Advisories

In Eclipse Jetty the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Characters in the GET url path are not properly escaped and can be reflected in the server response.

A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.

In Pannellum from URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if pannellum.htm was hosted on a domain that shared cookies with the targeted site's user authentication; an <iframe> could then be embedded on the attacker's …

Versions of vant are vulnerable to Cross-Site Scripting. The text value of the Picker component column is not sanitized, which may allow attackers to execute arbitrary JavaScript in a victim's browser. Upgrade to or later.

A CSRF vulnerability in Pagekit allows an attacker to upload an arbitrary file by removing the CSRF token from a request.

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.

The Ruby net-ldap gem uses a weak salt when generating SSHA passwords.

A path traversal vulnerability in Jenkins Support Core Plugin allows attackers with Overall/Read permission to delete arbitrary files on the Jenkins master.

An attacker can include file contents from outside the /adapter/xxx/ directory, where xxx is the name of an existent adapter like admin. It is exploited using the administrative web panel with a request for an adapter file.

Jenkins Anchore Container Image Scanner Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins QMetry for JIRA - Test Management Plugin transmits credentials in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.

Jenkins QMetry for JIRA stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Spira Importer Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

An issue was discovered in Symfony. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

Serializing certain cache adapter interfaces could result in remote code injection.

The UriSigner is subject to timing attacks.

An issue was discovered in Symfony. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality.

The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality.

Missing permission checks in various API endpoints in Jenkins Google Compute Engine allows attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of default parameter expressions in closures allows attackers to execute arbitrary code in sandboxed scripts.

A missing permission check in Jenkins Support Core Plugin allows attackers with Overall/Read permission to delete support bundles.

If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime ).

The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code.

If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command.

If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command.

The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code.

Jenkins JIRA does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope.

A cross-site request forgery vulnerability in Jenkins Google Compute Engine in ComputeEngineCloud#doProvision could be used to provision new agents.

The UriSigner was subjectto timing attacks.

Jenkins Google Compute Engine Plugin does not verify SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?<!ENTITY? and thus allowing for an xml external entity processing …

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?<!ENTITY? and thus allowing for an xml external entity processing …

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.

The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.

The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.

iobroker.admin allows attacker to include file contents from outside the /log/file1/ directory.

In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.

Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.

Withdrawn: duplicate of GHSA-pj4g-4488-wmxm

Versions of angular prior to 1.7.9 are vulnerable to prototype pollution. The deprecated API function merge() does not restrict the modification of an Object's prototype in the , which may allow an attacker to add or modify an existing property that will exist on all objects.

Cookie-signature is vulnerable to timing attacks.

When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to hours after logging out to make API requests to NiFi.

Information disclosure in simplesamlphp.

When updating a Process Group via the API in NiFi, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.

The XMLFileLookupService in NiFi allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses.

RubyGems passenger betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process.

Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr. then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983`), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr …

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

pimcore/pimcore is vulnerable to SQL Injection. An attacker with limited privileges (classes permission) can achieve a SQL injection that can lead in data leakage. The vulnerability can be exploited via id, storeId, pageSize and tables parameters, using a payload for trigger a time based or error based sql injection.

A flaw was found in org.codehaus.jackson:jackson-mapper-asl libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

Apache Shiro when using the default remember me configuration, cookies could be susceptible to a padding attack.

This advisory has been marked as False Positive and has been removed.

KairosDB has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a "sampling":{"value":"<script>' substring.

Pimcore lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.

Pimcore lacks brute force protection for the 2FA token.

Pimcore allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus.

A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus.

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.

An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem for Ruby. It allows directory traversal through .. to access private resources because resource matching does not ensure that pathnames are in a canonical format.

Pomelo allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can manipulate internal attributes by adding additional attributes to user input.

Insufficient content type validation of proxied resources in go-camo allows a remote attacker to serve arbitrary content from go-camo's origin.

JBoss KeyCloak is vulnerable to soft token deletion via CSRF

A remote attacker able to send XML requests to a REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities.

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the …

In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding of the symbiote/silverstripe-versionedfiles source code. (Users who upgrade from SilverStripe 3.x to 4.x and had Versioned Files installed have no further need for this module, because the 4.x release has built-in versioning. However, nothing in the …

An insecure component vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. Magento 2 codebase leveraged outdated versions of JS libraries (Bootstrap, jquery, Knockout) with known security vulnerabilities.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1427, CVE-2019-1428, CVE-2019-1429.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1426, CVE-2019-1427, CVE-2019-1429.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1426, CVE-2019-1428, CVE-2019-1429.

In SilverStripe through 4.3.3, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.

Istio allows Denial of Service because continue_on_listener_filters_timeout is set to True.

SilverStripe through 4.3.3 has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

An XML entity injection vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated admin user can craft document type definition for an XML representing XML layout. The crafted document type definition and XML layout allow processing of external entities which can lead to information disclosure.

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.

In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.

In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the search engine.

In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp.

The json-jwt gem before for Ruby lacks an element count during the splitting of a JWE string.

An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory, aka 'Open Enclave SDK Information Disclosure Vulnerability'.

A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. A user with privileges to generate sitemaps can bypass configuration that restricts directory access. The bypass allows overwrite of a subset of configuration files which can lead to denial of service.

Chartkick.js, as used in the Chartkick gem for Ruby, allows prototype pollution.

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they …

Default Express middleware security check is ignored in production Impact All Cube.js deployments that use affected versions of @cubejs-backend/api-gateway with default express authentication middleware in production environment are affected. Patches @cubejs-backend/api-gateway@0.11.17 Workarounds Override default authentication express middleware: https://cube.dev/docs/@cubejs-backend-server-core#options-reference-check-auth-middleware For more information If you have any questions or comments about this advisory: Open an issue in https://github.com/cube-js/cube.js/issues Reach out us in community Slack: https://slack.cube.dev/

Jupyter Notebook before 5.5.0 does not use a CSP header to treat served files as belonging to a separate origin. Thus, for example, an XSS payload can be placed in an SVG document.

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

strapi mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js.

XmlSecLibs performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

Rob Richards XmlSecLibs, as used for example by SimpleSAMLphp, performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

Apache CXF does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments.

Apache CXF provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability …

An unrestricted file upload vulnerability exists in Magento. An authenticated admin user can manipulate the Synchronization feature in the Media File Storage of the database to transform uploaded JPEG file into a PHP file.

stratisX (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.

A remote code execution vulnerability exists in Magento. An authenticated user with admin privileges to manipulate shippment settings can execute arbitrary code through server-side request forgery due to unsafe handling of a carrier gateway.

Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash. Impacted code will look something like this: doc = Nokogiri.XML(untrusted_input).

An issue was discovered in Lightbend Play Framework. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.

A security issue was discovered in the kube-state-metrics versions. By default, the kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels thus inadvertently exposing the secret content in metrics.

In Magento an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

In Magento, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

A remote code execution vulnerability exists in Magento. An authenticated user with privileges to manipulate layouts and images can insert a malicious payload into the page layout.

A remote code execution vulnerability exists in Magento. An unauthenticated user can insert a malicious payload through PageBuilder template methods.

A remote code execution vulnerability exists in Magento. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.

In Magento an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file modification.

In Magento an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.

An authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path.

PhantomJS has an arbitrary file read vulnerability, as demonstrated by an XMLHttpRequest for a file:// URI. The vulnerability exists in the page.open() function of the webpage module, which loads a specified URL and calls a given callback. An attacker can supply a specially crafted HTML file, as user input, that allows reading arbitrary files on the filesystem. For example, if page.render() is the function callback, this generates a PDF or …

An error when parsing XML entities can be exploited to exhaust memory and cause the server to crash via a specially crafted XML document including external entity references. Impacted code will look something like this: doc = Nokogiri.XML(untrusted_input).

A stored cross-site scripting (XSS) vulnerability exists in Magento. An authenticated user can inject arbitrary JavaScript code via customer attribute label.

In Magento an authenticated user with limited administrative privileges can inject arbitrary JavaScript code via import/export functionality when creating profile action XML.

A mitigation bypass to prevent cross-site scripting (XSS) exists in Magento. Successful exploitation of this vulnerability would result in an attacker being able to bypass the escapeURL() function and execute a malicious XSS payload.

A stored cross-site scripting (XSS) vulnerability exists in Magento. An authenticated user can inject arbitrary JavaScript code when adding a new customer attribute for stores.

A stored cross-site scripting (XSS) vulnerability exists in Magento. An authenticated user can inject arbitrary JavaScript code into the attribute set name when listing the products.

In Magento an unauthenticated user can inject arbitrary JavaScript code as a result of the sanitization engine ignoring HTML comments.

A stored cross-site scripting (XSS) vulnerability exists in in Magento. An authenticated user with access to the wysiwyg editor can abuse the blockDirective() function and inject malicious javascript in the cache of the admin dashboard.

OGNL provides, among other features, extensive expression evaluation capabilities. The vulnerability allows a malicious user to bypass all the protections (regex pattern, deny method invocation) built into the ParametersInterceptor, thus being able to inject a malicious expression in any exposed string variable for further evaluation.

php-symfony2-Validator suffers from loss of information during serialization.

php-symfony2-Validator suffers from a loss of information during serialization.

Pimcore has XSS in the translations grid because bundles/AdminBundle/Resources/public/js/pimcore/settings/translations.js mishandles certain HTML elements.

columnQuote in medoo allows remote attackers to perform a SQL Injection due to improper escaping.

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.

sequelize allows attackers to perform a SQL Injection due to the JSON path keys not being properly sanitized in the Postgres dialect.

Sequelize all versions prior are vulnerable to SQL Injection due to JSON path keys not being properly escaped for the MySQL/MariaDB dialects.

All versions of archiver allow attacker to perform a Zip Slip attack via the unarchive functions. It is exploited using a specially crafted zip archive, that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a ../../file.exe location …

In Apache Thrift, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

In Apache Thrift, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.

A server or client may run into an endless loop when feed with specific input data.

In Apache Thrift, a server or client may run into an endless loop when feed with specific input data.

Zend Framework has Potential SQL injection in PostgreSQL Zend\Db adapter.

Zend Framework has Potential SQL injection in PostgreSQL Zend\Db adapter.

send_email in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent to an e-mail address that can be supplied by the attacker. Thus, an attacker can exfiltrate any information. Email will be send through SMTP server …

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire allows attackers to send arbitrary HTTP GET requests.

PluginServlet.java in Ignite Realtime Openfire does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability.

The ruby_parser-legacy (aka legacy) gem for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency), a local user can insert malicious code into the ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.

The ruby_parser-legacy (aka legacy) gem for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) is used, a local user can insert malicious code into the ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.

Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

Jenkins Dynatrace Application Monitoring Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Jenkins Bitbucket OAuth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Jenkins Zulip Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin in form-related methods allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

A missing permission check in Jenkins Libvirt Slaves Plugin in form-related methods allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

A missing permission check in Jenkins Global Post Script Plugin allows users with Overall/Read access to list the scripts available to the plugin stored on the Jenkins master file system.

A missing permission check in Jenkins Libvirt Slaves Plugin allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

A missing permission check in Jenkins Dynatrace Application Monitoring Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

A missing permission check in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

A missing permission check in Jenkins Deploy WebLogic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

When using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

An XML external entities (XXE) vulnerability in Jenkins FireLine Plugin allows attackers with Overall/Read access to have Jenkins resolve external entities, resulting in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

In Apache POI, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

The Post editor functionality in the hexo-admin plugin for Node.js is vulnerable to stored XSS via the content of a post.

A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

A cross-site request forgery vulnerability in Jenkins Dynatrace Application Monitoring Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

A cross-site request forgery vulnerability in Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

A cross-site request forgery vulnerability in Jenkins Deploy WebLogic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials, or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system.

A cross-site request forgery vulnerability in Jenkins Libvirt Slaves Plugin allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

An issue was discovered in Pillow before 6.2.0. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

In the Loofah gem for Ruby through unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Versions of realms-shim are vulnerable to a Sandbox Breakout. The Realms evaluation function has an option to apply Babel-like transformations to the source code before it reaches the evaluator. One portion of this transform pipeline exposed a primal-Realm object to the rewriting function. Confined code which used the evaluator itself could provide a malicious rewriter function that captured this object, and use it to breach the sandbox. Upgrade to or …

Go Modules Vulnerability Disclosure Impact Temporary repository tokens were leaked into Pull Requests comments in during certain Go Modules update failure scenarios. Patches The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later. Workarounds Disable Go Modules support. References Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure For more information If you have any questions or comments about this advisory: Open an issue in Renovate Email us at support@renovatebot.com

In libssh2 v1.9.0 versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

In xsltCopyText in transform.c in libxslt, which is used by nokogiri, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Harbor API has a Broken Access Control vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account.

Sequelize is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.

Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

A missing permission check in Jenkins CRX Content Package Deployer Plugin in various doFillCredentialsIdItems methods allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

An arbitrary file read vulnerability in Jenkins Google OAuth Credentials allows attackers, who are able to configure jobs and credentials in Jenkins, to obtain the contents of any file on the Jenkins master.

A missing permission check in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

A missing permission check in Jenkins Google Kubernetes Engine Plugin allows attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified credentials ID.

A missing permission check in Jenkins iceScrum Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

A missing permission check in Jenkins Rundeck Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

A missing permission check in Jenkins CRX Content Package Deployer Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

Jenkins Cadence vManager Plugin disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

Jenkins Bumblebee HP ALM Plugin unconditionally disables SSL/TLS and hostname verification for connections to HP ALM.

An issue was discovered in Dolibarr. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the Sender email field.

An issue was discovered in Dolibarr. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields Errors-To in emails sent)" field.

An issue was discovered in Dolibarr. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.

A cross-site request forgery vulnerability in Jenkins Rundeck Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

A cross-site request forgery vulnerability in Jenkins CRX Content Package Deployer Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

A cross-site request forgery vulnerability in Jenkins Oracle Cloud Infrastructure Compute Classic Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

A cross-site request forgery vulnerability in Jenkins iceScrum Plugin allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins NeoLoad Plugin stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Jenkins iceScrum Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

There is HTML Injection in the Note field in Dolibarr ERP/CRM via user/note.php.

A flaw was found in the Keycloak REST API, where it would permit user access from a realm the user, was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method.

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that @import within the JSON data was a functional attack method.

User-provided input containting the ' is not properly escaped. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

safer-eval is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.

safer-eval is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.

Centreon allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4.

The netaddr gem before 1.5.3 and 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.

YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.php via a name field to /contact.html.

csv-parse is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

An issue was discovered in LibreNMS through 1.47. A number of scripts import the Authentication libraries, but do not enforce an actual authentication check. Several of these scripts disclose information or expose functions that are of a sensitive nature and are not expected to be publicly accessible.

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

An issue was discovered in LibreNMS through 1.47. It does not parameterize all user supplied input within database queries, resulting in SQL injection. An authenticated attacker can subvert these database queries to extract or manipulate data, as demonstrated by the graph.php sort parameter.

An issue was discovered in LibreNMS 1.50.1. A SQL injection flaw was identified in the ajax_rulesuggest.php file where the term parameter is used insecurely in a database query for showing columns of a table, as demonstrated by an ajax_rulesuggest.php?debug=1&term= request.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in indico.

An issue was discovered in LibreNMS 1.50.1. An authenticated user can perform a directory traversal attack against the /pdf.php file with a partial filename in the report parameter, to cause local file inclusion resulting in code execution.

An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options (includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php) do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqli_real_escape_string, which is only useful for preventing SQL injection attacks; other parameters are unfiltered. This allows an attacker to inject RRDtool syntax with newline characters via the html/graph.php and html/graph-realtime.php scripts. RRDtool syntax is quite versatile and …

An issue was discovered in LibreNMS through 1.47. Information disclosure can occur: an attacker can fingerprint the exact code version installed and disclose local file paths.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1307, CVE-2019-1335, CVE-2019-1366.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1308, CVE-2019-1335, CVE-2019-1366.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1307, CVE-2019-1308, CVE-2019-1335.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1307, CVE-2019-1308, CVE-2019-1366.

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

An information disclosure vulnerability exists when affected Open Enclave SDK versions improperly handle objects in memory, aka 'Open Enclave SDK Information Disclosure Vulnerability'.

Automattic Mongoose allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored.

In JFinal cos before, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions.

licenseUpload.php in Centreon Web allows attackers to upload arbitrary files via a POST request.

knex.js is vulnerable to SQL Injection attack. Identifiers are escaped incorrectly as part of the MSSQL dialect, allowing attackers to craft a malicious query to the host DB.

Ansible is logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

Auth0 auth0.net has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens.

Code using VerifyingKey.verify() and VerifyingKey.verify_digest() may receive exceptions other than the documented BadSignatureError when signatures are malformed. If those other exceptions are not caught, they may lead to program termination and thus Denial of Service Code using VerifyingKey.verify() and VerifyingKey.verify_digest() with sigdecode option using ecdsa.util.sigdecode_der will accept signatures even if they are not properly formatted DER. This makes the signatures malleable. It impacts only applications that later sign the signatures …

It is possible to inject JavaScript within node-red-dashboard versions due to the ui_notification node accepting raw HTML by default.

Bootstrap-3-Typeahead is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.

Relative Path Traversal in iodine.

Test breaking Impact In v1.2.0, tests are broken: all tests are always succeeding. If tests are looking for security vulnerabilities, these were compromised. Patches Users should upgrade to v1.2.1 Workarounds Users who don't use eye.js for looking for vulnerabilities are safe. Upgrading will just fix some bugs. For more information If you have any questions or comments about this advisory: Open an issue in EyeJS Email us at arguiot@gmail.com

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

TeamPass allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.

TeamPass allows Stored XSS at the Search page by setting a crafted password for an item in any folder.

TeamPass allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.

In Apache Hadoop, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ses.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in realms-shim.

A flaw was found in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

faces/context/PartialViewContextImpl.java allows Reflected XSS because a client window field is mishandled.

go-yaml is vulnerable to a Billion Laughs Attack.

Relative Path Traversal in iodine.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Jenkins HTML Publisher Plugin does not escape the project and build display names in the HTML report frame, resulting in a cross-site scripting vulnerability exploitable by users able to change those.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of default parameter expressions in constructors allows attackers to execute arbitrary code in sandboxed scripts.

Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward.

Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure.

Jenkins Dingding Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Improper Neutralization in PeterO.Cbor.

Plataformatec Simple Form has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call.

In phpBB includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them.

Denial of Service Impact Affected Centra versions will, when not in stream mode, buffer responses to requests into memory with no size limit. This issue affects anyone requesting content from untrusted sources. Patches resolves the issue by limiting the size of buffered response body. Workarounds Attempting workarounds isn't recommended. Updating is preferred. For more information If you have any questions or comments about this advisory, open an issue in ethanent/centra.

Dolibarr has a stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

Dolibarr has a stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)

Dolibarr has a stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

Dolibarr has a stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.

phpBB allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS

This advisory has been marked as a false positive.

Netty mishandles whitespace before the colon in HTTP headers (such as a Transfer-Encoding : chunked line), which leads to HTTP request smuggling.

In SilverStripe, there is access escalation for CMS users with limited access through permission cache pollution.

Stored Cross-Site Scripting in DotNetNuke (DNN) allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when an admin user visits a notification page with stored cross-site scripting.

In SilverStripe, there is broken access control on files.

TeamPass allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.)

In SilverStripe asset-admin, there is XSS in file titles managed through the CMS.

SQL injection vulnerabilities in Centreon allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.

SilverStripe allows session fixation in the "change password" form.

SilverStripe has incorrect access control for protected files uploaded via Upload::loadIntoFile(). An attacker may be able to guess a filename in silverstripe/assets via the AssetControlExtension.

Jenkins printed the value of the 'Cookie' HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

runc through allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

In SilverStripe, a missing warning about leaving install.php in a public webroot can lead to unauthenticated admin access.

In Rubyzip, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).

In Jenkins the f:expandableTextBox form control interpreted its content as HTML when expanded, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents (typically Job/Configure).

SilverStripe has Flash Clipboard Reflected XSS.

Jenkins does not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

Jenkins does not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.

In Jenkins, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

Jenkins does not escape the SCM tag name on the tooltip for SCM tag actions, resulting in a stored XSS vulnerability exploitable by users able to control SCM tag names for these actions.

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

The omniauth failure endpoint is vulnerable to XSS through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.

DOMPurify allows XSS because of innerHTML mutation XSS (mXSS) for an SVG element or a MATH element, as demonstrated by Chrome and Safari.

Carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim

Carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim

Carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim

Carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim

Carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim

Multiple classes used within Apereo CAS make use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.

When a controller has multiple power directives, the :only and :except options of the last directive is applied to all directives. This can lead to unauthenticated access to certain controller actions.

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

Status Board has reflected XSS via dashboard.ts.

Status Board has reflected XSS via logic.ts.

Generated code uses repository configuration that downloads over HTTP instead of HTTPS Impact Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time. Patches Maven users should at least upgrade to 6.3.0 while Gradle users should update to 6.3.1. If you are not able to upgrade make sure not to use a Maven repository via http in your …

On Apache JSPWiki, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWikia carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

On Apache JSPWiki, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

The Reset Password feature in Pagekit gives a different response depending on whether the e-mail address of a valid user account is entered, which might make it easier for attackers to enumerate accounts.

An issue was discovered in Mautic It has Stored XSS via the company name field.

The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server.

Circumvents open_basedir INI directive.

In Webkul Bagisto, the functionalities for customers to change their own values (such as address, review, orders, etc.) can also be manipulated by other customers.

SPIP mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

SPIP provides different error messages from the password-reminder page depending on whether an e-mail address exists, which might help attackers to enumerate subscribers.

SPIP allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.

In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

SPIP allows prive/formulaires/login.php XSS via error messages.

Tapestry processes assets /assets/ctx using classes chain StaticFilesFilter -> AssetDispatcher -> ContextResource, which does not filter the character , so attacker can perform a path traversal attack to read any files on Windows platform.

The File Session Manager in Beego allows local users to read session files because of weak permissions for individual files.

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.

This issue has been marked as a false positive.

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from …

In htdocs/societe/card.php in Dolibarr, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS.

The File Session Manager in Beego allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to com.zaxxer.hikari.HikariConfig.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

A class generated by the Generator in JHipster produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

In Pimcore, an attacker with limited privileges can bypass file-extension restrictions via a filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames.

In Pimcore an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory.

A class generated by the Generator in JHipster produces code that uses an insecure source of randomness. This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.

Clicking on smartbanner View link and navigating to 3rd party page leaves window.opener exposed. It may allow hostile 3rd parties to abuse window.opener, e.g. by redirection or injection on the original page with smartbanner.

Bower has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted.

NPM package gitlabhook is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.

rel noopener vulnerability Impact Clicking on smartbanner View link and navigating to 3rd party page leaves window.opener exposed. It may allow hostile 3rd parties to abuse window.opener, e.g. by redirection or injection on the original page with smartbanner. Patches rel="noopener" is automatically populated to links as of v1.14.1 which is a recommended upgrade to resolve the vulnerability. Workarounds If you can not upgrade to v1.14.1: Ensure View link is only …

A denial of service vulnerability exists when PowerShell Core or .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a PowerShell Core scripts. The update addresses the vulnerability by correcting how the .NET Core handles web requests. System administrators are advised to update PowerShell Core to an unaffected version (see affected software.)

A CSRF issue in phpMyAdmin allows deletion of any server in the Setup page.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allows attackers to execute arbitrary code in sandboxed scripts.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of method names in method call expressions allows attackers to execute arbitrary code in sandboxed scripts.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of property names in property expressions on the left-hand side of assignment expressions allows attackers to execute arbitrary code in sandboxed scripts.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of property names in property expressions in increment and decrement expressions allows attackers to execute arbitrary code in sandboxed scripts.

All versions of sailsjs-cacheman have a vulnerability that may lead to Undefined Behavior. The config variable is exposing to the global scope which may overwrite other variables and cause the application to misbehave. No fix is currently available. Consider using an alternative module until a fix is made available.

Relative Path Traversal in algo-httpserv.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1138, CVE-2019-1237, CVE-2019-1298, CVE-2019-1300.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1298.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1138, CVE-2019-1217, CVE-2019-1237, CVE-2019-1300.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1217, CVE-2019-1237, CVE-2019-1298, CVE-2019-1300.

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1138, CVE-2019-1217, CVE-2019-1298, CVE-2019-1300.

Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.

An elevation of privilege vulnerability exists when a ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests, aka 'ASP.NET Core Elevation Of Privilege Vulnerability'.

In the Eclipse Paho Java client library, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.

Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /change-password-by-admin/, /api/settings/add/, /cases/create/, /change-password-by-admin/, /comment/add/, /documents/1/view/, /documents/create/, /opportunities/create/, and /login/.

Verdaccio is vulnerable to XSS which allows malicious JavaScript packages to be executed in the user interface and steal user credentials.

Solr is vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via the update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.

Improper authentication is possible in Apache Traffic Control versions if LDAP is enabled for login in the Traffic Ops API component. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.

Seneca contains a vulnerability that could lead to exposing environment variables to unauthorized users.

Sakai allows XSS via a chat user name.

The breadcrumbs contributed module for Padrino Framework allows XSS via a caption.

Grav allows (Stored) Cross-Site Scripting due to JavaScript execution in SVG images.

An issue was discovered in Plataformatec Devise. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

core/api/user.go in Harbor allows non-admin users to create admin accounts via the POST /api/users API, when Harbor is setup with DB as authentication backend and allow user to do self-registration.

The Airbrake Ruby notifier mishandles the blacklist_keys configuration option and consequently may disclose passwords to unauthorized actors.

An issue was discovered in Mautic There is Stored XSS via the authorUrl field in config.json.

Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered.

Spotless is resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. If these artifacts were maliciously altered, developers using them could be compromised.

Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered.

Instagram-PHP-API has XSS via the example/success.php error_description parameter.

WebTorrent allows XSS in the HTTP server via a title or file name.

Rancher is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.

Rancher is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher. The attack requires a victim to be logged into a Rancher server, and then to access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the cluster's Kubernetes API with the permissions and identity of the victim.

An unintended require vulnerability in larvitbase-api may allow an attacker to load arbitrary non-production code (JavaScript file).

The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.

A path traversal vulnerability of statichttpserver npm module allows attackers to list files in arbitrary folders.

The file name encoding algorithm used internally in Apache Commons Compress can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

In kubelet, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output.

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files …

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes runs tar inside the container to create a tar archive, copies it over the network, and kubectl unpacks it on the user's machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files …

A stored cross-site scripting vulnerability in Jenkins allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages.

Jenkins allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control.

Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test.

django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline.

connect-pg-simple allows SQL injection if tableName or schemaName is untrusted data.

Observational Health Data Sciences and Informatics (OHDSI) WebAPI allows SQL injection in FeatureExtractionService.java.

BEdita allows SQL injection during a save operation for a relation with parameters

In eslint-utils, the getStaticValue function can execute arbitrary code.

CyberChef before allows XSS in core/operations/TextEncodingBruteForce.mjs.

laracom is vulnerable to XSS.

set-value is vulnerable to Prototype Pollution. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

deeply is vulnerable to Prototype Pollution. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using a proto payload.

The proxystatistics module for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR or SUP element.

pandao Editor.md 1.5.0 allows XSS via the Javascript: string.

In Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario.

Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability. Recommendation Update to version 0.9.0 or later.

All versions of rgb2hex are vulnerable to Regular Expression Denial of Service (ReDoS) when an attacker can pass in a specially crafted invalid color value. Update to or later.

Kimai is vulnerable to XSS via a timesheet description.

Bolt is vulnerable to XSS via a title that is mishandled in the system log.

Bolt has XSS via an image's alt or title field.

Ignite Realtime Openfire has reflected XSS via an LDAP setup test.

selectize-plugin-a11y has XSS via the msg field.

Bolt is vulnerable to XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.

Jooby before has XSS via the default error handler.

mixin-deep is vulnerable to Prototype Pollution. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Improper Verification of a Cryptographic Signature in OpenPGP.js allows an attacker to forge signed messages by replacing its signatures with a standalone or timestamp signature.

Improper Verification of a Cryptographic Signature in OpenPGP.js allows an attacker to pass off unsigned data as signed.

A cryptographic issue in OpenPGP.js allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve attack in order to gain the victim's ECDH private key.

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

Recommender before 1.3.1 allows XSS. It is possible for a learner to craft a fake resource to recommender, that includes script which could possibly steal credentials from staff if they are lured into viewing the recommended resource.

assign-deep is vulnerable to Prototype Pollution. The function assign-deep could be tricked into adding or modifying properties of Object.prototype using either a constructor or a proto payload.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

In Apache Commons Beanutils, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Fat Free CRM has XSS in the tags_helper in app/helpers/tags_helper.rb.

core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected. NOTE: the vendor disputes this issue because it is exploitable only in conjunction with hypothetical other factors, i.e., an affected use case within a library caller, and a bug in the message receiver policy code that led to reliance …

The rest-client gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.

AdPlug has a double free in the Cu6mPlayer class in u6m.h.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, …

A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby's Kernel.open method.

Policy import functionality in Apache Ranger 0.7.0 to 1.2.0 is vulnerable to a cross-site scripting issue. Upgrade to 2.0.0 or later version of Apache Ranger with the fix.

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.

A command injection vulnerability in Nokogiri allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename.

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

It was found that Keycloak's SAML broker did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

This issue has been marked as a false positive.

An issue was discovered in Dolibarr. A user can store an IFRAME element (containing a user/card.php CSRF request) in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. (The protection mechanism for CSRF is to check the Referer header; however, because the attack is from one of the application's own settings pages, this mechanism is bypassed.)

Istio mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

An issue was discovered |20 Storage A Path Traversal vulnerability in the TwentyTwenty.Storage library in the LocalStorageProvider allows creating and reading files outside of the specified basepath. If the application using this library does not sanitize user-supplied filenames, then this issue may be exploited to read or write arbitrary files. This affects LocalStorageProvider.cs.

An issue was discovered in the mysql (aka mysqljs) module for Node.js. The LOAD DATA LOCAL INFILE option is open by default.

Bagisto allows CSRF under /admin URIs.

A Server Side Request Forgery (SSRF) vulnerability in go-camo up to version allows a remote attacker to perform HTTP requests to internal endpoints.

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.

verdaccio allows XSS.

The Backpack component for Laravel allows XSS via the select field type.

AdPlug has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp.

AdPlug has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp.

AdPlug has multiple heap-based buffer overflows in CmtkLoader::load() in mtk.cpp.

The PHP JOSE Library is vulnerable to key confusion/algorithm substitution in the JWS component resulting in bypassing the signature verification via crafted tokens.

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin does not properly apply masking to some values expected to be hidden when logging the configuration being applied.

YOURLS is affected by a type juggling vulnerability in the api component that can result in login bypass.

In certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem)

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

AdPlug has a heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp.

AdPlug has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp.

AdPlug has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.

In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.

In Apache Tika, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs.

A carefully crafted package/compressed file that, when unzipped/uncompressed yields the same file (a quine), causes a StackOverflowError in Apache Tika's RecursiveParserWrapper.

A server-side request forgery (SSRF) vulnerability exists in Magento. This can be exploited by authenticated user with admin privileges to manipulate shipment settings to execute arbitrary code.

A carefully crafted or corrupt zip file can cause an OOM in Apache Tika's RecursiveParserWrapper.

An insecure direct object reference (IDOR) vulnerability in Magento can lead to unauthorized disclosure of company credit history details.

A remote code execution vulnerability exists in Magento. An authenticated user with administrator privileges to layouts can execute arbitrary code through a combination of product import, crafted csv file and XML layout update.

A remote code execution vulnerability exists in Magento. An authenticated user with admin privileges to layouts can execute arbitrary code through a crafted XML layout update.

A cryptograhic flaw in Magento could be abused by an unauthenticated user to discover an invariant used in gift card generation.

A stored cross-site scripting vulnerability exists in the product catalog form of Magento. This could be exploited by an authenticated user with privileges to the product catalog to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This can be exploited by an authenticated user with permissions to manage customer groups.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This can be exploited by an authenticated user with permissions to manage tax rules.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify product information.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to customer configurations to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the WYSIWYG editor of Magento. An authenticated user with privileges to the editor can inject malicious SWF files.

A reflected cross-site scripting vulnerability exists in the admin panel of Magento when the feature that adds a secret key to the Admin URL is disabled.

A cross-site scripting mitigation bypass exists in Magento. This could be exploited by an authenticated user to escalate privileges (admin vs. admin XSS attack).

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to edit newsletter templates to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to marketing email templates to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to email templates.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to store product attributes to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify content block titles to inject malicious javascript.

A stored cross-site scripting vulnerability exists in the admin panel of Magento. This could be exploited by an authenticated user with privileges to modify content page titles to inject malicious javascript.

A cross-site request forgery vulnerability in Magento can cause unwanted items to be added to a shopper's cart due to an insufficiently robust anti-CSRF token implementation.

In Apache Solr, the DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with …

It was found that the Apache ActiveMQ client before 5.15.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

A flaw was found in Jolokia which is vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of method pointer expressions allows attackers to execute arbitrary code in sandboxed scripts.

A sandbox bypass vulnerability in Jenkins Script Security Plugin related to the handling of type casts allows attackers to execute arbitrary code in sandboxed scripts.

Jenkins Configuration as Code Plugin does not treat the proxy password as a secret to be masked when logging or encrypted for export.

Jenkins Configuration as Code Plugin does not reliably identify sensitive values expected to be exported in their encrypted form.

Missing permission checks in Jenkins Configuration as Code Plugin in various HTTP endpoints allowed users with Overall/Read access to access the generated schema and documentation for this plugin containing detailed information about installed plugins.

Jenkins Configuration as Code Plugin does not properly apply masking to values expected to be hidden when logging the configuration being applied.

Jenkins Configuration as Code Plugin does not not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

Teachers in a quiz group could modify group overrides for other groups in the same quiz.

Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

Teachers in an assignment group could modify group overrides for other groups in the same assignment.

A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.