Advisories

This package mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

This package mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

botbait is known to record and track user information. The module tracks the following information: * Source IP * process.versions * process.platform * How the module was invoked (test, require, pre-install)

The forwarded module is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Fresh is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry.

In a ZIP Bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

The module pandora-doomsday infects other modules. It's since been unpublished from the registry.

UEdit has XSS via the SRC attribute of an IFRAME element.

cuciuci is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

welcomyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

serverzyy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

datachannel-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

rtcmulticonnection-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

liyujing is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About k characters can block the event loop for 2 seconds.

The timespan module is vulnerable to regular expression denial of service. Given k characters of untrusted user input it will block the event loop for around seconds.

An incorrect kupu security declaration would allow any authenticated user to edit kupu settings.

Plone's URL checking infrastructure includes a method for checking if URLs valid and located in the Plone site. By passing HTML into this specially crafted url, XSS can be achieved.

When Debug mode is turned on, under certain conditions an arbitrary script may be executed in the Problem Report screen. Also if JSP files are exposed to be accessed directly it's possible to execute an arbitrary script.

OWASP AntiSamy before allows XSS via HTML5 entities.

geminabox (aka Gem in a Box) has an XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file.

geminabox (aka Gem in a Box) is vulnerable to CSRF.

A vulnerability that allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator.

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

The tough-cookie module is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is kb so the impact of the ReDoS is limited to around seconds of blocking.

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

A flaw was found in instack-undercloud where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly. In applications that use Ember's select view and pass user-supplied content to the label, a specially-crafted payload could execute arbitrary JavaScript in the context …

In the Convention plugin in Apache Struts, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

If an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

The REST Plugin in Apache Struts uses an outdated XStream library which is vulnerable and allow to perform a DoS attack using malicious request with specially crafted XML payload.

In Apache Struts, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

Using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

An attacker may be able to login with an empty password. This issue affects an application using this package if these conditions are met: (1) it relies only on the return error of the Bind function call to determine whether a user is authorized (i.e., a nil return value is interpreted as successful authorization) and (2) it is used with an LDAP server allowing unauthenticated bind.

The REST Plugin in this package is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this …

When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

When using a VirtualDirContext with Apache Tomcat it is possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further …

Various course reports allow teachers to view details about users in the groups they cannot access.

Moodle has an XSS in the contact form on the "non-respondents" page in non-anonymous feedback.

The REST Plugin in this package uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

SilverStripe CMS has an XSS via an SVG document that is mishandled by (1) the Insert Media option in the content editor or (2) an admin/assets/add pathname.

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.

The Fastly CDN for Magento, when used with a third-party authentication plugin, might allow remote authenticated users to obtain sensitive information from authenticated sessions via vectors involving caching of redirect responses.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

Copies of several well known Python packages were published under slightly modified names in the official Python package repository PyPI (prominent example includes urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code.

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.

Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by …

In Apache Brooklyn, the REST server is vulnerable to cross-site scripting where one authenticated user can cause scripts to run in the browser of another user authorized to access the first user's resources. This is due to improper escaping of server-side content.

The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.

tmock is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

serverwzl is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

serveryztyzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

serverhuwenhui is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

gaoxiaotingtingting is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

weather.swlyons is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a "not supported" error.

Unrestricted File Upload vulnerability in the fileDenyPattern in sysext/core/Classes/Core/SystemEnvironmentBuilder.

There is a SQL injection vulnerability in don/list.

Dolibarr contains an SQL injection vulnerability in admin/menus/edit.

There is a sensitive information disclosure vulnerability in dolibarr.

Information disclosure in backend content tree menu.

If a view has been disabled in site.ini SiteAccessRules Rules, and an attacker accesses the backend with the URL to this module, then the tree menu may be displayed. Since the tree menu may contain hidden items, this may lead to information disclosure.

Kura takes control over the device's firewall setup but does not allow IPv6 firewall rules to be configured. The Equinox console port is left open, logs into Kura without any user credentials over unencrypted telnet and executes commands using the Equinox exec command. As the process is running as root full control over the device can be acquired. IPv6 is also left in auto-configuration mode, accepting router advertisements automatically and …

Multiple cross-site scripting vulnerabilities.

dolibarr is vulnerable to Cross-site scripting.

GeniXCMS allows remote attackers to cause a denial of service (account blockage) by leveraging the mishandling of certain username substring relationships, such as the admin<script> username versus the admin username, related to register.php, User.class.php, and Type.class.php.

In Netwide Assembler (NASM) rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.

When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

charset is vulnerable to regular expression denial of service. Input of around k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is kb so the impact of the ReDoS is relatively low.

serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

If untrusted user input is allowed into the resolve() method then command injection is possible.

The application is vulnerable to Cross-Site Request Forgery because of the lack of "protect_from_forgery" in the Rails controllers.

The library is vulnerable to LDAP injection through the "username" parameter.

tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

A cyberjs server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

serveryaozeyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

In order to be fully RFC compliant for TOTPs, no valid OTP may be used more than once for a given timestep.

Failing to properly encode user input, backend forms are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Information Disclosure in TYPO3 CMS.

HTTP requests being performed using the TYPO3 API expose the specific TYPO3 version to the called endpoint.

Information Disclosure in TYPO3 CMS.

Failing to properly check user permission on file storages, editors could gain knowledge of protected storages and its folders as well as using them in a file collection being rendered in the frontend. A valid backend user account is needed to exploit this vulnerability.

XSS in TYPO3 CMS Backend.

Arbitrary Code Execution in TYPO3 CMS.

Due to a missing file extension in the fileDenyPattern, backend user are allowed to upload *.pht files which can be executed in certain web server setups.

The secureCompare method in lib/SimpleSAML/Utils/Crypto when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

SimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

SimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.

The SimpleSAML_Session class in SimpleSAMLphp allows remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.

The aesEncrypt method in lib/SimpleSAML/Utils/Crypto makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).

The InfoCard module for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.

The multiauth module in SimpleSAMLphp allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.

Sencisho is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

This package can be tricked into connecting to a host different from the one extracted by java.net.URI if a'?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

RubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a query command.

Async Http Client can be tricked into connecting to a host different from the one extracted by java.net.URI if a ? character occurs in a fragment identifier.

RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.

When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name Solr does not validate the file name, hence it is possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk …

serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Baser CMS contains a SQL injection vulnerability.

ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.

baserCMS allows remote attackers to delete arbitrary files via unspecified vectors when the "File" field is being used in the mail form.

This package allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

Error responses from Apache Atlas include stack traces, exposing excessive information.

Apache Atlas allow access to the webapp directory contents by pointing to URIs like /js and /img.

list-n-stream is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

tinyserver2 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Apache Atlas uses cookies that could be accessible to client-side script.

Apache Atlas is vulnerable to DOM XSS in the edit-tag functionality.

Apache Atlas is vulnerable to cross frame scripting.

Apache Atlas is vulnerable to Stored Cross-Site Scripting in the edit-tag functionality.

Apache Atlas is vulnerable to Reflected XSS in the search functionality.

This package is vulnerable to Cross-site Scripting (XSS) attacks. The autoescape option was set to False in the jinja configuration, allowing attackers to use inject content into user input.

The fs-git module relies on child_process.exec, however, the buildCommand method used to construct exec strings does not properly sanitize data and is vulnerable to command injection across all methods that use it and call exec.

baserCMS allows an attacker to execute arbitrary PHP code on the server via unspecified vectors.

This package is vulnerable to Arbitrary File Download. A client can use backslashes to escape the directory the files where exposed from. Note: Only if the host server is a windows-based operating system.

Zend/Diactoros/Uri::filterPath in zend-diactoros does not properly sanitize path input, which allows remote attackers to perform cross-site scripting (XSS) or open redirect attacks.

Cross-site request forgery (CSRF) vulnerability this package.

components/filemanager/class is vulnerable to remote command execution because shell commands can be embedded in parameter values, as demonstrated by search_file_type.

There is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

Nimbus JOSE+JWT proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

Nimbus JOSE+JWT proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

The gem open-uri-cached contains a flaw that is due to the program creating predictable temporary files and loading YAML without a safe loader. This may allow a local attacker to gain elevated privileges.

The Reporting feature in X-Pack has an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.

hawtio is vulnerable to CSRF vulnerability allowing remote attackers to trick the user to visit their website containing a malicious script which can be submitted to hawtio server on behalf of the user.

The numpy.pad function in Numpy versions is missing input validation. An empty list or array will stick into an infinite loop, which can allow attackers to cause a DoS attack.

A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name.

The HTTP/2 implementation in Tomcat bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

The CORS Filter in Apache Tomcat does not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory, aka "Scripting Engine Memory Corruption Vulnerability".

The CORS Filter in Apache Tomcat did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

The Realm implementations in Apache Tomcat does not process the supplied password if the supplied user name did not exist which makes it possible to use a timing attack to determine valid user names.

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

A bug in the error handling of the NIO HTTP connector in Apache Tomcat resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage.

In Apache Tomcat, a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

The HTTP transport module in Apache CXF uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest which is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back …

The package rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration. If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack. If you control a redirection target, you can steal …

Express do not specify a charset field in the content-type header while displaying level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.

It was found that under some situations and configurations of Apache Storm, it is theoretically possible for the owner of a topology to trick the supervisor to launch a worker as a different, non-root, user. In the worst case this could lead to secure credentials of the other user being compromised.

cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

IdentityServer3 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the IdentityServer authorization response.

openssl.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

gruntcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

opencv.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

fabric-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodemailer.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodefabric was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

mariadb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

sqlite.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

node-opencv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

mysqljs was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

mssql-node was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodesqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

ffmepg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

sqliter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

node-sqlite was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

node-openssl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

mssql.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

d3.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

mongose was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

node-opensl was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodecaffe was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

node-tkinter was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodemssql was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

nodemailer-js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

babelcli was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

jquery.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

noderequest was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

node-fabric was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.

When a call-site passes a subject for an email that contains line-breaks, the caller can add arbitrary SMTP headers.

Recent Electron versions do not have strict Same Origin Policy (SOP) enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host.

The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code.

Safemode is vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete-permissions or possibly to privilege escalation.

A logged in back end user can include arbitrary PHP files by manipulating an URL parameter. Since Contao does not allow to upload PHP files in the file manager, the attack is limited to the existing PHP files on the server.

Contao allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal.

An XSS vulnerability exists in framework/views/errorHandler/exception.

The code_generator.phps example does not filter user input prior to output. This file is distributed with a .phps extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There's also an undisclosed potential XSS vulnerability in the default exception handler (unused by default).

DNN (aka DotNetNuke) has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."

Csrf.cs in NancyFX Nancy has Remote Code Execution via Deserialization of JSON data in a CSRF Cookie.

In the XSS Protection API module in Apache Sling, the method XSS.getValidXML() uses an insecure SAX parser to validate the input string, which allows for XXE attacks in all scripts which use this method to validate user input, potentially allowing an attacker to read sensitive data on the filesystem, perform same-site-request-forgery (SSRF), port-scanning behind the firewall or DoS the application.

In the XSS Protection API module in Apache Sling, the encoding done by the XSSAPI.encodeForJSString() method is not restrictive enough and for some input patterns allows script tags to pass through unencoded, leading to potential XSS vulnerabilities.

When access is denied, mysql_pconnect() raises a warning that exposes the user credentials.

phpMyAdmin is vulnerable to an open redirect weakness.

Apache OpenMeetings does not check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server.

Apache OpenMeetings responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.

Apache OpenMeetings is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.

Modx is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges.

phpMyAdmin is vulnerable to a weakness where a user with appropriate permissions is able to connect to an arbitrary MySQL server.

Mautic fails to set flags on session cookies.

Chef Software's mixlib-archive are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using .. in tar archive entries.

Apache OpenMeetings has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.

Akeneo PIM is vulnerable to shell injection in the mass edition, resulting in remote code execution.

Kubernetes is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.

Moodle has a user fullname disclosure through the user preferences page.

The re-key admin monitor in Jenkins re-encrypts all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups are world-readable and not removed.

Apache OpenMeetings displays Tomcat version and detailed error stack trace.

The course overview block reveals activities in hidden courses.

Uploaded XML documents are not correctly validated in Apache OpenMeetings.

Apache OpenMeetings uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.

Course creators are able to change system default settings for courses.

phpMyAdmin is vulnerable to a DoS weakness in the table editing functionality.

Apache OpenMeetings is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.

phpMyAdmin is vulnerable to a DoS attack in the replication status by using a specially crafted table name.

A weakness was discovered where an attacker can inject arbitrary values in to the browser cookies.

The qs module is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework crash.

Akka is vulnerable to a java deserialization attack in its remoting component, resulting in remote code execution in the context of the ActorSystem.

phpMyAdmin is vulnerable to a CSS injection attack through crafted cookie parameters.

Bolt CMS allows stored XSS by uploading an SVG document with a Content-Type: image/svg+xml header.

Mapbox is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON Name.

Mapbox is vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios via TileJSON name and map share control

Bolt CMS allows stored XSS via text input, as demonstrated by the Title field of a new entry.

Global and Room chat are vulnerable to XSS attack in Apache OpenMeetings.

Plotly suffers from an XSS issue.

Apache OpenMeetings is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.

RVM automatically loads environment variables from files in $PWD resulting in command execution.

Apache OpenMeetings updates user password in insecure manner.

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack.

If an application allows to enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

Missing anchor in generated regex for rack-cors allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.

It is possible for an attacker to take advantage of a user's trust in the server to trick them into visiting a link that points to a shared Spark cluster and submits data including MHTML to the Spark master, or history server. This data, which could contain a script, would then be reflected back to the user and could be evaluated and executed by MS Windows-based clients. It is not …

In Netwide Assembler (NASM) rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.

This package uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using …

This package allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

ikst downloads resources over HTTP, which leaves it vulnerable to MITM attacks.

gfe-sass downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

A Cross-site scripting allows remote attackers to inject arbitrary web script or HTML via the body to blog/add/.

In Netwide Assembler (NASM) rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. For example, it causes a corrupted double-linked list in detoken(), a double free or corruption in delete_Token(), and an out-of-bounds write …

An XSS can be exploited through index.php in Zen by means of the products_id parameter.

f2e-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by f2e-server requiring elevated privileges to run.

Multiple cross-site request forgery vulnerabilities are present in vimbadmin.

Dolibarr ERP/CRM allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.

Remote Code Execution Vulnerability in shopware.

SPIP does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

Jetty is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

The client libraries in Apache Thrift might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.

Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to false) can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data binding property mappings.

The mail package does not disallow CRLF in email addresses; an attacker can inject SMTP commands in specially crafted email addresses passed to RCPT TO and MAIL FROM.

Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.

There are certain user input components in the UI which had been guarding for some forms of XSS issues but were insufficient.

Craft CMS allows for a potential XSS attack vector by uploading a malicious SVG file.

Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework via null or malformed token identifiers.

Cross-site request forgery (CSRF) vulnerability in Zend/Validator/Csrf in Zend Framework via null or malformed token identifiers.

Improprer symlink handling in zone, jail, and chroot connection plugins could lead to escape from confined environment. File copying is not performed by code that is operating within the restricted environment (chroot, jail, or zone).

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. The Default Servlet in Apache Tomcat does not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured …

TeamPass is vulnerable to an SQL injection in users.queries.php.

Dolibarr ERP/CRM is vulnerable to an SQL injection in user/index.php (search_supervisor and search_statut parameters).

In Apache Hadoop, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this behavior an attacker with the ability to man-in-the-middle a developer or system performing a package installation could compromise the integrity of the installation.

The pidusage module passes unsanitized input to child_process.exec, resulting in command injection in the ps method, as the pid is never cast to an integer as the comment expects. This module is vulnerable to this PoC on Darwin, SunOS, FreeBSD, and AIX. Windows and Linux are not vulnerable.

The LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root.

Under certain circumstances, it’s possible to execute an authorized foreign code in Shopware.

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive does not seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) …

Apache Hive (JDBC + HiveServer2) implements SSL for plain TCP and HTTP connections (it supports both transport modes). While validating the server's certificate during the connection setup, the client in Apache Hive does not seem to be verifying the common name attribute of the certificate. In this way, if a JDBC client sends an SSL request to server abc.com, and the server responds with a valid certificate (certified by CA) …

Missing state parameter in OAuth requests leading to CSRF vulnerability.

There's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice …

There's a vulnerability that allows phishing attempts on users of the application. Using the password reset system, malicious users can attempt to trick your users into entering their login credentials into a separate application that they control. Since the password reset notification uses the host of the incoming request to build the password reset URL, the host of the password reset URL may be spoofed. If users do not notice …

This package does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host.

Directory traversal vulnerability in Contao allows remote authenticated back end users to view files outside their file mounts or the document root via unspecified vectors.

An authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox.

Both Firefox and Safari are vulnerable to XSS if we use an inert document created via document.implementation.createHTMLDocument().

This package rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring …

Under some situations, this package is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

This package did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

When processing user provided XML documents, the Spring Framework does not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

Spring Security relies on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring …

The ActiveDirectoryLdapAuthenticator in this package does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

When using the CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, …

Multiple cross-site scripting vulnerabilities in vimbadmin.

Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session.

Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session.

Cairo is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.

The findLoad method passes a provided string directly to the shell, allowing arbitrary command execution.

libxml2 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

libxml2 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

libxml2 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash.

A buffer overflow was discovered in libxml2 . The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits …

libxml2 is vulnerable to a stack-based buffer overflow. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. At the end of the routine, the function may strcat two more characters without checking whether the current strlen(buf) + 2 < size. This vulnerability causes programs that use libxml2, such as PHP, to crash.

Arbitrary shell execution in php_codesniffer.

A malicious web application could create new clients, or reset secrets, etc, after the admin user has logged on to the client registration service and the session is still active.

Apache CXF Fediz ships with a number of container-specific plugins to enable WS-Federation for applications that were found vulnerable to Cross-Site Request Forgery.

A properly crafted filename would allow for arbitrary code execution when using the –filter=gitmodified command line option

Sensitive data may be stored on disk in temporary files on the Ambari Server host. The temporary files are readable by any user authenticated on the host.

Remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.

In Moodle, searching of arbitrary blogs is possible because a capability check is missing.

A CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

pygmentize contains a Remote Code Execution vulnerability.

Cross-site scripting vulnerability in ADOdb allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

An authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes.

Keycloak does not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

An elevation of privilege vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

A spoofing vulnerability exists when the ASP.NET Core fails to properly sanitize web requests.

A denial of service vulnerability exists when the ASP.NET Core fails to properly validate web requests. NOTE: Microsoft has not commented on third-party claims that the issue is that the TextEncoder.EncodeCore function in the System.Text.Encodings.Web package in ASP.NET Core Mvc allows remote attackers to cause a denial of service by leveraging failure to properly calculate the length of 4-byte characters in the Unicode Non-Character range.

Cross-site scripting vulnerability in the baserCMS Blog plugin allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in the baserCMS Blog plugin allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in baserCMS allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Cross-site request forgery (CSRF) vulnerability in the baserCMS Mail plugin allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Dolibarr has an SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.

The htmlParseTryOrFinish function in HTMLparser.c in libxml2 allows attackers to cause a denial of service (buffer over-read) or information disclosure.

Dolibarr ERP/CRM stores passwords with the MD5 algorithm, which makes brute-force attacks easier.

Dolibarr ERP/CRM allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.

Dolibarr has an XSS in doli/societe/list.php via the sall parameter.

Multiple cross-site request forgery vulnerabilies exist in Matic.

Product: Apache Cordova Android. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. When using platforms prior to Android (Jelly Bean), …

Cookie leakage to wrong origins and non-restricted cookie acceptance

A null dereference vulnerability has been found in the MIME handling component of LibEtPan.

forgotpassword.php lacks a rate limit, which might allow remote attackers to cause a denial of service (login inability) or possibly conduct Arbitrary User Password Reset attacks via a series of requests.

Zen Cart has an XSS in the main_page parameter to `index.php.

Cookies of foo.bar.example.com are leaked to foo.bar. Additionally, any site can set cookies for any other site.

pcre2test.c in PCRE2 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression.

GeniXCMS has an XSS that can be triggered by a comment that is mishandled during a publish-operation by an administrator.

GeniXCMS has an XSS that can be triggered by an authenticated user who submits a page.

RuboCop does not use /tmp in safe way, allowing local users to exploit this to tamper with cache files belonging to other users.

Carefully crafted requests can expose information about strings and objects allocated during the request for unauthorised users.

Craft CMS does not prevent modification of the URL in a forgot-password email message.

GeniXCMS has an SQL Injection in inc/lib/Control/Backend/menus.control.php that can be exploited via the menuid parameter.

PCRE2 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures."

Craft CMS does not properly restrict viewing the contents of files in the craft/app/ folder.

GeniXCMS contains an XSS that can be triggered by an authenticated comment that is mishandled during a mouse operation by an administrator.

Craft CMS allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based.

GeniXCMS allows remote attackers to bypass the alertDanger MSG_USER_EMAIL_EXIST protection mechanism via a register.php?act=edit&id=1` request.

When a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(<void/>) call.

gomeplus-h5-proxy is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL.

smalruby-editor allows remote attackers to execute arbitrary OS commands via unspecified vectors.

cnvs.io has XSS in the title and content fields of a Posts > Add New action, and during creation of new tags and users.

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace

The HDFS web UI in Apache Hadoop is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

The xsltAddTextString function in transform.c in libxslt, as used by nokogiri, lacks a check for integer overflow during a size calculation, which allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors.

An easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors.

Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL.

Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.

pooledwebsocket is vulnerable to Directory Traversal, which may allow access to files and data stored on the server.

hftp is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Craft CMS allows XSS attacks.

Under certain conditions it is possible to execute unauthorized code in Shopware.

The "restore teacher" feature in Moodle allows remote authenticated users to overwrite the course id number.

The user editing form in Moodle allows remote authenticated users to edit profile fields locked by the administrator.

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

A Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle allows remote attackers to hijack the authentication of users for requests that marks forum posts as read.

Drupal allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

AESCrypt.encrypt and AESCrypt.decrypt functions are not randomized with an Initialization Vector (IV), which allows attackers to defeat cryptographic protection mechanisms via a chosen plaintext attack.

This is a critical access bypass vulnerability in Drupal.

Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack …

Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.

A known /tmp filename is used during passenger-install-nginx-module execution, which can allow local attackers to gain the privileges of the passenger user.

JAX-RS XML Security streaming clients in Apache CXF does not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

badjs-sourcemap-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack …

When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

When "send file" is used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

The refactoring of the HTTP connectors introduced a regression in the send file processing. If the file processing completed quickly, it is possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Some calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

The OAuth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

By default, Ember will escape any values in Handlebars templates that use double curlies ({{value}}). Developers can specifically opt out of this escaping behavior by passing an instance of SafeString rather than a raw string, which tells Ember that it should not escape the string because the developer has taken responsibility for escapement. It is possible for an attacker to create a specially-crafted payload that causes a non-sanitized string to …

handler/ssl/OpenSslEngine.java in this package allows remote attackers to cause a denial of service (infinite loop).

This advisory has been marked as a false positive.

The FeedProxy.aspx script in Umbraco allows remote attackers to proxy requests on their behalf via the "url" parameter.

Forms did not have proper html escaping. This means that if the application did not sanitize html on behalf of forms, use of forms may be vulnerable to cross site scripting

Because of the way errors are handled, an attacker that forces an error can crash the server, causing a denial of service.

The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.

web2py does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.

Apache Ignite allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents.

Apache Tika allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

When hapi encounters a malformed accept-encoding header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.

When a cluster has enabled security by setting the security-manager property, allows remote authenticated users with CLUSTER:READ but not DATA:READ permission to access the data browser page in Pulse and consequently execute an OQL query that exposes data stored in the cluster.

file_open in Tryton allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack.

During installation, Ambari Server artifacts are not created with proper ACLs.

An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

The vulnerability exists due to insufficient filtration of user-supplied data (mail) passed to the SocialNetwork-andrea/app/template/pw_forgot.php URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

There is XSS in the Course summary filter of the "Add a new course" page.

go-jose before suffers from a CBC-HMAC integer overflow on architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on architectures.

The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Apache Camel's Jackson and JacksonXML unmarshalling operation is vulnerable to Remote Code Execution attacks.

A reflected Cross-site scripting exists in yii2.

Netflix Security Monkey has an Open Redirect. The logout functionality accepted the "next" parameter which then redirects to any domain irrespective of the Host header.

An SQL injection can occur via user preferences.

In Moodle global search displays user names for unauthenticated users.

An XSS can occur via evidence of prior learning.

In Moodle, an XSS can occur via attachments to evidence of prior learning.

This package allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Apache POI allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Pi Engine CMS contains a Cross-Site Scripting vulnerability.

jQuery's main method in affected versions contains an unreliable way of detecting whether the input to the jQuery(strInput) function is intended to be a selector or HTML.

When text/javascript responses are received from cross-origin ajax requests not containing the option dataType, the result is executed in jQuery.globalEval potentially allowing an attacker to execute arbitrary code on the origin.

An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

libpcre1 in PCRE and libpcre2 in PCRE2 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup.

An issue was discovered in includes/component. It is possible for authenticated users to edit documents of other users without proper permissions.

TYPO3 sends an HTTP request to an index.php?loginProvider URI in cases with an HTTP Referer, which allows remote attackers to obtain sensitive cleartext information by sniffing the network and reading the userident and username fields.

A 3rd party development library included with Drupal development dependencies is vulnerable to remote code execution

A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your …

Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Some administrative paths in Drupal does not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

This package is vulnerable against SSRF via remote DTDs and XXE.

When adding a private file via the editor in Drupal, the editor will not correctly check access for the file being attached, resulting in an access bypass.

When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid.

Cross-site scripting (XSS) vulnerability in jQuery UI might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true. This can result in a cross-site scripting vulnerability because user input is assumed to be escaped, but is not.

Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser.

A serialization vulnerability was found in the SocketServer and ServerSocketReceiver components.

node-jose is vulnerable to an invalid curve attack. This allows an attacker to recover the private secret key when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used.

remarkable allows the use of data: URIs.

EpicEditor contains an XSS vulnerability because of an insecure default marked.js configuration. An example attack vector is a crafted IMG element in an HTML document.

http-signature signs only the header values, but not the header names. This makes http-signature vulnerable to header forgery. Thus, if an attacker can intercept a request, he can swap header names and change the meaning of the request without changing the signature.

Running $sanitize on bad HTML can freeze the browser. The problem occurs with clobbered data; typically the "nextSibling" property on an element is changed to one of it's child node, this makes it impossible to walk the HTML tree and leads to an infinite loop which freezes the browser.

This package is vulnerable to Java object de-serialization vulnerability. Camel allows to specify such a type through the CamelJacksonUnmarshalType property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

This package is vulnerable to Java object de-serialization vulnerability. Camel allows to specify such a type through the CamelJacksonUnmarshalType property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. Deserializing untrusted data can lead to security flaws.

There is an XSS in SilverStripe CMS.

Multiple Cross-Site Scripting vulnerabilities exist in inter-mediator. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

The package festivaltts4r passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to the to_speech and to_mp3 methods in lib/festivaltts4r/festival4r.rb library.

The gem passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to the speak, save, bytes and bytes_wav methods in the lib/espeak/speech.rb library.

brace expansion is vulnerable to Regular Expression Denial of Service attacks.

This release contains a fix for a security advisory related to the improper handling of shell commands. Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases A properly crafted filename or configuration option would allow for arbitrary code execution when using some features.

TYPO3 is vulnerable to Cross-Site Scripting.

An error during signature verification can be treated as a successful verification.

An error during signature verification can be treated as a successful verification.

Authentication Bypass in TYPO3 Frontend.

XSS in TYPO3 CMS.

Due to late TCA initialization the authentication service fails to restrict frontend user according to the validation rules. Therefore it is possible to authenticate restricted (e.g. disabled) frontend users.

The Zip::File component in the rubyzip gem for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses ../ pathname substrings to write arbitrary files to the filesystem.

Arbitrary shell execution in php_codesniffer.

, AngularJS allows bootstrapping of invalid/bad svg and currentScript if it was clobbered.

Remote attackers can inject arbitrary web script or HTML via the token parameter.

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [\w]* in a regular expression.

An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider. This vulnerability is not to be confused with the one described and related to SAML 2 …

An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.

Froxl uses the PHP rand function for random number generation, which makes it easier for remote attackers to guess the password reset token by predicting a value.

Passing untrusted data to the .deserialize function can cause arbitrary code execution through an Immediately Invoked Function Expression (IIFE).

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display.

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display.

An issue was discovered in the node-serialize package for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).

Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.

node-serialize can be abused to execute arbitrary code via a Immediately Invoked Function Expression (IIFE) if untrusted user input is passed into unserialize()

There's a flaw in LdapBindAuthenticationProvider that allows for an unauthorized access on a misconfigured LDAP server when using an empty password. Applications are affected only if they use the LDAP authentication provider.

There's a flaw in LdapBindAuthenticationProvider that allows for an unauthorized access on a misconfigured LDAP server when using an empty password. Applications are affected only if they use the LDAP authentication provider.

A remote attacker could learn information about the exact PHP version run by the affected system, allowing the search for vulnerabilities known to work with that version.

Symfony allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block.

The installation wizard in DotNetNuke (DNN) allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.

PECL in the download utility class in the Installer in PEAR Base System does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. in an extracted filename.

Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. in an extracted filename.

SilverStripe is vulnerable to XSS via the page name. For instance, page name "><svg/onload=alert(/xss/)> will trigger an XSS alert.

The png_set_text_2 function in libpng allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

OkHttp allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

OkHttp allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

nes has a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to cookie. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.

An issue was discovered in Pagekit. In this vulnerability the remote attacker is able to reset the registered user's password, when the debug toolbar is enabled. The password is successfully recovered using this exploit.

Remote Code Execution Vulnerability in shopware.

The package ruby-saml is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced two elements at the same time (but past the scheme validator process since 1 of the element was inside the encrypted assertion).

The tar module allow for archives to contain symbolic links that will overwrite targets outside the expected path for extraction.

The send module discloses the root path.

Under certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware.

uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse(). A regular expression leading to a very long processing time can be used to make the program hang for a very long time.

ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

Extbase in TYPO3 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action.