Covert Timing Channel
libraries/common.inc.php in phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
SS-2016-003: Hostname, IP and Protocol Spoofing through HTTP Headers
Missing security check on dev/build/defaults.
CSRF vulnerability in GridFieldAddExistingAutocompleter.
SQL Injection in dbal.
The Rails gem allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. in a pathname.
The Rails gem supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
Cross-Site Scripting in form component.
Cross-Site Scripting in link validator component.
Cross-Site Scripting in legacy form component.
Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags, these entities will be unescaped, which may cause an XSS attack if used in combination with raw or html_safe.
Carefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer which can lead to an XSS attack.
Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell your application is vulnerable to this attack by looking for http_basic_authenticate_with method calls in your application.
Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications.
A carefully crafted Accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack.
Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. Rails users using Strong Parameters are generally not impacted by this issue as they are encouraged to allow parameters and must specifically opt-out of input verification using the permit! method …
Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability. Carefully crafted requests can render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.
Users that have a route that contains the string :controller are susceptible to objects being leaked globally which can lead to unbounded memory growth. To identify if your application is vulnerable, look for routes that contain :controller.
When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the allow_destroy: false option to the accepts_nested_attributes_for method. The allow_destroy flag prevents the :reject_if proc from being called because it assumes that the record will be destroyed anyway. However, this is not true if :allow_destroy is false so this leads to changes that would have been rejected being applied to the …
This package is vulnerable to arbitrary script injection because of the shell=True flag, which enables subshells in the workspace.run() method.
The htmlParseNameComplex function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (out-of-bounds read) via a crafted XML document.
composer is vulnerable to Cache Injection.
The filesystem storage backend in Radicale on Windows allows remote attackers to read or write to arbitrary files via a crafted path.
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.
When the authentication mode try is allowed in hapi, an issue was introduced whereby people can bypass authentication.
A REST API endpoint that is used for development was not disabled in production environments, a malicious user can use it to fill up the server and cause a Denial of Service or content injection.
The sync-exec module is used to simulate child_process.execSync in node. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain confidential information from the buffer/tmp file while it exists.
Buffer overflow in the png_set_PLTE function in libpng allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
If a request is made using multipart and the body type is a number, then the specified number of bytes of non-zeroed memory is passed in the body.
Devise uses cookies to implement a remember-me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely. The bug can only be exploited if the attacker can steal cookies in the first place.
Specifically crafted MQTT packets can crash the application, making a DoS attack feasible with very little bandwidth.
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM allow remote authenticated users to inject arbitrary web script or HTML via the parameters to htdocs/user/card.php.
Mapbox.js is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.
If you use L.mapbox.map and L.mapbox.shareControl, it is possible for a malicious user with control over the TileJSON content to inject script content into the name value of the TileJSON. After clicking on the share control, the malicious code will execute in the context of the page using Mapbox.js.
It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost. See "Affected use-cases" in provided link …
The gem contains a flaw that is triggered when handling the params[:default_class_name] option. This allows users to search any object of all given ActiveRecord classes.
The contents of the image_path, colors, and depth variables generated from possibly user-supplied input are passed directly to the shell. If a user supplies a value that includes shell metacharacters such as ';', an attacker may be able to execute shell commands on the remote system as the user id of the Ruby process.
jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in. "The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter …
jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator. "The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a …
When given a number instead of a string, the ping function sends a non-zeroed buffer of the corresponding length, which exposes memory to the recipient.
A security issue was found in bittorrent-dht that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.
Keys of objects are not escaped with mysql.escape() which could lead to SQL Injection.
When server level, connection level or route level CORS configurations are combined, a higher level config that included security restrictions (like origin) would have those restrictions overridden by less restrictive defaults (e.g. origin defaults to all origins *).
Certain input strings when passed to new Date() or Date.parse() will cause v8 to raise an exception. This leads to a crash and denial of service in ecstatic when this input is passed into the server via the If-Modified-Since header.
Decamelize uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.
Certain input passed into the If-Modified-Since or Last-Modified headers will cause an 'illegal access' exception to be raised. Instead of sending an HTTP error back to the sender, hapi will continue to hold the socket open until timed out (default node timeout is 2 minutes).
When using rack-attack with a RoR app, developers expect the request path to be normalized. In particular, trailing slashes are stripped so a request path /login/ becomes /login by the time you're in ActionController. Since Rack::Attack runs before ActionDispatch, the request path is not yet normalized. This can cause throttles and denylists to not work as expected.
Browser information is not filtered properly while saving the session values which leads to a Remote Code Execution vulnerability.
Multiple CRLF injection vulnerabilities allow attackers to inject arbitrary SMTP commands via CRLF sequences in an email address to the validateAddress function in class.phpmailer.php or SMTP command to the sendCommand function in class.smtp.php.
The vendored version of libxml2 is affected by multiple vulnerabilities.
Several vulnerabilities were discovered in the libxml2 library that this package gem depends on.
The xmlStringLenDecodeEntities function in parser.c in libxml2 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
Failing to properly encode editor input, several frontend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.
Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.
The xmlParseMisc function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags.
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
The xmlParseXMLDecl function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
The xmlNextChar function in libxml2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 allows context-dependent attackers to cause a denial of service via unspecified vectors.
Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure.
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service.
All link fields within the TYPO3 installation are vulnerable to Cross-Site Scripting as authorized editors can insert javascript commands by using the url scheme "javascript:".
Failing to properly encode editor input, the search result view of indexed_search is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.
TYPO3 is susceptible to Cross-Site Flashing.
Cross-Site Scripting in TYPO3 component Indexed Search.
Cross-Site Scripting vulnerability in typolinks.
Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend.
Multiple Cross-Site Scripting vulnerabilities in frontend.
The flash player fails to validate flash and image files. Therefore it is possible to embed flash videos from external domains.
Remote Code Execution Vulnerability
A vulnerability allows unauthorized disclosure of registered user information.
Denial Of Service attack vector in dompdf.
Session fixation vulnerability in the Remember Me login feature in Symfony allows remote attackers to hijack web sessions via a session id.
Symfony allows remote attackers to have unspecified impact via a timing attack involving.
Symfony allows remote attackers to have unspecified impact via a timing attack.
Symfony allows remote attackers to have unspecified impact via a timing attack.
Information Disclosure in dompdf.
Dompdf contains a Remote Code Execution vulnerability.
Due to a bug in the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.
The png_convert_to_rfc1123 function in png.c in libpng allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
A potential XML External Entity processing vulnerability has been discovered in the MediaTypeConverter.
Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup.
SavedJobData and SavedJobMessages contain PHP serialized data. There's no point showing these to a CMS Admin as they're not human readable. Worse, it might be insecure, as a malicious CMS Admin might be able to craft a payload that's dangerous to unserialize. This issue has been resolved by hiding this content, even from administrators.
Zend generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. The selection is performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This can potentially lead to information disclosure should an attacker be able to brute force the random number generation.
Potential Information Disclosure and Insufficient Entropy vulnerability in Zend\Captcha\Word.
Arbitrary file upload and XML External Entity processing.
XSS vulnerabilities in Neos.
There's a flaw that allows arbitrary file uploads, including server-side scripts, posing the risk of attacks.
By default, the CMS Admin editable template for the NotifyUsers action has access to a large number of fields, including (for instance) Member#Password. This would allow a malicious CMS Admin to extract other admin passwords by adding a template emailing these fields to themselves when other admins trigger the workflow. A new configuration option has been added; when this option is set to true via the Config API then only …
Parsing an unclosed comment can result in a "Conditional jump or move depends on uninitialised value(s)" condition and unsafe memory access.
The xz_decomp function in xzlib.c in libxml2 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
A high level XSS risk has been identified in the encoding of validation messages in certain FormField classes. Certain fields such as the NumericField and DropdownField have been identified, but any form field which presents any invalid content as a part of its validation response will be at risk.
The vendored libxml2 and libxslt libraries have multiple vulnerabilities: CVE-2015-1819 CVE-2015-7941_1 CVE-2015-7941_2 CVE-2015-7942 CVE-2015-7942-2 CVE-2015-8035 CVE-2015-7995
"Add from URL" does not clearly sanitize URL server side in HtmlEditorField_Toolbar. The current logic will pass this through to Oembed, which will probably reject most dangerous URLs, but it's possible future changes would break this.
HtmlEditor improper URL sanitisation.
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
Form field validation message XSS vulnerability.
Unsafe view template filenames result in a Remote File Inclusion vulnerability.
Remote File Inclusion through View template name manipulation.
There's an XSS attack vector in Security Library method xss_clean().
XSS attack vector in Security Library method xss_clean().
gm is vulnerable to command injection when user input is passed into the arguments of the gm.compare function. The compare() function fails to sanitize meta characters correctly before calling the graphics magic binary.
ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in which can lead to long processing time that make the application unresponsive.
bleach is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into the sanitize function. This can lead to long processing time, hanging the process while they occur.
Secure-compare does not actually compare two strings properly. compare actually compares the first argument with itself, meaning the check passes for any two strings of the same length.
If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON content from a non-Mapbox URL, it is possible for a malicious user with control over the TileJSON content to inject script content into the attribution value of the TileJSON which will be executed in the context of the page using Mapbox.js.
Mapbox.js is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios.
Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter.
Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the default URI.
Hapi implements CORS incorrectly and allows for configurations that at best return inconsistent headers and at worst allow cross-origin activities that are expected to be forbidden.
There are multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope Management Interface).
A vulnerability allows attackers to gain read access to arbitrary files on the system.
The library does not properly escape attribute values making XSS exploits possible.
It's possible to cause a DoS by uploading files with a spoofed media type, because it causes megabytes of logging to be written.
This library is vulnerable to LDAP injection through the "username" parameter.
This package is vulnerable to Open Redirect attacks. When a colon is present in the URL path, the urljoin method ignores the upstream request and redirects it to a path controlled by an attacker, possibly causing content injection.
A maliciously forged file opened for editing can execute javascript, specifically by being redirected to /files/ due to a failure to treat the file as plain text.
It has been discovered that it is possible to forge a link to a backend module which contains a JavaScript payload. This JavaScript is executed if an authenticated editor with access to the module follows the link or is tricked into clicking on a certain HTML target. Because TYPO3 includes a secret token unknown to an attacker in every URL, an exploit would not be feasible for these versions.
Potential SQL injection vector using null byte for PDO (MsSql, SQLite).
A member with the permission EDIT_PERMISSIONS is able to re-assign themselves (or another member) to ADMIN level.
XSS in dev/build returnURL Parameter.
XSS in install.php.
Forum Module CSRF Vulnerability.
By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged in user’s session. This means that the malicious hacker can change the logged in user’s password and invalidate the session of the victim while the hacker maintains access.
By exploiting a Cross-site scripting vulnerability, an attacker can hijack a user's session. This means that the malicious hacker can change the user's password and invalidate the session of the victim while the hacker maintains access.
By exploiting a Cross-site scripting vulnerability the attacker can hijack a user session. This means that the malicious hacker can change a user's password and invalidate the session of the victim.
By exploiting a Cross-site scripting vulnerability the attacker can hijack a user's session. This means that the malicious hacker can change the user's password and invalidate the session of the victim while the hacker maintains access.
It has been discovered that calling a PHP script which is delivered with TYPO3 for testing purposes discloses the absolute server path to the TYPO3 installation.
Frontend: Unauthenticated Path Disclosure.
Static file serving allows directory traversal with a URI encoded path.
File upload exposure on UserForms module.
The userforms module allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is not predictable, certain actions taken by CMS authors could expose it. For example, submission notification emails contain a link to the file without …
There's a flaw that allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters. This only applies when running under PHP-FPM in a threaded environment.
The Zend_Xml_Security::scan in ZendXml and Zend Framework, when running under PHP-FPM in a threaded environment, allows remote attackers to bypass security checks and conduct XML external entity (XXE) and XML entity expansion (XEE) attacks via multibyte encoded characters.
RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900.
There's a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification. This bug was demonstrated to allow potentially malicious code to be hidden within secure code, activated by minification. Affected versions erroneously minify boolean expressions.
If you create a new folder in the iPython file browser and set JavaScript code as its name, the injected code will be executed. So, if I create a folder called "> and then I access it, the cookies will be prompted.
A session can be created when anonymously accessing the django.contrib.auth.views.logout view (provided it wasn't decorated with django.contrib.auth.decorators.login_required as done in the admin). This allows an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.
The Bolt CMS does not allow the upload or editing of PHP files in its admin area, which should prevent code execution once an attacker gained admin credentials. However, when uploading, the actual file type is not checked. The theme editor allows for the renaming of uploaded files, and it does not check the file extension or file type when doing so. Because of this, an attacker can gain code …
Several vulnerabilities were discovered in the libxml2 and libxslt libraries that this package gem depends on.
Your application is affected if you allow end users to submit Twig templates, even if you protected this template with Twig's sandbox mode. End users can craft valid Twig code that allows them to execute arbitrary code (RCEs) via the _self variable, which is always available, even in sandboxed templates.
Ansible fails to adequately validate HTTPS certificates when using the get_url and uri modules, and when using the url and etcd lookup plugins. This allows for man-in-the-middle attacks on those connections.
Remote code execution in templates.
A number of form actions in the Forum module are directly accessible. A malicious user (e.g. spammer) can use GET requests to create Members and post to forums, bypassing CSRF and anti-spam measures. Additionally, a forum moderator could be tricked into clicking a specially crafted URL, resulting in a topic being moved.
Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the prefix routing key you should upgrade as soon as possible.
There's a flaw in Validation::compare() and Validation::range() that makes it possible to pass validation criteria using crafted data.
State guessing vulnerability.
State is not pulled out of the session, and can be guessed later.
When a Hash containing user-controlled data is encoded as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
Critical SQL injection bug in the ODBC database driver.
Carefully crafted requests can cause a SystemStackError and potentially cause a denial of service attack.
Specially crafted XML documents can cause applications to raise a SystemStackError and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.
Specially crafted remote requests can spoof their origin, bypassing the IP allowlist, in any environment where Web Console is enabled (development and test, by default). To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, which will see this as a same-origin request, and send the user's CSRF token to the attacker …
Insecure state generation.
The default exclude patterns (excludeParams) in this package allow remote attackers to "compromise internal state of an application" via unspecified vectors.
The package redcarpet contains a flaw that allows a stack overflow. This flaw exists because the header_anchor() function in html.c uses variable length arrays (VLA) without any range checking. This may allow a remote attacker to execute arbitrary code.
Class yii\web\ViewAction allowed to include arbitrary files that end with .php.
There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check, because a file named .html and containing actual HTML passes the spoof check.
Forced Redirect to External Website.
random_compat uses openssl_random_pseudo_bytes() but this Cryptographically Secure Pseudorandom Number Generator (CSPRNG) is insecure.
Sidekiq::Web lacks CSRF protection.
This is a malicious package. You may want to install sidekiq.
Frontend login Session Fixation.
Information Disclosure possibility exploitable by Editors.
Brute Force Protection Bypass in backend login.
Access bypass when editing file metadata.
Cross-Site Scripting exploitable by Editors.
Cross-Site Scripting in 3rd party library Flowplayer.
The gem is vulnerable to external entity expansion attacks.
Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the Symfony\Component\HttpKernel\HttpCache class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.
RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, which will see this as a same-origin request, and send the user's CSRF token to the …
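The leading-space case described above, as an added example that is not jQuery's code: a simplified regex-based cross-domain check of the kind described, which treats any string it cannot parse as a relative (same-origin) URL, next to a check that resolves the string the way the browser will. The page origin https://example.com and the header name X-CSRF-Token are assumptions.

```javascript
// Added example, not jQuery's code: a simplified reconstruction of a
// regex-based same-origin check that treats "could not parse" as "relative",
// next to a check that resolves the URL the way the browser will.
const pageOrigin = 'https://example.com';   // assumed location of the page

// Naive: parse "scheme://host[:port]" with a regex and compare to the page's.
// A string that does not match (e.g. one with a leading space) is assumed to
// be a relative URL, i.e. same-origin.
const originRe = /^([\w.+-]+:)\/\/([^/?#:]*)(?::(\d+))?/;
function isCrossDomainNaive(url) {
  const page = originRe.exec(pageOrigin.toLowerCase());
  const parts = originRe.exec(url.toLowerCase());
  if (!parts) return false;                       // unparseable => "relative"
  return parts[1] !== page[1] || parts[2] !== page[2] || (parts[3] || '') !== (page[3] || '');
}

// Fixed: resolve relative to the page exactly as the browser does (the WHATWG
// parser strips leading and trailing whitespace) and compare origins.
function isCrossDomainFixed(url) {
  return new URL(url, pageOrigin).origin !== pageOrigin;
}

// What the browser actually requests for a given href or action value.
function browserResolves(url) {
  return new URL(url, pageOrigin).href;
}

// Attach the CSRF token only to requests judged same-origin by `isCrossDomain`.
function requestHeaders(url, csrfToken, isCrossDomain) {
  const headers = { Accept: 'application/json' };
  if (!isCrossDomain(url)) headers['X-CSRF-Token'] = csrfToken;
  return headers;
}
```

With the naive check, " https://attacker.com" is not parseable, so it is treated as relative and the token is attached; the browser then trims the space and sends that request, token included, to attacker.com. The fixed check sees the same origin the browser will use.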
A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
The package sidekiq is vulnerable to XSS via queue name in Sidekiq::Web.
Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in this package allow remote attackers to read arbitrary files via an external entity in an invalid XML String or GenericFile object in an XPath query.
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in this package allows remote attackers to read arbitrary files via an external entity in an SAXSource.
FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
This package is vulnerable to Information Exposure through the DualField and HashField columns which are insecure.
X-Forwarded-Host request hostname injection.
Denial of Service attack through XML payloads.
Vulnerability on isDev, isTest and flush $_GET validation.
External redirection risk in Security?ReturnURL.
Potential SQL Injection Vulnerability in silverstripe.
The tab switching cookie is not properly escaped.
Libcontainer and Docker Engine opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
Potential CRLF injection attacks in mail and HTTP headers.
Exploit in the private channel authentication.
This package is vulnerable to Cross-Site Scripting (XSS) attacks
Cross-site scripting (XSS) vulnerability in Yii Framework allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6
It's possible for an attacker to circumvent authentication by crafting special socket ID.
Incorrect CSRF validation in cakephp.
Potential CRLF injection attacks in mail and HTTP headers.
This is a malicious package. You may want to install sidekiq.
The gem is vulnerable to XPath injection on xml_security.rb. The lack of prepared statements allows for command injection, leading to arbitrary code execution.
REST Client for Ruby contains a flaw that is due to the application logging password information in plaintext. This may allow a local attacker to gain access to password information.
XSS via job arguments display class in Sidekiq::Web (web/views/queue.erb).
The package refile contains a flaw that is triggered when input is not sanitized when handling the remote_image_url field in a form, where image is the name of the attachment. This may allow a remote attacker to execute arbitrary shell commands.
User authentication bypass.
The default configuration in this package binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
semver is vulnerable to regular expression denial of service when extremely long version strings are parsed.
The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: getPort(), isSecure(), getHost() and getClientIps().
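The trusted-proxy rule described above, as an added example that is not Symfony's Request implementation: a client-IP resolver that believes forwarded headers whenever any trusted proxy is configured, next to one that only honours them when the TCP peer itself is a trusted proxy and then walks the X-Forwarded-For chain from the right. The addresses and the trusted proxy list are constructed sample values.

```javascript
// Added example, not Symfony's Request code. Assumed: remoteAddr is the TCP
// peer address the web server saw; the header values are raw strings.
function hops(headerValue) {
  return (headerValue || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// VULNERABLE: once any trusted proxy is configured, the forwarded headers are
// believed even when the connection did not come through a trusted proxy.
function clientIpVulnerable(remoteAddr, xForwardedFor, trustedProxies) {
  if (trustedProxies.length > 0 && xForwardedFor) return hops(xForwardedFor)[0];
  return remoteAddr;
}

// FIXED: headers count only if the peer itself is a trusted proxy, and the
// client is the right-most address that is not one of our proxies (the
// left-most entries are whatever the client chose to send).
function clientIpFixed(remoteAddr, xForwardedFor, trustedProxies) {
  const trusted = new Set(trustedProxies);
  if (!trusted.has(remoteAddr)) return remoteAddr;
  const chain = [...hops(xForwardedFor), remoteAddr];
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trusted.has(chain[i])) return chain[i];
  }
  return chain[0];   // every hop is ours: fall back to the left-most entry
}

// Same rule for the scheme: X-Forwarded-Proto is only meaningful from a trusted peer.
function isSecureFixed(remoteAddr, xForwardedProto, tlsOnSocket, trustedProxies) {
  if (!new Set(trustedProxies).has(remoteAddr)) return tlsOnSocket;
  const proto = hops(xForwardedProto)[0];
  return proto ? proto.toLowerCase() === 'https' : tlsOnSocket;
}
```

The same peer check applies to getHost() and getPort(): a Host or X-Forwarded-Port value is only trusted when the connection arrived from a proxy in the list.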
Critical vulnerabilities in JSON Web Token libraries.
Since algorithm isn't enforced in jwt.decode(), a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.
It is possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to bypass verification when "a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)". It is also possible for an attacker to create his own signed token with any payload he wants and have it considered valid using the "none" algorithm.
It is possible for an attacker to bypass verification when "a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker sends a token digitally signed with a symmetric algorithm (HS* family)".
Remote attackers can conduct PHP object injection attacks and execute arbitrary PHP code via crafted session data.
It has been discovered that TYPO3 Neos is vulnerable to Privilege Escalation. Logged in editors could access, create and modify content nodes that exist in the workspace of other editors.
Privilege Escalation in TYPO3 Neos.
XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes in this package allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
XML external entity (XXE) vulnerability in the SVG to PNG and JPG conversion classes in Apache Batik allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
IE requests not properly behaving with rewritehashlinks.
XSS In rewritten hash links.
XSS in Director::force_redirect().
SiteTree Creation Permission Vulnerability in silverstripe.
File and directory names are not escaped in HTML output. If remote users can influence file or directory names, this can trigger a persistent XSS attack.
The kex_agree_methods function in libssh2 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.
The Java SockJS client in this package generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.
Critical vulnerabilities in JSON Web Token libraries.
This package allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a <x:parse> or <x:transform> JSTL XML tag.
Apache Standard Taglibs allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
A vulnerability in the API can allow an attacker to commit CSRF gaining access to private information.
The dns-sync library for node.js allows resolving hostnames in a synchronous fashion. dns-sync is vulnerable to arbitrary command execution via maliciously formed hostnames. This is caused by the hostname being passed through a shell as part of a command execution.
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
XSS injection in backoffice.
Multiple cross-site scripting (XSS) vulnerabilities in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allow remote attackers to inject arbitrary web script or HTML via the (1) profile parameter to web/magmi.php or (2) QUERY_STRING to web/magmi_import_run.php.
This package contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.
Passenger Gem for Ruby contains a flaw as the program creates the server instance directory insecurely. It is possible for a local attacker to use a symlink attack against the directory to cause the program to unexpectedly overwrite an arbitrary file.
Attackers able to impersonate users.
Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via a crafted URL.
There's a flaw: HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to create administrative users.
The execute function in the xaviershay-dm-rail package exposes user credentials to the process table in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in this package uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
Race condition in this package allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
Race condition in JBoss Weld Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
XSS In FormAction.
History XSS Vulnerability in silverstripe.
VirtualPage XSS in silverstripe.
XSS In GridField print.
TreeDropdownField and TreeMultiSelectField XSS.
The program stores sensitive information in production logs. This may allow a local attacker to gain access to sensitive information.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
The gem contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine.
Marked is vulnerable to content injection even when sanitize: true is enabled: [xss link](vbscript:alert(1)) is rendered as the link <a href="vbscript:alert(1)">xss link</a>. This script does not work in IE edge mode, but works in IE compatibility view.
SQL Injection is possible in an application using the npm module sequelize if untrusted user input is passed into the order parameter. Example: Test.findAndCountAll({ where: { id :1 }, order : [['id', 'UNTRUSTED USER INPUT']] })
Incomplete block list vulnerability in marked for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Marked is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed.
Because the /topic command in messages is unescaped, attackers have the ability to inject HTML scripts that will run in the victim's browser.
Due to the use of child_process.exec when executing git commands, ungit allows commands to be injected from user input fields that end up in an executed git command.
This package allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
When using serve-static middleware and it is configured to mount at the root, it creates an open redirect on the site. For example, if a user visits http://example.com//www.google.com/%2e%2e they will be redirected to www.google.com.
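The serve-static redirect above, as an added example that is not serve-static's code: the directory-redirect construction that produces a protocol-relative Location, the leading-slash collapse that fixes it, and a general same-origin check for user-supplied return URLs of the kind the "Forced Redirect to External Website" and Security?ReturnURL entries earlier on this page concern. The site origin http://example.com is an assumption.

```javascript
// Added example, not serve-static's code. Assumed: the site is served at
// siteOrigin, and the middleware redirects "/dir" to "/dir/".
const siteOrigin = 'http://example.com';

// VULNERABLE: the redirect target is the request path with "/" appended.
// For "//www.google.com/%2e%2e" that yields "//www.google.com/%2e%2e/", a
// protocol-relative URL whose "%2e%2e" segment the browser normalises away.
function directoryRedirectVulnerable(requestPath) {
  return requestPath + '/';
}

// FIXED: collapse any run of leading slashes to one before building the Location.
function directoryRedirectFixed(requestPath) {
  return requestPath.replace(/^\/+/, '/') + '/';
}

// Where a browser on the site actually ends up for a given Location value.
function browserFollows(location) {
  return new URL(location, siteOrigin + '/').href;
}

// General check for user-supplied "return to" URLs (login redirects and the
// like): resolve against the site and accept only same-origin targets,
// returning a path so protocol-relative and backslash tricks cannot survive.
function safeReturnUrl(input) {
  let u;
  try { u = new URL(input, siteOrigin + '/'); } catch (e) { return '/'; }
  if (u.origin !== siteOrigin) return '/';
  return u.pathname + u.search + u.hash;
}
```

Comparing the resolved origin, rather than testing whether the string "starts with /", is what catches "//host", "/\host" and absolute URLs in one place.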
Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service.
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
XSS vulnerability in login redirect param.
wx.tools.img2py creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against an unspecified file to cause the program to unexpectedly overwrite an arbitrary file.
Cross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Commons ZfcUser allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.
Session validation vulnerability.
Heap-based buffer overflow in the png_combine_row function in libpng, when running on systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.
RedCloth Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input when parsing textile links before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Cross-site request forgery (CSRF) vulnerability in doorkeeper allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.
Header injection in NativeMailerHandler.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation.
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.
An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Fixed versions of the gem depend on fixed versions of libgit2.
Docker does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) docker load operation or (2) registry communications.
Docker allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.
The inert directory handler always allows files in hidden directories to be served, even when showHidden is false.
Browserify has a security vulnerability where a malicious file can be executed when browserified.
Possible link spoofing on the homepage when anchors are used.
This package uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
Possible cache poisining on the homepage when anchors are used.
squelize-restful can crash when called on a crafted URL.
paypal-ipn uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. "With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production." See provided link.
Directory traversal vulnerability in this package when running on Windows, allows remote attackers to read arbitrary files via a .. in a resource URI.
DocumentProvider in this package does not configure the external-general-entities or external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: config.serve_static_assets = true
An attacker can provide input such as ../ to read files outside of the served directory.
Versions less than of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory.
MAGMI (MAGento Mass Importer) suffers from File inclusion vulnerability (RFI) which allows an attacker to upload essentially any PHP file (without any sanity checks). This PHP file could then be used to skim credit card data, rewrite files, run remote commands, delete files, etc. Essentially, this gives attacker ability to execute remote commands on the vulnerable server.
Certain input when passed into remarkable will bypass the bad protocol check that disallows the javascript: scheme, allowing javascript: URLs to be injected into the rendered content.
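The marked entries (vbscript: link, incomplete block list) and the remarkable entry above all fail the same way: the link target is checked before it is normalised, or against a list of bad schemes rather than a list of allowed ones. Added example, not code from marked or remarkable: a blocklist check of that kind beside a sanitizer that decodes entities, strips the characters a browser's URL parser ignores, and then allowlists the scheme. The allowed scheme set is an assumption.

```javascript
// Added example, not marked's or remarkable's code.
const NAMED = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

function fromCode(cp) { return cp > 0x10ffff ? '' : String.fromCodePoint(cp); }

function decodeEntitiesOnce(s) {
  return s
    .replace(/&#x([0-9a-f]{1,6});?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d{1,7});?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (m, n) => (n.toLowerCase() in NAMED ? NAMED[n.toLowerCase()] : m));
}

// Decode until stable, then drop what the browser's URL parser drops:
// tab/CR/LF anywhere, leading and trailing whitespace.
function normalise(href) {
  let s = String(href), prev;
  do { prev = s; s = decodeEntitiesOnce(s); } while (s !== prev);
  return s.replace(/[\t\n\r]/g, '').trim();
}

const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// VULNERABLE: a blocklist on the raw string. Bypassed by a leading space, a
// tab inside the scheme, an entity-encoded letter, or simply another scheme.
function hrefVulnerable(href) {
  return /^javascript:/i.test(href) ? null : href;
}

// FIXED: normalise, refuse leftover control characters, allowlist the scheme.
function hrefFixed(href) {
  const s = normalise(href);
  if (/[\u0000-\u001f\u007f]/.test(s)) return null;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return s;                                 // relative URL: no scheme to abuse
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? s : null;
}
```

The allowlist is the important half: every encoding trick has to produce a string whose scheme is http, https or mailto after the same normalisation the browser applies, so there is no second list to keep complete.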
The validator module is vulnerable to Regular Expression Denial of Service (ReDoS) in the isURL method.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside an application's root directory. The files will not be served, but attackers can determine whether the file exists.
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether the file exists. This only impacts Rails applications that enable static file serving at runtime. For example, the application's production configuration will say: config.serve_static_assets = true
parser.c in libxml2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.
Script language="php" HTML tags are interpreted even in secure mode. This may allow a remote attacker to bypass secure mode's intended restrictions and execute arbitrary PHP code.
Any Gemfile with multiple top-level source lines cannot reliably control the gem server that a particular gem is fetched from. As a result, Bundler might install the wrong gem if more than one source provides a gem with the same name. This is especially possible in the case of Github's legacy gem server, hosted at gems.github.com. An attacker might create a malicious gem on Rubygems.org with the same name as …
This package when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
When using TransportBinding, wss4j does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
The SamlHeaderInHandler in this package allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.
Certificates.java in Not Yet Commons SSL does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Denial of Service in OpenID System Extension.
The (1) Zend_Ldap class in Zend and (2) Zend\Ldap component in Zend allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
Arbitrary Shell Execution in Swiftmailer library.
Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against an LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password.
A flaw in the iptype() function is triggered when handling octal encoding. This may allow a remote attacker to bypass the IP exclusion feature.
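The octal-encoding bypass above, as an added example that is not code from the package concerned: an IPv4 parser with the permissive rules of inet_aton(3) (octal, hex, fewer than four parts), a strict dotted-decimal parser, and an exclusion check done on the raw string beside one done on the canonical address. The exclusion list and sample addresses are constructed.

```javascript
// Added example, not code from the package in the advisory. Assumed: the
// exclusion list holds canonical dotted-decimal strings.
function parseIPv4Lenient(s) {
  // Mirrors inet_aton(3) rules: 1 to 4 parts, each decimal, 0-prefixed octal
  // or 0x-prefixed hex; the last part fills all remaining bytes.
  const parts = s.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map((p) => {
    if (/^0x[0-9a-f]+$/i.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]*$/.test(p)) return parseInt(p, 8);
    if (/^[1-9][0-9]*$/.test(p)) return parseInt(p, 10);
    return NaN;
  });
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  const lastMax = 2 ** (8 * (4 - nums.length));
  if (nums.some((n) => n > 255) || last >= lastMax) return null;
  let v = 0;
  for (const n of nums) v = v * 256 + n;
  v = v * lastMax + last;
  return [v >>> 24, (v >>> 16) & 255, (v >>> 8) & 255, v & 255].join('.');
}

// Strict: exactly four decimal octets, no leading zeros, each 0..255.
function parseIPv4Strict(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1);
  for (const o of octets) {
    if (o.length > 1 && o[0] === '0') return null;
    if (Number(o) > 255) return null;
  }
  return octets.map(Number).join('.');
}

// VULNERABLE: string compare. "0177.0.0.1" is not in the list, yet the
// socket layer will connect to 127.0.0.1.
function isExcludedVulnerable(target, exclusions) {
  return exclusions.includes(target);
}

// FIXED: canonicalise with the same rules the resolver applies, and treat any
// IPv4 literal that is not plain dotted decimal as excluded as well.
function isExcludedFixed(target, exclusions) {
  const canonical = parseIPv4Lenient(target);
  if (canonical === null) return false;           // not an IPv4 literal at all
  return exclusions.includes(canonical) || parseIPv4Strict(target) === null;
}
```

Whatever parses the address for the exclusion check must agree with whatever parses it for the connection; when they cannot be the same function, refusing every non-canonical spelling at the boundary is the safe choice.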
Cross-site scripting (XSS) vulnerability in System.Web.Mvc.dll in Microsoft ASP.NET Model View Controller (MVC) allows remote attackers to inject arbitrary web script or HTML via a crafted web page, aka "MVC XSS Vulnerability."
Cross-site scripting (XSS) vulnerability in the CORS functionality in this package allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A vulnerability allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval.
This is a malicious package. You may want to install sidekiq.
This package allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
Web Console Gem contains an unspecified flaw. The impact of this security issue is unknown.
A flaw in Active Job that can allow string arguments to be deserialized as if they were Global IDs. This may allow a remote attacker to inject arbitrary objects.
As Gem for Ruby contains a flaw that is due to the program displaying credential information in plaintext in the process list. This may allow a local attacker to gain access to credential information.
SQL injection vector when manually quoting values for sqlsrv extension, using null byte.
This package is vulnerable to Cross-Site Scripting (XSS) attacks.
Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability. When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary javascript to be executed on all Fat Free CRM pages. This code would be executed for all logged-in users.
When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, static(__dirname + '/public') would allow access to __dirname + '/public-restricted'.
The gem contains a flaw in helper method dispatch where it uses Kernel::send to call helpers without checking that they are defined within the template context first. This allows expressions such as {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
Entropy is lost in the TokenGenerator.
The OPC SAX setup in this package allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
This package allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Denial of service with a malicious HTTP Host header.
Direct access of ESI URLs behind a trusted proxy.
Security issue when parsing the Authorization header.
Direct access of ESI URLs behind a trusted proxy.
CSRF vulnerability in the Web Profiler.
The getCN function in Apache Axis does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field.
The gem contains a flaw in Uploading & Processing that is due to the gem failing to restrict arbitrary commands passed to ImageMagick's convert. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.
There is a flaw that is triggered when handling zero-length block headers. This may allow a remote attacker to crash the program.
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameter protection.
RESTEasy does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
XML Quadratic Blowup vulnerability.
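The libxml2 nested-entity entry earlier on this page, the OOXML entity-expansion entry and the quadratic blowup entry above are the two shapes of the same attack: exponential nesting ("billion laughs") and one large entity referenced many times. Added example, not code from libxml2, REXML or any XML library: a budgeted estimator that reads the internal DTD subset, computes how long each entity would expand to without ever building the text, and stops at a byte budget. The three documents are constructed samples.

```javascript
// Added example, not libxml2 or REXML code: a budgeted estimator for internal
// DTD entity expansion. It never builds the expanded text; it only computes
// how long it would be, and stops as soon as a budget is exceeded.
const PREDEFINED = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;

function parseEntities(xml) {
  const entities = new Map();
  for (const m of xml.matchAll(ENTITY_DECL)) entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  return entities;
}

// Expanded length of `text`, resolving references through `entities`.
// `memo` makes each entity's size a single computation, so a billion-laughs
// document costs work proportional to the number of entities, not 10^9.
function expandedLength(text, entities, budget, memo, stack) {
  let size = 0, last = 0;
  for (const r of text.matchAll(ENTITY_REF)) {
    size += r.index - last;
    last = r.index + r[0].length;
    size += entitySize(r[1], entities, budget, memo, stack);
    if (size > budget) throw new Error('entity expansion exceeds budget of ' + budget);
  }
  return size + (text.length - last);
}

function entitySize(name, entities, budget, memo, stack) {
  if (PREDEFINED.has(name)) return 1;
  if (!entities.has(name)) return name.length + 2;       // undeclared: left as "&name;"
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error('recursive entity ' + name);  // illegal in XML anyway
  stack.add(name);
  const size = expandedLength(entities.get(name), entities, budget, memo, stack);
  stack.delete(name);
  memo.set(name, size);
  return size;
}

// Returns { ok: true, size } or { ok: false, reason } for the document body
// (everything after the internal DTD subset).
function checkExpansion(xml, budget = 1000000) {
  const entities = parseEntities(xml);
  const dtdEnd = xml.indexOf(']>');
  const body = dtdEnd >= 0 ? xml.slice(dtdEnd + 2) : xml;
  try {
    return { ok: true, size: expandedLength(body, entities, budget, new Map(), new Set()) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed samples.
function billionLaughs() {
  let dtd = '<!ENTITY lol "lol">\n';
  for (let i = 1; i <= 9; i++) {
    const prev = i === 1 ? 'lol' : 'lol' + (i - 1);
    dtd += '<!ENTITY lol' + i + ' "' + ('&' + prev + ';').repeat(10) + '">\n';
  }
  return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + dtd + ']>\n<lolz>&lol9;</lolz>';
}
function quadraticBlowup() {
  return '<?xml version="1.0"?>\n<!DOCTYPE kaboom [\n<!ENTITY a "' + 'a'.repeat(50000) + '">\n]>\n' +
    '<kaboom>' + '&a;'.repeat(1000) + '</kaboom>';
}
const benign = '<?xml version="1.0"?>\n<!DOCTYPE doc [\n<!ENTITY company "Example Corp">\n]>\n' +
  '<doc>&company; &amp; &company;</doc>';
```

Real parsers enforce the same idea as a ratio or absolute cap on expanded size; the point of the memo is that the check itself must not be exponential, or it becomes the denial of service.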
qs is affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.
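The qs entry above, as an added example that is not qs's code: a bracket-notation query-string parser that stops descending after a fixed depth and keeps the remainder of the key as one literal key, plus a pair limit. It also refuses __proto__ and similar keys, which goes beyond the denial-of-service point of the entry. The default depth of 5 and pair limit of 1000 are assumptions.

```javascript
// Added example, not qs's code: a bracket-notation query parser with a
// nesting limit, and a helper to measure the nesting of what it returns.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]; after `depth` bracket groups the remainder is
// kept as one literal key instead of being descended into.
function splitKey(key, depth) {
  const open = key.indexOf('[');
  if (open < 0) return [key];
  const segments = [key.slice(0, open)];
  let i = open;
  while (i < key.length && key[i] === '[' && segments.length <= depth) {
    const close = key.indexOf(']', i);
    if (close < 0) break;
    segments.push(key.slice(i + 1, close));
    i = close + 1;
  }
  if (i < key.length) segments.push(key.slice(i));
  return segments;
}

function assign(target, segments, value) {
  let cur = target;
  for (let k = 0; k < segments.length - 1; k++) {
    const s = segments[k];
    if (FORBIDDEN.has(s)) return;                 // prototype-pollution guard
    if (!Object.prototype.hasOwnProperty.call(cur, s) || typeof cur[s] !== 'object') cur[s] = {};
    cur = cur[s];
  }
  const last = segments[segments.length - 1];
  if (!FORBIDDEN.has(last)) cur[last] = value;
}

function parseQuery(query, { depth = 5, maxPairs = 1000 } = {}) {
  const out = {};
  const pairs = query.replace(/^\?/, '').split('&').filter(Boolean);
  for (const pair of pairs.slice(0, maxPairs)) {
    const eq = pair.indexOf('=');
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const rawVal = eq < 0 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const value = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    assign(out, splitKey(key, depth), value);
  }
  return out;
}

// Number of nested objects along the deepest path (a plain string is 0).
function nestingDepth(v) {
  if (typeof v !== 'object' || v === null) return 0;
  let deepest = 0;
  for (const k of Object.keys(v)) deepest = Math.max(deepest, nestingDepth(v[k]));
  return 1 + deepest;
}
```

The limit is applied while splitting the key, before any object is allocated, so a key with thousands of bracket groups costs one string slice rather than thousands of nested objects and a recursion per level.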
See links attached for details
When CORS is enabled on a hapi route handler, it is possible to set a crumb token for a different domain. An attacker would need to have an application consumer visit a site they control, request a route supporting CORS, and then retrieve the token. With this token, they could possibly make requests to non CORS routes as this user. A configuration and scenario where this would occur is unlikely, …
This package is vulnerable to Cross-Site Scripting (XSS) attacks due to not escaping HTML tags.
The SslHandler in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Fixed potential path traversal attack and remote code injection.
Code injection in the way Symfony implements translation caching in FrameworkBundle.
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
jmx-remoting.sar in JBoss Remoting does not properly implement the JSR specification, which allows remote attackers to execute arbitrary code via unspecified vectors.
This package does not perform appropriate encoding when a <h:outputText> tag or EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
This package does not perform appropriate encoding when a <h:outputText> tag or EL expression is used after a script or style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
When a (1) <h:outputText> tag or (2) EL expression is used after a script or style block, attackers could conduct cross-site scripting (XSS) attacks via application-specific vectors.
sanitize-html will merge an incomplete attribute like SRC= with the next attribute. While the result is not valid HTML it may be misinterpreted by the browser.
Code injection in the way Symfony implements translation caching in FrameworkBundle.
Docker uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.
The package lz4-ruby is vulnerable to an integer overflow attack. When certain payloads are processed, a pointer to an output buffer can be set to an address outside the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable Remote Code Execution exploit. 32-bit variants of the package are critically affected. 64-bit variants are deemed infeasible to exploit.
This package contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the /lib/brbackup.rb script not properly sanitizing user-supplied input to the 'name' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
This package contains a flaw that is triggered as input passed via the 'dbuser' variable is not properly sanitized. This may allow a remote attacker to inject shell metacharacters and execute arbitrary commands.
Someone created an alphanumeric-only SWF converter, which means that they can in theory use it as a callback at a JSONP endpoint and, as a result, send data across domains. Prepending callbacks with an empty inline comment breaks the Flash parser and prevents the issue. This is a fairly common solution currently being implemented by Google, Facebook, and GitHub.
SQLi vulnerability in activerecord.
SQLi vulnerability in activerecord.
An integer overflow can occur when processing any variant of a "literal run". When certain payloads are processed, a pointer to an output buffer can be set to an address outside the output buffer. Since the attacker can specify exact offsets in memory, it is very easy to create a reliable Remote Code Execution exploit.
If it is used in the context of a RoR application, since the user input isn't properly sanitized, the method decrypt in /lib/backup/cli/utility.rb is vulnerable to command injection.
org.jboss.seam.web.AuthenticationFilter in JBoss allows remote attackers to execute arbitrary code via a crafted authentication header, related to Seam logging.
The CDetailView widget in Yii PHP Framework allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property.
The library does not properly escape attribute values making XSS exploits possible.
The library does not properly escape attribute values making XSS exploits possible.
The file in /lib/karo/db.rb passes unsanitized user supplied input to the command line. This may allow a remote attacker to execute arbitrary commands.
The file /lib/kompanee-recipes/heroku.rb does not properly escape user controlled input for the 'password', 'user', 'deploy_name', and 'application' variables. A remote attacker, by passing shell metacharacters, may be able to execute arbitrary commands.
The file /lib/cmd_parse.rb contains a flaw that is triggered when handling shell metacharacters passed via the 'ip' variable. This may allow a remote attacker to inject arbitrary commands.
There is a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
This package allows remote attackers to read arbitrary files via a .. in the ln parameter to faces/javax.faces.resource/web.xml or the PATH_INFO to faces/javax.faces.resource/.
Yar uses an encrypted cookie for session support which can crash the process if it contains an invalid value.
Sendmail transport arbitrary shell execution.
The default configuration for the Xerces SAX Parser in this package allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
The default configuration for the Xerces SAX Parser in this package allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.
Potential SQL injection in the ORDER implementation of Zend_Db_Select.
Unfortunately there is a security vulnerability in Dragonfly when used with Rails which would potentially allow an attacker to run arbitrary code on a host machine using carefully crafted requests.
The Dragonfly gem for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.
SabreDAV allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
getID3() allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
The query caching functionality in the Extbase Framework does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors.
TYPO3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to Host Spoofing.
The Authentication component in TYPO3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.
Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.
The Yaml::parse function in Symfony allows remote attackers to execute arbitrary PHP code via a PHP file.
Symfony allows remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function.
Symfony allows remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function.
The Yaml::parse function in Symfony allows remote attackers to execute arbitrary PHP code via a PHP file.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in screen_capture.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in lingq.
Since the /tmp directory is readable by everybody on Unix, and since the patch name could be public or easy to guess, an attacker could create a symlink to a file writable by the user running hub, which would be replaced by the patch.
A malicious email attachment with a file name consisting of shell metacharacters could inject commands into the shell. If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.
The ExtJS JavaScript framework that is shipped with TYPO3 is susceptible to XSS.
This package is vulnerable to Man-in-the-middle (MitM) attacks due to downloading gems over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.
Risk of mass-assignment vulnerabilities.
Risk of mass-assignment vulnerabilities in laravel framework.
pyxtrlock uses an incorrect variable name, which allows physically proximate attackers to bypass the lock screen via multiple failed authentication attempts, which trigger a crash.
pyxtrlock does not properly check the return values of the (1) xcb_grab_pointer and (2) xcb_grab_keyboard XCB library functions, which allows physically proximate attackers to gain access to the keyboard or mouse without unlocking the screen via unspecified vectors.
See CVE-2013-4489 advisory for GitLab: Remote code execution vulnerability in the code search feature http://seclists.org/oss-sec/2013/q4/224
A file descriptor leak that, when triggered repeatedly, causes the server to run out of file descriptors and the node process to die. The effort required to take down a server depends on the process file descriptor limit. No other side effects or exploits have been identified.
The tomato API uses an access key to protect the admin API from unauthorized access. The key passed as a parameter is checked with an inclusion (substring) test against the configured value rather than an equality test. As a result, a single character contained in the key is sufficient to gain access to the admin API.
The Identity v3 API in OpenStack Dashboard (Horizon) does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
Incomplete denylist in the lxml.html.clean module in lxml allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.
A local file inclusion is possible by specifying full path to any desired file in the Kickstart value in Cobbler's WebUI.
The package omniauth-facebook is vulnerable to CSRF.
It is vulnerable to XML External Entity Processing attack.
Unescaped user supplied input is passed to the command line for shell execution in lib/dragonfly/imagemagickutils.rb.
lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors.
It is vulnerable to a Billion laughs attack.
Kafo, as used by Foreman, uses world-readable permissions for default_values.yaml, which allows local users to obtain passwords and other sensitive information by reading the file.
tag.py in eyeD3 (aka python-eyed3) allows local users to modify arbitrary files via a symlink attack on a temporary file.
CookieInterceptor in this package, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the RoR application server.
Multiple integer overflows in libpng rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.
Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.
This package is vulnerable to Arbitrary Code Execution. The current directory '.' is on the load path for Ruby. If users create Ruby source files with names that correspond to those that hiera tries to load, those files may be loaded and executed.
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat JBoss allow remote attackers to inject arbitrary web script or HTML via a (1) parameter or (2) id name.
Unsanitized input is passed to the shell. A malicious user can inject shell commands by sending shell metacharacters like ';' in some variables.
This package contains a flaw that is triggered when handling a root element in an XML document. This may allow a remote attacker to cause a consumption of memory resources.
Apache Commons BeanUtils does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts.
This package does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts.
This package does not properly restrict access to the getClass method, which allows remote attackers to manipulate the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Forms secured by SecurityComponent could be submitted to any action without triggering SecurityComponent's tampering protection.
This package contains a flaw that is due to the API client code passing the API_KEY to a curl command. This may allow a local attacker to gain access to API key information by monitoring the process table.
CookieInterceptor in this package, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
An arbitrary file read vulnerability is present on dompdf.php file that allows remote or local attackers to read local files using a special crafted argument. This vulnerability requires the configuration flag DOMPDF_ENABLE_PHP to be enabled (which is disabled by default). Using PHP protocol and wrappers it is possible to bypass the dompdf's "chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing system files or other files on the webserver. Please note …
Authentication adapter did not verify validity of tokens.
An attacker can Import Java classes to circumvent the security protections and execute arbitrary code outside the sandboxed environment.
There is a flaw in the json() function in bottle.py. The issue is due to the program using insufficient restrictions when parsing JSON content-types. This may allow a remote attacker to bypass access restrictions.
The gem contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
npm allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.
A malicious user who creates /tmp/browser.html first and repeatedly writes to it can inject malicious HTML into the file right before it is about to be opened.
This package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
The rbovirt gem uses rest-client with SSL verification disabled. Any products making use of this gem are likely vulnerable to MITM attacks.
Hijacked authentication cookies vulnerability in auth.
Hijacked authentication cookies vulnerability.
The default configuration of the Resources plugin does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.
The default configuration of the Resources plugin does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.
Sauce Connect is vulnerable to the Heartbleed bug (CVE-2014-0160). A new version has been released to fix the bug. The package sauce-connect-launcher (up to included) downloads a vulnerable version of Sauce Connect.
There's a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Insufficient input validation allows for code injection and remote execution.
This package is vulnerable to Information Exposure. When an exception message occurs, it contains the full path of the project directory.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in jruby-sandbox.
MultipartStream.java in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
MultipartStream.java in this package allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
The doFilter function in webapp/PushHandlerFilter.java in this package allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a large number of malformed atmosphere push requests.
Awesome spawn contains an OS command injection vulnerability, which allows execution of additional commands passed to Awesome spawn as arguments. If untrusted input is included in command arguments, an attacker could use this flaw to execute arbitrary commands.
The gem contains a flaw that enables a reflected cross-site scripting (XSS) attack. This flaw exists because the bootstrap_flash helper method does not validate input when handling flash messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Some adapters (i.e. jruby-rack) will pass through bad URIs, then display the resulting exception. This creates an attack vector for XSS attacks.
As stated on "The NPM Blog", "it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files." The NPM registry relies on st, meaning that all the versions of all the npms published prior …
The XSLT component in this package allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
The XSLT component in this package allows remote attackers to execute arbitrary Java methods via a crafted message.
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in this package allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
The HTMLBrowser plugin does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a backslash character.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Display Name field in the Manage Profile.
Open redirect vulnerability in DotNetNuke (DNN) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
A vulnerability has been reported allowing an attacker to read arbitrary files on a system. Specially crafted URL strings can be used to access unintended files via an escaped slash character %2e.
The ParametersInterceptor in this package allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method.
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the {{link-to}} helper means that any user-supplied data bound to the {{link-to}} helper's title attribute will not be escaped correctly. In applications that use the {{link-to}} helper in non-block form and bind the title attribute to user-supplied content, a specially-crafted payload could …
The png_push_read_chunk function in pngpread.c in the progressive decoder in libpng allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an IDAT chunk with a length of zero.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse.
Potential XSS vector in multiple view helpers.
Potential XSS vector in multiple view helpers.
Potential XSS vector in multiple view helpers.
Potential XSS vector in multiple view helpers.
There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails. These helpers allow users to nicely format a numeric value. Some helper parameters (format, negative_format and units) are not escaped correctly. Applications which pass user controlled data as one of these parameters are vulnerable to an XSS attack. All users passing user controlled data to these parameters of the number helpers should either upgrade …
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns.
Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.