In OctoberCMS, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as …
In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection …
In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection …
A denial of service vulnerability exists in Fastify that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.
The DAO/DTO implementation in SpringBlade through allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters.
This affects the package express-fileupload. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.
In SLPJS (npm package slpjs), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.
In SLP Validate (npm package slp-validate), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code …
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any …
A malicious user could inject commands through the _data variable
Magento has an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
In auth0 (npm package), a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. and you are using a Machine to Machine application authorized to use Auth0's management API.
Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.
The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.
Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in git-tags-remote.
The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution.
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function.
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes …
In TYPO3 CMS, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1), it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, …
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
In auth0 (npm package) and you are using a Machine to Machine application authorized to use Auth0's management API
The Kubernetes ingress-nginx component allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type.
In TYPO3 installations with the mediace extension, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation.
In TYPO3 CMS, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid …
The dlf (aka Kitodo.Presentation) for TYPO3 allows XSS.
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.
In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.
An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
LibEtPan has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a begin TLS response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka response injection.
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.
kube-proxy was found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to localhost running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running …
The Kubelet and kube-proxy components were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or …
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.
In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.
An authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit …
This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.
This affects all versions of package rollup-plugin-server. There is no path sanitization in the readFile operation performed inside the readFileFromContentBase function.
This affects all versions of the marked-tree package. There is no path sanitization for the path provided in fs.readFile of index.js.
This affects all versions of the marscode package. There is no path sanitization for the path provided in fs.readFile of index.js.
This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in the readFile operation inside the readFileFromContentBase function.
Uncontrolled resource consumption in jpeg-js allows attacker to launch denial of service attacks using specially a crafted JPEG image.
Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.
Lua has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.
The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
The Kubernetes kubelet component do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the …
The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext." Example Code: async () => …
An SQL injection vulnerability in softwareupdate_controller.php in the Software Update module for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint.
An SQL injection vulnerability in reportdata_controller.php in the reportdata module for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.
The UI in DevSpace allows web-sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.
A Cross-Site Scripting (XSS) vulnerability in the munki_facts (aka Munki Conditions) module for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the key name.
The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
What kind of vulnerability is it? Who is impacted? JupyterHub deployments using: KubeSpawner <= 0.11.1 (e.g. zero-to-jupyterhub 0.9.0) and enabled named_servers (not default), and an Authenticator that allows: usernames with hyphens or other characters that require escape (e.g. user-hyphen or user@email), and usernames which may match other usernames up to but not including the escaped character (e.g. user in the above cases) In this circumstance, certain usernames will be able …
A buffer overflow in the patching routine of bsdiff4 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.
In parser-server, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.
Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.
Magento has a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.
In LibreNMS, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.
Lua's getobjname suffers from a heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
Sails.js allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.
An issue was discovered in LibreNMS. It has insufficient access control for normal users in routes/web.php.
Lua mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.
The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.
A path traversal vulnerability in servey allows an attacker to read content of any arbitrary file.
In codecov (npm package), the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in …
In Fiber, the filename that is given in c.Attachment() is not escaped, and therefore vulnerable for a CRLF injection attack. An attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().
When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy …
docsify is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs and render arbitrary JavaScript/HTML inside docsify page.
A buffer overflow is present in canvas version which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image.
This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.
The kramdown gem processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution.
This affects all versions of package react-native-fast-image. When an image is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.
Graylog lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections.
MIT Lifelong Kindergarten Scratch scratch-vm loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented.
Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …
A Path Traversal issue was discovered in the socket.io-file package for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.
Insufficient input validation in npm package may lead to OS command injection attacks.
In SilverStripe, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side effect, this preconfigured path also blocks …
The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., …
Jenkins Gitlab Authentication Plugin does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator). A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code)
Jenkins does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.
Jenkins does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.
Jenkins does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.
Jenkins Deployer Framework Plugin does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.
In SilverStripe, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.
Jenkins Matrix Project Plugin does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.
Jenkins Matrix Project Plugin does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.
Jenkins Matrix Authorization Strategy Plugin does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.
Jenkins does not escape correctly the href attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.
In openenclave, enclaves that use x87 FPU operations are vulnerable to tampering by a malicious host application. By violating the Linux System V Application Binary Interface (ABI) for such operations, a host app can compromise the execution integrity of some x87 FPU operations in an enclave. Depending on the FPU control configuration of the enclave app and whether the operations are used in secret-dependent execution paths, this vulnerability may also …
In freewvs, a directory structure of more than nested directories can interrupt a freewvs scan due to Python's recursion limit and os.walk(). This can be problematic in a case where an administrator scans the dirs of potentially untrusted users.
In freewvs, a user could create a large file that freewvs will try to read, which will terminate the scan process.
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible.
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely.
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat to M1 to to to Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
An h2c direct connection to Apache Tomcat to M5 to to did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code.
h2c does not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
In OctoberCMS, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in standard-version.
django-two-factor-auth versions 1.11 and before store the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user …
A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function.
PKCE support is not implemented in accordance with the RFC for OAuth for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain …
Incorrect handling of Upgrade header with the value of websocket leads in crashing of containers hosting sockjs apps.
In TimelineJS, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file.
Server-Side Template Injection and arbitrary file disclosure are possible in Camel templating components.
In Electron, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected.
In Electron, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected.
In Electron, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected.
Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.
Impact Inside Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish(), messages are arbitrarily broadcasted to the related Topic if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch() does not succeed. The dispatch() method can be considered to not succeed if (depending on the version of the bundle) the callback defined on a topic route is misconfigured, a Gos\Bundle\WebSocketBundle\Topic\TopicInterface implementation is not found for the callback, a topic which also implements Gos\Bundle\WebSocketBundle\Topic\SecuredTopicInterface rejects the connection, or an Exception is unhandled. This can result in an …
npm is vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.
npm CLI is vulnerable to an information exposure vulnerability through log files. The password value is not redacted and is printed to stdout and also to any generated log files.
This advisory has been marked as a false positive.
Improper Neutralization in com.upokecenter:cbor.
In Electron, an arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.
In jspdf, it is possible to inject JavaScript code via the html method.
In jspdf, it is possible to use <script> in order to bypass improper filtering protections based off of regular expressions.
A denial of service vulnerability allows an untrusted user to run any pending migrations on an app running in production.
A denial of service vulnerability exists in Rails that allowed an untrusted user to run any pending migrations on a Rails app running in production.
A directory traversal vulnerability exists in rack that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.
A missing permission check in Jenkins Fortify on Demand Plugin allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
Jenkins White Source Plugin stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system.
Jenkins GitHub Coverage Reporter Plugin stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration.
Jenkins TestComplete support Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Apache Guacamole does not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
Jenkins Slack Upload Plugin stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
A missing permission check in Jenkins Fortify on Demand Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.
Apache Guacamole mishandles pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.
LibRaw lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.length.
The is a code injection vulnerability in versions of Rails that wouldallow an attacker who controlled the locals argument of a render call to perform a RCE.
Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Jenkins Compatibility Action Storage Plugin does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
Jenkins Sonargraph Integration Plugin does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability.
Jenkins VncRecorder Plugin does not escape a tool path in the checkVncServ form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.
Jenkins VncViewer Plugin does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack
Jenkins Link Column Plugin does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability.
Jenkins VncRecorder Plugin does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.
A CSRF vulnerability exists in rails that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
A CSRF forgery vulnerability exists in rails, rails that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.
There is a code injection vulnerability in versions of Rails that would allow an attacker who controlled the locals argument of a render call to perform a RCE.
Jenkins Stash Branch Parameter transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
This issue occurs because tagName user input is formatted inside the exec function is executed without any checks.
php/exec/escapeshellarg in Locutus PHP allows an attacker to execute code.
Data is truncated wrong when its length is greater than bytes.