Advisories

May 2017

SQL Injection

GeniXCMS has an SQL Injection in inc/lib/Control/Backend/menus.control.php that can be exploited via the menuid parameter.

Code Injection

GeniXCMS allows remote attackers to bypass the alertDanger MSG_USER_EMAIL_EXIST protection mechanism via a register.php?act=edit&id=1` request.

Apr 2017

Improper Input Validation

When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(<void/>) call.

Denial of Service

XStream, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.

Upstream libxslt vulnerabilities

The xsltAddTextString function in transform.c in libxslt, as used by nokogiri, lacks a check for integer overflow during a size calculation, which allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

Incorrect Privilege Assignment

Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL.

Incorrect Privilege Assignment

Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.

Access Bypass

Drupal allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

XXE vulnerability

Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack …

Session Fixation

Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.

Denial of Service with XXE

Files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack …

Information Exposure

When "send file" is used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Information Exposure

The refactoring of the HTTP connectors introduced a regression in the send file processing. If the file processing completed quickly, it is possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Improper Resource Shutdown or Release

The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Exposure of Resource to Wrong Sphere

Some calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

XSS Vulnerability with User-Supplied JSON

By default, Ember will escape any values in Handlebars templates that use double curlies ({{value}}). Developers can specifically opt out of this escaping behavior by passing an instance of SafeString rather than a raw string, which tells Ember that it should not escape the string because the developer has taken responsibility for escapement. It is possible for an attacker to create a specially-crafted payload that causes a non-sanitized string to …

XSS Vulnerability

Forms did not have proper html escaping. This means that if the application did not sanitize html on behalf of forms, use of forms may be vulnerable to cross site scripting

Deserialization of Untrusted Data

The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.

Information Exposure

When a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

Cross-site Scripting

The vulnerability exists due to insufficient filtration of user-supplied data (mail) passed to the SocialNetwork-andrea/app/template/pw_forgot.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Mar 2017

Improper Access Control

The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

XSS

When text/javascript responses are received from cross-origin ajax requests not containing the option dataType, the result is executed in jQuery.globalEval potentially allowing an attacker to execute arbitrary code on the origin.

Remote code execution

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your …

Cross Site Request Forgery

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Cross Site Request Forgery

Some administrative paths in Drupal does not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Access Bypass

When adding a private file via the editor in Drupal, the editor will not correctly check access for the file being attached, resulting in an access bypass.

Access Bypass

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

Cross-Site Scripting

When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not.

Cross-Site Scripting

Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser.

Invalid Curve Attack

node-jose is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

Cross-site Scripting

EpicEditor contains an XSS vulnerability because of an insecure default marked.js configuration. An example attack vector is a crafted IMG element in an HTML document.

Header Forgery

http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

Denial of service in $sanitize

Running $sanitize on bad HTML can freeze the browser. The problem occurs with clobbered data; typically the "nextSibling" property on an element is changed to one of it's child node, this makes it impossible to walk the HTML tree and leads to an infinite loop which freezes the browser.

Remote Code Execution attacks

This package is vulnerable to Java object de-serialization vulnerability. Camel allows to specify such a type through the CamelJacksonUnmarshalType property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

Remote Code Execution attacks

This package is vulnerable to Java object de-serialization vulnerability. Camel allows to specify such a type through the CamelJacksonUnmarshalType property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

Ruby Arbitrary Command Execution

The package festivaltts4r passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to the to_speech and to_mp3 methods in lib/festivaltts4r/festival4r.rb library.

Remote Code Execution Vulnerability

The gem passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to the speak, save, bytes and bytes_wav methods in the lib/espeak/speech.rb library.

Arbitrary shell execution

This release contains a fix for a security advisory related to the improper handling of shell commands. Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases A properly crafted filename or configuration option would allow for arbitrary code execution when using some features.

Feb 2017

Authentication Bypass

Due to late TCA initialization the authentication service fails to restrict frontend user according to the validation rules. Therefore it is possible to authenticate restricted (e.g. disabled) frontend users.

Directory traversal vulnerability

The Zip::File component in the rubyzip gem for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses ../ pathname substrings to write arbitrary files to the filesystem.

SQL Injection

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

SQL Injection

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

Incorrect signature verification of SAML 1 messages

An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider. This vulnerability is not to be confused with the one described and related to SAML 2 …

Improper Input Validation

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display.

Improper Input Validation

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.

Improper Input Validation

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display.

Deserialization of Untrusted Data

An issue was discovered in the node-serialize package for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Injection Vulnerability

PECL in the download utility class in the Installer in PEAR Base System does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

Jan 2017

NULL Pointer Dereference

The png_set_text_2 function in libpng allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

Cryptographic Issues

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

Denial of Service

nes has a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.

XML signature wrapping attack

The package ruby-saml is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced two elements at the same time (but past the scheme validator process since 1 of the element was inside the encrypted assertion).

Regular Expression Denial of Service

uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse(). A regular expression leading to a very long processing time can be used to make the program hang for a very long time.

Broken token revocation, wrong auth/auth method

Doorkeeper failed to implement OAuth Token Revocation (RFC ) in the following ways: Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked Requests were not properly authenticating the client credentials but were, instead, looking at the access token in a second location Because of 2, the requests were also not authorizing confidential clients' ability to revoke a given token. It should only revoke …

Code Injection

A vulnerability in includes/classes/ia allows remote attackers to conduct PHP Object Injection attacks via crafted deserialized data in a salt cookie in a login request.

Path Traversal

Directory traversal vulnerability in ecrire/exec/valider_xml.php in SPIP allows remote attackers to enumerate the files on the system via the var_url parameter in a valider_xml action.

Local File Disclosure

PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base directory is provided, it resolves to /, meaning that relative image URLs get treated as absolute local file paths and added as attachments.

Cross-Site Request Forgery (CSRF)

Web2py is affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user to perform some unwanted actions. An attacker can trick a victim to disable the installed application just by sending a URL to victim.

DoS via Unlimited Stream Insertion

An HTTP/2 implementation built using the priority library could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.

Downloads Resources over HTTP

windows-build-tools download resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

SQL Injection

SQL injection vulnerability in register.php in GeniXCMS allows remote attackers to execute arbitrary SQL commands via the activation parameter.

Downloads Resources over HTTP

openframe-ascii-image downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

selenium-standalone-painful downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

haxe-dev downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

marionette-socket-host downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

libsbmlsim downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

msystem downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

imageoptim downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

limbus-buildgen download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

soci downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

strider-sauce downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

mystem-wrapper downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

webdriver-launcher downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

fibjs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

cloudpub-redis downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

poco downloads source file resources used for compliation over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

rs-brightcove downloads source file resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

curses downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

atom-node-module-installer binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

fis-sass-all downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

grunt-images downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

webdrvr downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

/nipip-coffee downloads geolocation resources over HTTP, which leaves it vulnerable to MITM attacks. This could impact the integrity and availability of the data being used to make geolocation decisions by an application.

Downloads Resources over HTTP

headless-browser-lite downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

phantomjs-cheniu downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

alto-saxophone download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

mystem-fix downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

slimerjs-edge downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

selenium-portal downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

pk-app-wonderbox downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

fis-parser-sass-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

windows-latestchromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

windows-seleniumjar downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

scala-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

windows-selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

co-cli-installer downloads the co-cli module as part of the install process, but does so over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

jstestdriverdownloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

wixtoolset downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

xd-testing downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

httpsync downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

massif downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

healthcenter downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

windows-seleniumjar-mirror downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

macaca-chromedriver-zxa downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

node-air-sdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

resourcehacker downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

node-thulac downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

windows-iedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

nw-with-arm downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

jdf-sass downloads executable resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested file with an attacker controlled file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

npm-test-sqlite3-trunk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

herbivore download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

redis-srvr downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

google-closure-tools-latest downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

tomita-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

haxeshim downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

broccoli-closure downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

dalek-browser-ie-canary downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

chromedriver126 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

qbs downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

apk-parser2 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

libsbml downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

jvminstall downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

native-opencv downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

ntfserver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

box2d-native downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

haxe3 downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

grunt-webdriver-qunit downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

selenium-wrapper downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

arcanist downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

dwebp-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

js-given downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

scala-standalone-bin downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. This impacts the integrity and availability of this geoip data that may alter the decisions made by an application using this data.

Downloads Resources over HTTP

mystem3 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

webrtc-native downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

grunt-ccompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

haxe downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

openframe-glsviewer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

sauce-connect downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

nodeschnaps downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

dalek-browser-chrome downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

react-native-baidu-voice-synthesizer downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

dalek-browser-ie downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

clang-extra downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

pm2-kafka downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Dec 2016

Remote Code Execution (0day Patch Bypass/exploit)

The patch for CVE-2016-10033 vulnerability added in PHPMailer sanitizes the $Sender variable by applying escapeshellarg() escaping before the value is passed to mail() function. It does not however take into account the clashing of the escapeshellarg() function with internal escaping with escapeshellcmd() performed by mail() function on the 5th parameter. As a result it is possible to inject an extra quote that does not get properly escaped and break out …

Remote Code Execution

The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a crafted e-mail address.

Remote Code Execution

There's a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

Command Injection

The setFrom function in the Sendmail adapter in the zend-mail component might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a &#34; in a crafted e-mail address.

Downloads Resources over HTTP

ibapi downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

cue-sdk-node downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

prince downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

Remote code execution via Sendmail adapter

A malicious user may be able to inject arbitrary parameters to the system Sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

Downloads Resources over HTTP

Chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

macaca-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

nw downloads zipped resources over HTTP, It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

nodewebkit downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

closurecompiler downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

dalek-browser-chrome-canary downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

steroids downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested tarball with an attacker controlled tarball if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

ibm_db downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

libxl downloads zipped resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested zip file with an attacker controlled zip file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

closure-utils downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

selenium-binaries downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

wasdk downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

iedriver downloads binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

mongodb-instance downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

During the installation process, the go-ipfs-deps module insecurely downloads resources over HTTP. This allows for a MITM attack to compromise the integrity of the resources used by this module and could allow for further compromise.

Downloads Resources over HTTP

bkjs-wand downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

operadriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

fuseki downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

apk-parser3 downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

Kindlegen downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

baryton-saxophone downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

apk-parser downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

embedza downloads JavaScript resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested JavaScript file with an attacker controlled JavaScript file if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

pngcrush-installer downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

install-nw downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

product-monitor downloads JavaScript resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested JavaScript file with an attacker controlled JavaScript file if the attacker is on the network or positioned in between the user and the remote server.

Information Exposure

An issue was discovered in phpMyAdmin. A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.

Incomplete List of Disallowed Inputs

An issue was discovered in phpMyAdmin involving improper enforcement of the IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules.

Improper Input Validation

An issue was discovered in phpMyAdmin involving the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp.

Improper Input Validation

An issue was discovered in phpMyAdmin. An unauthenticated user is able to execute a denial-of-service (DoS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true.

Directory Traversal

There is a directory traversal vulnerability that allows an attacker to read files outside the current directory by sending ../ in the url path for GET requests.

Cryptographic Issues

An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies.

Code Injection

An issue was discovered in phpMyAdmin. phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations that are running with the dbase extension.

Downloads Resources over HTTP

The library downloads binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

The library downloads binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

The library downloads binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Downloads Resources over HTTP

The library downloads binary resources over HTTP, which leaves the module vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Cross-site Scripting

Cross-site scripting (XSS) vulnerability in ecrire/exec/plonger.php in SPIP allows remote attackers to inject arbitrary web script or HTML via the rac parameter.

Nov 2016

ReadOnly transformation for formfields exploitable

Form fields returning isReadonly() as true are vulnerable to reflected XSS injections. This includes ReadonlyField, LookupField, HTMLReadonlyField, as well as special purpose fields like TimeField_Readonly. Values submitted to through these form fields are not filtered out from the form session data, and might be shown to the user depending on the form behaviour. For example, form validation errors cause the form to re-render with previously submitted values by default. SilverStripe …

Unprivileged access to taxonomy terms

Modules wishing to restrict access to taxonomy terms may be incompatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. As a result, information on taxonomy terms may be disclosed to unprivileged users.

Unprivileged access to taxonomy terms

Modules wishing to restrict access to taxonomy terms may be incompatible with queries generated both by Drupal core as well as those generated by contributed modules like Entity Reference. As a result, information on taxonomy terms may be disclosed to unprivileged users.

Cross Site Scripting

Stored Cross-Site-Scripting (XSS) is possible by including code outside of backticks in any ebook. This code will be executed on the online reader.

Improper Restriction of XML External Entity Reference

libxml2, as used in XMLSec and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

PHP Object Injection Vulnerability

There's a PHP Object Injection vulnerability that can be triggered through the saveLayout() method defined into the /plugins/Dashboard/Controller.php script. Since Piwik is not using "utf8mb4" collations for its database, this can be exploited in combination with a MySQL UTF8 truncation issue in order to corrupt the session array, allowing unauthenticated attackers to inject arbitrary PHP objects into the application scope and carry out Server-Side Request Forgery (SSRF) attacks, delete arbitrary …

Arbitrary shell command execution from .gitmodules

Git allows executing arbitrary shell commands using git-remote-ext via remote URLs. Normally git never requests URLs that the user does not specifically request, so this is not a serious security concern. However, submodules did allow the remote repository to specify what URL to clone from. If an attacker can instruct a user to run a recursive clone from a repository they control, they can get a client to run an …

Oct 2016

SQL Injection

Sequelize defaults SQLite to use MySQL backslash escaping, even though SQLite uses Postgres escaping. This leads to SQL injection.

Forgeable Public/Private Tokens

"algorithm" isn't enforced in jwt.decode() and a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

Forgeable Public/Private Tokens

Since algorithm isn't enforced in jwt.decode(), a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

Remote Code Execution

There exists a Java Object in this package that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call. This may or may not work depending on an application's implementation of …

OS command injection

Parsing a file with a malicious name leads to arbitrary OS command injection, this is especially risky when parsing user-supplied files on a server (e.g. uploaded files).

Broken CORS

Sails has an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests to vulnerable hosts through cross site scripting or a malicious HTML Document, effectively bypassing the Same Origin Policy. Note that this is only an issue when allRoutes is set to true and origin is set to * …

Bypass CSP protection

Extension URIs (resource://…) bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. Now if a site already has a XSS bug, and uses CSP to protect itself, but the user has an extension installed that uses Angular, an attacked can load Angular from the extension, and Angular's auto-bootstrapping can be used to bypass the victim site's CSP protection.

XSS in autoescape mode

Nunjucks has a cross site scripting (XSS) vulnerability in autoescape mode: all template vars should automatically be escaped. By using an array for the keys, it is possible to bypass autoescaping and inject content into the DOM.

Denial of Service

By sending a Mb websocket message to a uws server instance, it is possible to crash the node process by exceeding V8's maximum string size.

Cross Site Scripting

If an attacker can trick an unsuspecting user into viewing a specially crafted plot on a site that uses plotly.js, then the attacker could potentially retrieve authentication tokens and perform actions on behalf of the user.

Arbitrary Code Injection

An arbitrary code injection vector was found via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.

Arbitrary Code Injection

Arbitrary code execution is possible through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on the server and user input is passed to the calc function.

SQL Injection

The qstr method in the PDO driver in the ADOdb Library for PHP might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting.

Sep 2016

libxml2 vulnerabilities

Nokogiri is affected via its dependency libxml2. CVE-2016-4448: Format string vulnerability in libxml2 allows attackers to have unspecified impact via format string specifiers in unknown vectors. CVE-2016-4658: libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. CVE-2016-5131: libxml2 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the …

Cross-Site Scripting

Failing to properly encode user input, the page module is vulnerable to Cross-Site Scripting. A valid backend user account with permissions to edit plugins is needed to exploit this vulnerability.

Cache Flooding in Frontend

Links with a valid cHash argument lead to newly generated page cache entries. Because the cHash is not bound to a specific page, attackers could use valid cHash arguments for multiple pages, leading to additional useless page cache entries. Depending on the number of pages in the system and the number of available valid links with a cHash, attackers could add a considerable amount of additional cache entries, which in …

Information Exposure

The Views module in Drupal and the Views module might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

Information Exposure

The Views module in Drupal and the Views module might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

Improper Access Control

The Rails gem does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request.

Arbitrary password resets via NULL reset codes

There's a flaw in the DB schema where reset_password_code is NULL by default. If an attacker is able to provide a NULL reset code to the package, there are no guards against arbitrary anonymous password resets. In many cases, submitting a url-encoded null byte value (%00) will match what's in the database, passing the check and allowing the attacker to set the password to what they wish.

Aug 2016

XSS via tooltips

c3 contain a cross site scripting (XSS) vulnerability through improper html sanitization on rendered tooltips.

VersionedRequestFilter vulnerability

A cross-site scripting vulnerability in VersionedRequestFilter has been found. If an incoming user request should not be able to access the requested stage, an error message is created for display on the CMS login page that they are redirected to. In this error message, the URL of the requested page is interpolated into the error message without being escaped; hence, arbitrary HTML can be injected into the CMS login page.

Missing ACL on reports

The SS_Report, and the reports CMS section only checks canView() when listing the reports that can be viewed by the current user. It does not (and should) perform canView checks when the report is actually viewed, so if you know the URL to a report and can otherwise access the Reports section of the CMS, you can view any report.

Member.Name isn't escaped

The core template framework/templates/Includes/GridField_print.ss uses "Printed by $Member.Name". If the currently logged in members first name or surname contain XSS, this prints the raw HTML out, because Member->getName() just returns the raw FirstName + Surname as a string, which is injected directly.

ChangePasswordForm doesn't check Member::canLogIn()

After performing a password reset, ChangePasswordForm::doChangePassword() logs in the user without checking Member::canLogIn(). This presents an issue for sites that are using the extension point in that method to deny access to users (for example members that have not been “approved”, or members that have had their access revoked temporarily). It looks like Member::canLogIn() was originally designed to only be used for checking whether the user is locked out (due …

Jul 2016

Cross-site Scripting

Cross-site scripting (XSS) vulnerability in Apache Archiva allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter to admin/addProxyConnector_commit.action.

Forgeable Public/Private Tokens

Since "algorithm" isn't enforced in jws.verify(), a malicious user could choose what algorithm is sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

XSS in primary functions

Primary functions of emojione do not properly sanitize input and are thus vulnerable to cross site scripting (XSS). If you application passes user supplied input to these functions, it may be vulnerable to this attack.

XSS in Pillbox

There exists a cross site scripting (XSS) vulnerability in the Pillbox feature of FuelUX. By supplying a script as a value for a new pillbox, it is possible to cause arbitrary script execution.

XSS in drag and drop node

Cross site scripting vulnerability in the drag and drop functionality for modifying tree data. A node that contains a standard XSS vector will have its payload execute when a user attempts to drag a node to a different position in the hierarchy.

Use After Free

Use-after-free vulnerability in libxml2, as used in Google Chrome, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.

XSS in key names

Swagger-ui contains a cross site scripting (XSS) vulnerability in the key names for the following object path in the JSON document: .definitions.{USER_DEFINED}.properties.{INJECTABLE_KEY_NAME}. Supplying a key name with script tags causes arbitrary code execution. In addition it is possible to load the arbitrary JSON files remotely via the URL query-string parameter.

XSS in dialog closeText

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

DOM-based XSS

Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross site scripting. The three functions are tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each one of these functions calls new Function() with user data passed as the argument.

DOM-based XSS

Three functions exposed by the Gmail.js API (not the Google Gmail API) are vulnerable to DOM-based cross site scripting (DOMXSS). The three functions are tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post. Each one of these functions calls new Function() with user data passed as the argument./n/nThis vulnerability is being disclosed before a public patched version is available because the issue was reported in a public Github issue.

XSS in Consumes/Produces Parameter

Swagger-UI contains a cross site scripting (XSS) vulnerability in the consumes and produces parameters of the swagger JSON document for a given API. A maliciously crafted swagger JSON doc can be loaded via the URL query-string parameter url.

Vulnerability in CGI applications

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY and HTTP_PROXY is a popular environment variable used to configure an outgoing proxy. This leads to a remotely exploitable vulnerability.

Improper Access Control

PHP does not attempt to address RFC section namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration …

Improper Access Control

PHP does not attempt to address RFC section namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration …

httpoxy vulnerability

humbug_get_contents is affected by httpoxy, a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to: * Proxy the outgoing HTTP requests made by the web application * Direct the server to open outgoing connections to an address and port of their choosing * …

Privilege Escalation

Unspecified vulnerability in libpng, as used in Android , allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug

Invalid input to route validation rules

call does not validate empty parameters, which could result in invalid input bypassing the route validation rules. For example, in the routing scheme /api/{param}/{param2}/details, a request made to /api/// would match incorrectly.

Invalid input to route validation rules

hapi does not validate empty parameters, which could result in invalid input bypassing the route validation rules. For example, in the routing scheme /api/{param}/{param2}/details, a request made to /api/// would match incorrectly.

Uncontrolled Resource Consumption

ActionServlet.java in Apache Struts mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

Jun 2016

Authorization bypass in JGroups

JGroups does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.

Potential Command Injection

The module does not properly escape ">" and "<" operator used for redirection in shell. Application escaping command-line args with this module might be vulnerable from malicious user input.

Regular Expression Denial of Service

The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line of minimatch.js: /((?:\{2}))(\?)|/g,. The problematic portion of the regex is ((?:\{2})) which matches against //.

Uncontrolled Resource Consumption

The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document.

Arbitrary File Write

Node-cli insecurely uses user provided data in the name of it's lock file and log file. It allows the starting user to overwrite any file they have access to.