstripe.
File and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.
The kex_agree_methods function in libssh2 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.
The Java SockJS client in this package generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.
This package allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a <x:parse> or <x:transform> JSTL XML tag.
Apache Standard Taglibs allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
The dns-sync library for node.js allows resolving hostnames in a synchronous fashion. dns-sync is vulnerable to arbitrary command execution via maliciously formed hostnames. This is caused by the hostname being passed through a shell as part of a command execution.
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
XSS injection in backoffice.
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.
This package contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.
Passenger Gem for Ruby contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.
Attackers able to impersonate users.
Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via a crafted URL.
There's a flaw as HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to create administrative users.
The execute function in the xaviershay-dm-rail package exposes user credentials to the process table in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in this package uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
Race condition in this package allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
Race condition in JBoss Weld Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
XSS In FormAction.
History XSS Vulnerability in silverstripe.
VirtualPage XSS in silverstripe.
XSS In GridField print.
TreeDropdownField and TreeMultiSelectField XSS.
The program stores sensitive information in production logs. This may allow a local attacker to gain access to sensitive information.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
The gem contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine.
Marked is vulnerable to content injection even when sanitize: true is enabled. [xss link](vbscript:alert(1)) will produce the link <a href="vbscript:alert(1)">xss link</a>; this script does not work in IE edge mode, but works in IE compatibility view.
SQL Injection is possible in an application using the npm module sequelize if untrusted user input is passed into the order parameter. Example: Test.findAndCountAll({ where: { id :1 }, order : [['id', 'UNTRUSTED USER INPUT']] })
Incomplete block list vulnerability in marked for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Marked is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.
Because the /topic command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser.
Due to the use of child_process.exec when executing git commands, ungit allows commands to be injected from user input fields that end up in an executed git command.
This package allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
When using serve-static middleware and it is configured to mount at the root, it creates an open redirect on the site. For example: if a user visits http://example.com//www.google.com/%2e%2e they will be redirected to www.google.com
Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service.
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
XSS vulnerability in login redirect param.
wx.tools.img2py creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against an unspecified file to cause the program to unexpectedly overwrite an arbitrary file.
Cross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Commons ZfcUser allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
Session validation vulnerability.
Heap-based buffer overflow in the png_combine_row function in libpng, when running on systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when parsing textile links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Cross-site request forgery (CSRF) vulnerability in doorkeeper allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.
Header injection in NativeMailerHandler.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation.
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.
An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Fixed versions of the gem depend on fixed versions of libgit2.
Docker does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) docker load operation or (2) registry communications.
Docker allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
The inert directory handler always allows files in hidden directories to be served, even when showHidden is false.
Browserify has a security vulnerability where a malicious file can be executed when browserified.
Possible link spoofing on the homepage when anchors are used.
This package uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
Possible cache poisoning on the homepage when anchors are used.
squelize-restful can crash when called on a crafted URL.
paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. "With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production." See provided link.
Directory traversal vulnerability in this package when running on Windows, allows remote attackers to read arbitrary files via a .. in a resource URI.
DocumentProvider in this package does not configure the external-general-entities or external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: config.serve_static_assets = true
An attacker can provide input such as ../ to read files outside of the served directory.
Versions less than of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory.
MAGMI (MAGento Mass Importer) suffers from a File Inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files, etc. Essentially, this gives an attacker the ability to execute remote commands on the vulnerable server.
Certain input, when passed into remarkable, will bypass the bad protocol check that disallows the javascript: scheme, allowing javascript: URLs to be injected into the rendered content.
The validator module is vulnerable to Regular Expression Denial of Service (ReDoS) in the isURL method.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside an application's root directory. The files will not be served, but attackers can determine whether the file exists.
parser.c in libxml2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
Script language="php" HTML tags are interpreted even in secure mode. This may allow a remote attacker to bypass secure mode's intended restrictions and execute arbitrary PHP code.
Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as …
This package when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
When using TransportBinding, wss4j does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
The SamlHeaderInHandler in this package allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.
Certificates.java in Not Yet Commons SSL does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Denial of Service in OpenID System Extension.
The (1) Zend_Ldap class in Zend and (2) Zend\Ldap component in Zend allow remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
Arbitrary Shell Execution in Swiftmailer library.
Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against an LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password.
A flaw in the iptype() function is triggered when handling octal encoding. This may allow a remote attacker to bypass the IP exclusion feature.
Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC) allows remote attackers to inject arbitrary web script or HTML via a crafted web page, aka "MVC XSS Vulnerability."
Cross-site scripting (XSS) vulnerability in the CORS functionality in this package allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A vulnerability allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.
This package allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
Web Console Gem contains an unspecified flaw. The impact of this security issue is unknown.
A flaw in Active Job that can allow string arguments to be deserialized as if they were Global IDs. This may allow a remote attacker to inject arbitrary objects.
As Gem for Ruby contains a flaw that is due to the program displaying credential information in plaintext in the process list. This may allow a local attacker to gain access to credential information.
SQL injection vector when manually quoting values for sqlsrv extension, using null byte.
This package is vulnerable to Cross-Site Scripting (XSS) attacks.
Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability. When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary javascript to be executed on all Fat Free CRM pages. This code would be executed for all logged-in users.
When relying on the root option to restrict file access, it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, static(__dirname + '/public') would allow access to __dirname + '/public-restricted'.
The gem contains a flaw in helper method dispatch where it uses Kernel::send to call helpers without checking that they are defined within the template context first. This allows expressions such as {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
Entropy is lost in the TokenGenerator.
The OPC SAX setup in this package allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
This package allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Denial of service with a malicious HTTP Host header.
Direct access of ESI URLs behind a trusted proxy.
Security issue when parsing the Authorization header.
CSRF vulnerability in the Web Profiler.
The getCN function in Apache Axis does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.
The gem contains a flaw in Uploading & Processing that is due to the gem failing to restrict arbitrary commands to ImageMagick's convert. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.
There is a flaw that is triggered when handling zero-length block headers. This may allow a remote attacker to crash the program.
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection.
RESTEasy does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
XML Quadratic Blowup vulnerability.
qs is affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
See links attached for details.
When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non-CORS routes as this user. A configuration and scenario where this would occur is unlikely, …