Advisories

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in axois.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in blingjs.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in codify.

pm2-kafka is a PM2 module that installs and runs a kafka server pm2-kafka downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

roslib-socketio - The standard ROS Javascript Library fork for add support to socket.io roslib-socketio downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in regenraotr.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in react-dates-sc.

apk-parser3 is a module to extract Android Manifest info from an APK file. apk-parser3 versions before 0.1.3 download binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in soket.js.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in regenrator.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in another-date-range-picker.

Cross-site scripting (XSS) vulnerability in dijit.Editor in Dojo before 1.1 allows remote attackers to inject arbitrary web script or HTML via XML entities in a TEXTAREA element.

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in mrk.js.

Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in react-marked-markdown.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in md-data-table.

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jingo.

Improper Neutralization in buefy.

The promisehelpers package is vulnerable to Prototype Pollution via the insert function.

The gammautils package is vulnerable to Prototype Pollution via the deepSet and deepMerge functions.

uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.

The confucious package is vulnerable to Prototype Pollution via the set function.

The deeps package is vulnerable to Prototype Pollution via the set function.

The safe-object2 package is vulnerable to Prototype Pollution via the setter function.

The gedi package is vulnerable to Prototype Pollution via the set function.

Improper Input Validation in personnummer.

The locutus package is vulnerable to Prototype Pollution via the php.strings.parse_str function.

The dot-notes package is vulnerable to Prototype Pollution via the create function.

The node-oojs package is vulnerable to Prototype Pollution via the setPath function.

The tiny-conf package is vulnerable to Prototype Pollution via the set function.

The arr-flatten-unflatten package is vulnerable to Prototype Pollution via the constructor.

ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.

The package node-forge is vulnerable to Prototype Pollution via the util.setPath function. Note, it is a breaking change removing the vulnerable functions.

The nodee-utils package is vulnerable to Prototype Pollution via the deepSet function.

The worksmith package is vulnerable to Prototype Pollution via the setValue function.

The deep-get-set package is vulnerable to Prototype Pollution via the main function.

MAGMI is vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection failure. A remote attacker can trigger this connection failure if the Mysql setting max_connections where the default is and is lower than Apache (or another web server) setting for MaxRequestWorkers, formerly MaxClients, where the default is This can be done by sending at least simultaneous requests to the Magento …

Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort. Recommendation Update to version 3.0.0 or later.

A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.

In Apache Cassandra, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables …

All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a byte value being returned, but one that is easily guessable. Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances …

adamvr-geoip-lite is a light weight native JavaScript implementation of GeoIP API from MaxMind adamvr-geoip-lite downloads geoip resources over HTTP, which leaves it vulnerable to MITM attacks. This impacts the integrity and availability of this geoip data that may alter the decisions made by an application using this data.

Affected versions of yjmyjmyjm resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Affected versions of wenluhong1 resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Affected versions of nodeload-nmickuli resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. Example request: GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo Recommendation No patch is available for this vulnerability. It is recommended that the package is only used for local development, and …

Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system. The featurebook package is not intended to be run in production code nor to be exposed to an untrusted network. Proof of Concept GET /../../../../../../../../../../etc/passwd HTTP/1.1 host:foo …

The @vivaxy/here module is a small web server that serves files with the process' working directory acting as the web root. It is vulnerable to a directory traversal attack. This means that files on the local file system which exist outside of the web root may be disclosed to an attacker. This might include confidential files. Mitigating Factors: If the node process is run as a user with very limited …

Versions of yar prior to 2.2.0 are affected by a denial of service vulnerability related to an invalid encrypted session cookie value. When an invalid encryped session cookie value is provided, the process will crash. Recommendation Update to version 2.2.0 or later.

Affected versions of mqtt will cause the node process to crash when receiving specially crafted MQTT packets, making the application vulnerable to a denial of service condition. Recommendation Update to v1.0.0 or later

All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing text+@[toc] causes the application to enter and infinite loop. No fix is currently available. Consider using an alternative module until a fix is made available.

Affected versions of swagger-ui are vulnerable to cross-site scripting in both the consumes and produces parameters of the swagger JSON document for a given API. Additionally, swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter url, allowing an attacker to exploit this attack against any user that the attacker can convince to visit a crafted link. Proof of Concept http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json Recommendation Update to version 2.2.1 …

Affected versions of swagger-ui are vulnerable to cross-site scripting via the url query string parameter. Recommendation Update to 2.2.1 or later.

Affected versions of swagger-ui are vulnerable to cross-site scripting. This vulnerability exists because swagger-ui automatically executes external Javascript that is loaded in via the url query string parameter when a Content-Type: application/javascript header is included. An attacker can create a server that replies with a malicious script and the proper content-type, and then craft a swagger-ui URL that includes the location to their server/script in the url query string parameter. …

Affected versions of fuelux contain a cross-site scripting vulnerability in the Pillbox feature. By supplying a script as a value for a new pillbox, it is possible to cause arbitrary script execution. Recommendation Update to version 3.15.7 or later.

Affected versions of emojione are vulnerable to cross-site scripting when user input is passed into the toShort(), shortnameToImage(), unicodeToImage(), and toImage() functions. Recommendation Update to version 1.3.1 or later.

Affected versions of c3 are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. Recommendation Update to 0.4.11 or later.

All versions of bootstrap-tagsinput are vulnerable to cross-site scripting when user input is passed into the itemTitle parameter unmodified, as the package fails to properly sanitize or encode user input for that parameter. Recommendation This package is not actively maintained, and has not seen an update since 2015. Because of this, the simplest mitigation is to avoid using the itemTitle parameter. With over 200 open issues and over 100 open …

Affected versions of pivottable are vulnerable to cross-site scripting, due to a new mechanism used to render JSON elements. Recommendation Update to version 2.0.0 or later.

Jenkins JSGames Plugin evaluates part of a URL as code, resulting in a reflected cross-site scripting (XSS) vulnerability.

Jenkins Cadence vManager Plugin does not escape build descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

The Jenkins Valgrind Plugin does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.

Jenkins Git Parameter Plug does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Jenkins Build Failure Analyzer Plugin does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.

MAGMI is vulnerable to CSRF due to the lack of anti-CSRF tokens. RCE (via phpcli command) is possible in the event that a CSRF is leveraged against an existing admin session for MAGMI.

A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin allows attackers to execute arbitrary SQL scripts.

A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin allows attackers to connect to an attacker-specified database server using attacker-specified credentials.

Versions of samsung-remote are vulnerable to command injection. This vulnerability is exploitable if user input is passed into the ip option of the package constructor. Update to or later.

Jenkins SoapUI Pro Functional Testing Plugin transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.

The Jenkins SoapUI Pro Functional Testing Plugin transmits project passwords in its configuration in plain text as part of job configuration forms, potentially resulting in their exposure.

Versions of serve before 6.5.2 are vulnerable to the bypass of the ignore functionality. The bypass is possible because validation happens before canonicalization of paths and filenames. Example: Here we have a server that ignores the file test.txt. const serve = require('serve') const server = serve(__dirname, { port: 1337, ignore: ['test.txt'] }) Using the URL encoded form of a letter (%65 instead of e) attacker can bypass the ignore control …

ep_imageconvert is a plugin for Etherpad Lite. ep_imageconvert <= 0.0.2 is vulnerable to remote command injection. Authentication is not required for remote exploitation. Recommendation Update to version 0.0.3 or greater.

Versions of validator prior to 3.22.1 are affected by a regular expression denial of service vulnerability in the isURL method. Recommendation Update to version 3.22.1 or later.

ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.

scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node.js allows remote attackers to execute arbitrary commands.

node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware

Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.

Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.

The inert directory handler in inert node module before 1.1.1 always allows files in hidden directories to be served, even when showHidden is false.

Versions less than 0.1.4 of the static file server module fancy-server are vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the served directory.

paypal-ipn before 3.0.0 uses the test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.

Dolibarr is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter.

Cross-Site Request Forgery (CSRF) in jquery-ujs.

Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with …

A buffer over-read vulnerability exists in bl which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

This affects the package json. It is possible to inject arbritary commands using the parseLookup function.

This advisory has been marked as a false positive.

MPXJ suffers from XXE vulnerabilities. This affects the GanttProjectReader and PhoenixReader components.

The Spinnaker template resolution functionality is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to send requests on behalf of Spinnaker potentially leading to sensitive data disclosure.

An XSS vulnerability was discovered in noVNC in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.

baserCMS content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js.

baserCMS is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components is toolbar.php.

baserCMS is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The affected components are ThemeFilesController.php and UploaderFilesController.php.

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager, API Manager Analytics, API Microgateway, Data Analytics Server, Enterprise Integrat, IS as Key Manager, Identity Server, Identity Server Analytics, and IoT Server

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the ps bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine as well as …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in flood.

An issue was discovered in MoscaJS Aedes lib/write.js does not properly consider exceptions during the writing of an invalid packet to a stream.

In the nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.

In nodebb-plugin-blog-comments, a logged in user is vulnerable to an XSS attack which could allow a third party to post on their behalf on the forum. This is due to lack of CSRF validation.

In Netwide Assembler (NASM) rc10, there is heap use-after-free in saa_wbytes in nasmlib/saa.c.

GNU Bison has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated …

In Netwide Assembler (NASM), SEGV can be triggered in tok_text in asm/preproc.c by accessing READ memory.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in highcharts.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

A Cross Site Scripting vulnerability was found in Codiad. The vulnerability occurs because of improper sanitization of the folder name $path variable in components/filemanager/class.filemanager.php.

** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forgery (SSRF) vulnerability was found in Codiad v1.7.8. A user with admin privileges could use the plugin install feature to make the server request any URL via components/market/class.market.php. This could potentially result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."

wolfSSL mishandles TLS server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS client state machine. This allows attackers in a privileged network position to completely impersonate any TLS servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.

** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by …

A RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia module's leaderboard command. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

A RCE exploit has been discovered in the Streams module: this exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Metadadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid. The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates.

The Management Console in WSO2 API Manager allows XML External Entity injection (XXE) attacks.

The Management Console in WSO2 API Manager allows XML Entity Expansion attacks.

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates.

Dolibarr CRM allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which disabled is changed to enabled in the HTML source code.

This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine.

wolfSSL mishandles the change_cipher_spec (CCS) message processing logic for TLS If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service.

An issue was discovered in the DTLS handshake implementation in wolfSSL. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application.

An issue was discovered in wolfSSL when single precision is not employed. signing with a private key).

An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if …

Path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. Giving this a CVSS score of 3.0 (Low) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:U/RC:C

Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. Giving this a CVSS of 8.0 (high) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C .

In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

In SyliusResourceBundle request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

Magento allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks.

This advisory has been marked as a false positive.

HashiCorp vault-ssh-helper up to and including version incorrectly accepted Vault-issued SSH OTPs for the subnet in which a host's network interface was located, rather than the specific IP address assigned to that interface.

In auth0-lock dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

OpenMage LTS before versions 19.4.6 and 20.0.2 allows attackers to circumvent the fromkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks. This issue is related to Adobe's CVE-2020-9690. It is patched in versions 19.4.6 and 20.0.2.

The path package is vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.

The package property-expr is vulnerable to Prototype Pollution via the setter function.

connie-lang is vulnerable to Prototype Pollution in the configuration language library used by connie.

The path package is vulnerable to Prototype Pollution via the set, unSet, pushVal and pullVal functions.

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

All versions of package templ8 are vulnerable to Prototype Pollution via the parse function.

nis-utils is vulnerable to Prototype Pollution via the setValue function.

ftp-srv is vulnerable to Server-Side Request Forgery. The PORT command allows arbitrary IPs which can be used to cause the server to make a connection elsewhere. A possible workaround is blocking the PORT through the configuration.

A vulnerability in phpBB's remote image dimensions check can be abused to execute SSRF attacks.

lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

ldebug.c attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.

ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based), aka 'Scripting Engine Memory Corruption Vulnerability'.

The Replication handler allows commands backup, restore and deleteBackup. Each of these take a location parameter, which was not validated, i.e., you could read/write to any location the solr user can access.

A denial of service vulnerability exists when ASP.NET Core improperly handles web requests, aka 'ASP.NET Core Denial of Service Vulnerability'.

The package linux-cmdline is vulnerable to Prototype Pollution via the constructor.

In Apache Shiro a specially crafted HTTP request may cause an authentication bypass.

Apache Shiro, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

In Play Framework, the CSRF filter can be bypassed by making CORS requests with content types that contain parameters that can't be parsed.

madlib-object-utils is vulnerable to Prototype Pollution via setValue.

phpjs is vulnerable to Prototype Pollution via parse_str.

The resolveRepositoryPath function does not properly validate user input and a malicious user may traverse to any valid Git repository outside the repoRoot. This issue may lead to unauthorized access of private Git repositories as long as the malicious user knows or brute-forces the location of the repository.

A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.

A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.

A cross-site scripting (XSS) vulnerability in TinyMCE allows remote attackers to inject arbitrary web script when configured in classic editing mode.

The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.

JerryScript allows stack consumption via function a(){new new Proxy(a,{})}JSON.parse("[]",a).

JerryScript is vulnerable to a buffer over-read.

Lua through allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.

Jenkins does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

Jenkins Yet Another Build Visualizer does not escape tooltip content, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.

Jenkins does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.

Jenkins does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

A cross-site request forgery (CSRF) vulnerability in Jenkins Flaky Test Handler allows attackers to rebuild a project at a previous git revision.

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tinymce.

An improperly initialized migrationAuth' value in Google's go-tpm library can lead an eavesdropping attacker to discover the authvalue for a key created with CreateWrapKey. An attacker listening in on the channel can collect bothencUsageAuthandencMigrationAuth, and then can calculate usageAuth ^ encMigrationAuthas themigrationAuthcan be guessed for all keys created withCreateWrapKey`.

Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed. Adding the following content to the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>.

Cross-Site Request Forgery in datasette.

jpv (aka Json Pattern Validator) does not properly validate input, as demonstrated by a corrupted array.

TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

TinyMCE allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

** DISPUTED ** Prometheus Blackbox Exporter allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.

Prism is vulnerable to Cross-Site Scripting. The easing preview of the previewer plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer.

etcd does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.

The etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.

In etcd, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the –endpoints flag. This has been fixed with improved documentation and deprecation of the functionality.

When using H₂/MySQL/TiDB as Apache SkyWalking storage, there is an SQL injection vulnerability in the wildcard query cases.

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned …

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 …

In Contour (Ingress controller for Kubernetes), a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flipping the readiness endpoint to false, which removes Envoy from the routing pool. When running Envoy (For example on the host network, pod spec hostNetwork=true), the shutdown manager's endpoint …

The Chartkick gem for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in angular.

In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a 400 error code is returned, along with a error message saying that this user name does not exist. This enables attackers to retrieve valid usernames. Also, the response of the …

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be …

Cross-Site Request Forgery (CSRF) in polaris-website.

The Field Test gem for Ruby allows CSRF.

The PgHero gem allows CSRF.

This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …

This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …

In solidus, there is an ability to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes …

This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zone are impacted. This problem comes from how checkout permitted attributes are structured. We have a single list of attributes that are permitted across the …

save-server is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The CSRF attack would require you to navigate to a malicious site while you have an active session with Save-Server (Session key stored in cookies). The malicious user would then be able to perform some actions, including uploading/deleting files and adding redirects. If you are logged in as root, this attack is significantly more severe. …

Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set.

In OctoberCMS, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as …

In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection …

In faye-websocket, there is a lack of certification validation in TLS handshakes. The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any wss: connection …

A denial of service vulnerability exists in Fastify that allows a malicious user to trigger resource exhaustion (when the allErrors option is used) with specially crafted schemas.

The DAO/DTO implementation in SpringBlade through allows SQL Injection in an ORDER BY clause. This is related to the /api/blade-log/api/list ascs and desc parameters.

This affects the package express-fileupload. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

In SLPJS (npm package slpjs), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.

In SLP Validate (npm package slp-validate), there is a vulnerability to false-positive validation outcomes for the NFT1 Child Genesis transaction type. A poorly implemented SLP wallet or opportunistic attacker could create a seemingly valid NFT1 child token without burning any of the NFT1 Group token type as is required by the NFT1 specification.

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code …

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any …

A malicious user could inject commands through the _data variable

Magento has an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

In auth0 (npm package), a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. and you are using a Machine to Machine application authorized to use Auth0's management API.

Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access Control.

Virtual Machine Instances (VMIs) can be used to gain access to the host's filesystem. Successful exploitation allows an attacker to assume the privileges of the VM process on the host system. In worst-case scenarios an attacker can read and modify any file on the system where the VMI is running. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in git-tags-remote.

The turn extension through 0.3.2 for TYPO3 allows Remote Code Execution.

This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in readFile operation inside the readFileFromContentBase function.

In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal encryptionKey was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes …

In TYPO3 CMS, in a case where an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1), it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch typo3conf/LocalConfiguration.php, which again contains the encryptionKey as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, …

Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

In auth0 (npm package) and you are using a Machine to Machine application authorized to use Auth0's management API

The Kubernetes ingress-nginx component allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type.

In TYPO3 installations with the mediace extension, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation.

In TYPO3 CMS, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains including potential privilege escalation, insecure deserialization & remote code execution. The overall severity of this vulnerability is high based on mentioned attack chains and the requirement of having a valid …

The dlf (aka Kitodo.Presentation) for TYPO3 allows XSS.

Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.

In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.

This affects all versions of package UmbracoForms. When using the default configuration for upload forms, it is possible to upload arbitrary file types. The package offers a way for users to mitigate the issue. The users of this package can create a custom workflow and frontend validation that blocks certain file types, depending on their security needs and policies.

In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.

In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.

In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.

An issue was found in Apache Airflow versions 1.10.10 and below. A stored XSS vulnerability was discovered in the Chart pages of the the "classic" UI.

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.

Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.

In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out-of-bounds reads exist in the parsing of SGI image files, a different issue than CVE-2020-5311.

An issue was found in Apache Airflow versions 1.10.10 and below. It was discovered that many of the admin management screens in the new/RBAC UI handled escaping incorrectly, allowing authenticated users with appropriate permissions to create stored XSS attacks.

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.

LibEtPan has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a begin TLS response, the client reads additional data (e.g., from a meddler-in-the-middle attacker) and evaluates it in a TLS context, aka response injection.

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.

kube-proxy was found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to localhost running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or by containers running …

The Kubelet and kube-proxy components were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services bound to running on the node or in the node's network namespace. Such a service is generally thought to be reachable only by other processes on the same host, but due to this defeect, could be reachable by other hosts on the same LAN as the node, or …

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

Kylin has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command without any protection or validation.

In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c.

An authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit …

This affects all versions of package fast-http. There is no path sanitization in the path provided at fs.readFile in index.js.

This affects all versions of package rollup-plugin-server. There is no path sanitization in the readFile operation performed inside the readFileFromContentBase function.

This affects all versions of the marked-tree package. There is no path sanitization for the path provided in fs.readFile of index.js.

This affects all versions of the marscode package. There is no path sanitization for the path provided in fs.readFile of index.js.

This affects all versions of package rollup-plugin-dev-server. There is no path sanitization in the readFile operation inside the readFileFromContentBase function.

Uncontrolled resource consumption in jpeg-js allows attacker to launch denial of service attacks using specially a crafted JPEG image.

Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.

Lua has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.

The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

The Kubernetes kubelet component do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the …

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext." Example Code: async () => …

An SQL injection vulnerability in softwareupdate_controller.php in the Software Update module for MunkiReport allows attackers to execute arbitrary SQL commands via the last URL parameter of the /module/softwareupdate/get_tab_data/ endpoint.

An SQL injection vulnerability in reportdata_controller.php in the reportdata module for MunkiReport allows attackers to execute arbitrary SQL commands via the req parameter of the /module/reportdata/ip endpoint.

The UI in DevSpace allows web-sites to execute actions on pods (on behalf of a victim) because of a lack of authentication for the WebSocket protocol. This leads to remote code execution.

A Cross-Site Scripting (XSS) vulnerability in the munki_facts (aka Munki Conditions) module for MunkiReport allows remote attackers to inject arbitrary web script or HTML via the key name.

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

What kind of vulnerability is it? Who is impacted? JupyterHub deployments using: KubeSpawner <= 0.11.1 (e.g. zero-to-jupyterhub 0.9.0) and enabled named_servers (not default), and an Authenticator that allows: usernames with hyphens or other characters that require escape (e.g. user-hyphen or user@email), and usernames which may match other usernames up to but not including the escaped character (e.g. user in the above cases) In this circumstance, certain usernames will be able …

A buffer overflow in the patching routine of bsdiff4 allows an attacker to write to heap memory (beyond allocated bounds) via a crafted patch file.

In parser-server, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

Magento has a stored cross-site scripting vulnerability. Successful exploitation could lead to sensitive information disclosure.

Magento has a php object injection vulnerability. Successful exploitation could lead to arbitrary code execution.

In LibreNMS, an authenticated attacker can achieve SQL Injection via the customoid.inc.php device_id POST parameter to ajax_form.php.

Lua's getobjname suffers from a heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.

Sails.js allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request.

An issue was discovered in LibreNMS. It has insufficient access control for normal users in routes/web.php.

Lua mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

The uppy npm package is vulnerable to a Server-Side Request Forgery (SSRF) vulnerability, which allows an attacker to scan local or external networks or otherwise interact with internal systems.

A path traversal vulnerability in servey allows an attacker to read content of any arbitrary file.

In codecov (npm package), the upload method has a command injection vulnerability. Clients of the codecov-node library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. A similar CVE (CVE-2020-7597 for GHSA-5q88-cjfq-g2mh) was issued but the fix was incomplete. It only blocked &, and command injection is still possible using backticks instead to bypass the sanitizer. The attack surface is low in …

In Fiber, the filename that is given in c.Attachment() is not escaped, and therefore vulnerable for a CRLF injection attack. An attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().

When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.as_p (as directed in the documentation), any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy …

docsify is susceptible to Cross-site Scripting (XSS). Docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. Due to lack of validation here, it is possible to provide external URLs and render arbitrary JavaScript/HTML inside docsify page.

A buffer overflow is present in canvas version which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image.

This affects all versions of package rollup-plugin-serve. There is no path sanitization in readFile operation.

The kramdown gem processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution.

This affects all versions of package react-native-fast-image. When an image is loaded, all other subsequent images will use the same headers, this can lead to signing credentials or other session tokens being leaked to other servers.

Graylog lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections.

MIT Lifelong Kindergarten Scratch scratch-vm loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL content is treated as a script and is executed as a worker. The responsible code is getExtensionIdForOpcode in serialization/sb3.js. The use of _ is incompatible with a protection mechanism in older versions, in which URLs were split and consequently deserialization attacks were prevented.

Silverstripe CMS can be susceptible to script execution from malicious upload contents under allowed file extensions (for example HTML code in a TXT file). When these files are stored as protected or draft files, the MIME detection can cause browsers to execute the file contents.

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may …

A Path Traversal issue was discovered in the socket.io-file package for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.

Insufficient input validation in npm package may lead to OS command injection attacks.

In SilverStripe, a specific URL path configured by default through the silverstripe/framework module can be used to disclose the fact that a domain is hosting a Silverstripe application. There is no disclosure of the specific version. The functionality on this URL path is limited to execution in a CLI context, and is not known to present a vulnerability through web-based access. As a side effect, this preconfigured path also blocks …

The automatic permission-checking mechanism in the silverstripe/graphql module does not provide complete protection against lists that are limited (e.g., through pagination), resulting in records that should have failed a permission check being added to the final result set. GraphQL endpoints are configured by default (e.g., for assets), but the admin/graphql endpoint is access protected by default. This limits the vulnerability to all authenticated users, including those with limited permissions (e.g., …

Jenkins Gitlab Authentication Plugin does not perform group authorization checks properly, resulting in a privilege escalation vulnerability.

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator). A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code)

Jenkins does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.

Jenkins does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.

Jenkins does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.

Jenkins Deployer Framework Plugin does not escape the URL displayed in the build home page, resulting in a stored cross-site scripting vulnerability.

In SilverStripe, malicious users with a valid Silverstripe CMS login (usually CMS access) can craft profile information which can lead to XSS for other users through specially crafted login form URLs.

Jenkins Matrix Project Plugin does not escape the axis names shown in tooltips on the overview page of builds with multiple axes, resulting in a stored cross-site scripting vulnerability.

Jenkins Matrix Project Plugin does not escape the node names shown in tooltips on the overview page of builds with a single axis, resulting in a stored cross-site scripting vulnerability.

Jenkins Matrix Authorization Strategy Plugin does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.

Jenkins does not escape correctly the href attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability.

In openenclave, enclaves that use x87 FPU operations are vulnerable to tampering by a malicious host application. By violating the Linux System V Application Binary Interface (ABI) for such operations, a host app can compromise the execution integrity of some x87 FPU operations in an enclave. Depending on the FPU control configuration of the enclave app and whether the operations are used in secret-dependent execution paths, this vulnerability may also …

In freewvs, a directory structure of more than nested directories can interrupt a freewvs scan due to Python's recursion limit and os.walk(). This can be problematic in a case where an administrator scans the dirs of potentially untrusted users.

In freewvs, a user could create a large file that freewvs will try to read, which will terminate the scan process.

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by certain rest api, which makes SQL injection attack is possible.

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and executes them on the server; while the reported API misses necessary input validation, which causes the hackers to have the possibility to execute OS command remotely.

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat to M1 to to to Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code.

h2c does not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

In OctoberCMS, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in standard-version.

django-two-factor-auth versions 1.11 and before store the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user …

A command injection vulnerability in the devcert module may lead to remote code execution when users of the module pass untrusted input to the certificateFor function.

PKCE support is not implemented in accordance with the RFC for OAuth for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain …

Incorrect handling of Upgrade header with the value of websocket leads in crashing of containers hosting sockjs apps.

In TimelineJS, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file.

Server-Side Template Injection and arbitrary file disclosure are possible in Camel templating components.

In Electron, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected.

In Electron, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected.

In Electron, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both contextIsolation and contextBridge are affected.

Affected versions of npm-registry-fetch are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

Impact Inside Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::onPublish(), messages are arbitrarily broadcasted to the related Topic if Gos\Bundle\WebSocketBundle\Server\App\Dispatcher\TopicDispatcher::dispatch() does not succeed. The dispatch() method can be considered to not succeed if (depending on the version of the bundle) the callback defined on a topic route is misconfigured, a Gos\Bundle\WebSocketBundle\Topic\TopicInterface implementation is not found for the callback, a topic which also implements Gos\Bundle\WebSocketBundle\Topic\SecuredTopicInterface rejects the connection, or an Exception is unhandled. This can result in an …

npm is vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

npm CLI is vulnerable to an information exposure vulnerability through log files. The password value is not redacted and is printed to stdout and also to any generated log files.

This advisory has been marked as a false positive.

Improper Neutralization in com.upokecenter:cbor.

In Electron, an arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

In jspdf, it is possible to inject JavaScript code via the html method.

In jspdf, it is possible to use <script> in order to bypass improper filtering protections based off of regular expressions.

A denial of service vulnerability allows an untrusted user to run any pending migrations on an app running in production.

A denial of service vulnerability exists in Rails that allowed an untrusted user to run any pending migrations on a Rails app running in production.

A directory traversal vulnerability exists in rack that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.

A missing permission check in Jenkins Fortify on Demand Plugin allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

Jenkins White Source Plugin stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system.

Jenkins GitHub Coverage Reporter Plugin stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration.

Jenkins TestComplete support Plugin stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Apache Guacamole does not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

Jenkins Slack Upload Plugin stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

A missing permission check in Jenkins Fortify on Demand Plugin in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

Apache Guacamole mishandles pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.

LibRaw lacks a thumbnail size range check. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without validating T.length.

The is a code injection vulnerability in versions of Rails that wouldallow an attacker who controlled the locals argument of a render call to perform a RCE.

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Jenkins Compatibility Action Storage Plugin does not escape the content coming from the MongoDB in the testConnection form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

Jenkins Sonargraph Integration Plugin does not escape the file path for the Log file field form validation, resulting in a stored cross-site scripting vulnerability.

Jenkins VncRecorder Plugin does not escape a tool path in the checkVncServ form validation endpoint, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.

Jenkins VncViewer Plugin does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack

Jenkins Link Column Plugin does not filter URLs of links created by users with View/Configure permission, resulting in a stored cross-site scripting vulnerability.

Jenkins VncRecorder Plugin does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

A CSRF vulnerability exists in rails that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

A cross-site request forgery vulnerability in Jenkins Fortify on Demand Plugin allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

There is a code injection vulnerability in versions of Rails that would allow an attacker who controlled the locals argument of a render call to perform a RCE.

Jenkins Stash Branch Parameter transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

This issue occurs because tagName user input is formatted inside the exec function is executed without any checks.

php/exec/escapeshellarg in Locutus PHP allows an attacker to execute code.

Data is truncated wrong when its length is greater than bytes.

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

There is an SQL injection vulnerability, which allows accessing unexpected data.

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

In express-jwt (NPM package) up and including, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass.

In Presto before version 337, authenticated users can bypass authorization checks by directly accessing internal APIs. This impacts Presto server installations with secure internal communication configured. This does not affect installations that have not configured secure internal communication, as these installations are inherently insecure. This only affects Presto server installations. This does NOT affect clients such as the CLI or JDBC driver. This vulnerability has been fixed in version 337. …

This advisory has been marked as a False Positive and has been removed.

Impact ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign. Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.13 or later, execution time of EC point and scalar multiplication is almost constant and fixed for the issue. …

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.

CakePHP mishandles CSRF token generation. This might be remotely exploitable in conjunction with XSS.

jp2/opj_decompress.c in OpenJPEG through has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.

wifiscanner.js in thingsSDK Wi-Fi Scanner allows Code Injection because it can be used with options to overwrite the default executable/binary path and its arguments. An attacker can abuse this functionality to execute arbitrary code.

LibRaw before has an out-of-bounds write in parse_exif() in metadata\exif_gps.cpp via an unrecognized AtomName and a zero value of tiff_nifds.

Invalid input could cause a use-after-free in DeepScanLineInputFile::DeepScanLineInputFile() in IlmImf/ImfDeepScanLineInputFile.cpp.

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Invalid chunkCount attributes could cause a heap buffer overflow in getChunkOffsetTableSize() in IlmImf/ImfMisc.cpp.

An invalid tiled input file could cause invalid memory access in TiledInputFile::TiledInputFile() in IlmImf/ImfTiledInputFile.cpp, as demonstrated by a NULL pointer dereference.

Magento has a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to unauthorized access to admin panel.

Magento has a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

The private-key operations in ecc.c in wolfSSL does not use a constant-time modular inverse when mapping to affine coordinates.

In generator-jhipster-kotlin, log entries are created for invalid password reset attempts. As the email is provided by a user and the api is public this can be used by an attacker to forge log entries.

An issue was discovered in the acf-to-rest-api plugin for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and password values.

django-sendfile2 currently relies on the backend to correctly limit file paths to SENDFILE_ROOT. This is not the case for the simple and development backends, it is also not necessarily the case for any of the other backends either (it's just an assumption that was made by the original author). This will be fixed which is to be released the same day as this advisory is made public. When upgrading, you …

A potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD is set. Currently, the string comparison between configured credentials and the ones provided by users is performed through a character-by-character string comparison. This enables a possibility that attacker may time the time it takes the server to validate different usernames and password, and use this knowledge to work out the valid …

In Apache Spark, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-crafted RPC to the master can succeed in starting an application's resources on the Spark cluster, even without the shared key. This can be leveraged to execute shell commands on the host machine. This does not affect Spark clusters using other resource managers (YARN, Mesos, etc).

The modules\users\admin\edit.php in NukeViet suffers from CSRF which may allow attackers to change a user's password via the admin/index.php?nv=users&op=edit&userid= URI. This is due to the old password not being required during the change password function.

clearsystem.php in NukeViet allows CSRF with resultant HTML injection via the deltype parameter to the admin/index.php?nv=webtools&op=clearsystem URI.

The modules\users\admin\add_user.php in NukeViet suffers from CSRF which may allow attackers to trick victim administrators into adding a user account via the admin/index.php?nv=users&op=user_add URI.

In Limdu, the trainBatch function has a command injection vulnerability. Clients of the Limdu library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

An issue was discovered in the jsrsasign package for Node.js. It allows a malleability in ECDSA signatures by not checking overflows in the length of a sequence and 0 characters appended or prepended to an integer. The modified signatures are verified as valid. This could have a security-relevant impact if an application relied on a single canonical signature.

An issue was discovered in the jsrsasign package for Node.js. Its RSA PKCS1 v1.5 decryption implementation does not detect ciphertext modification by prepending \0 bytes to ciphertexts (it decrypts modified ciphertexts without error). An attacker might prepend these bytes with the goal of triggering memory corruption issues.

An issue was discovered in the jsrsasign package for Node.js. Its RSASSA-PSS (RSA-PSS) implementation does not detect signature manipulation/modification by prepending \0 bytes to a signature (it accepts these modified signatures as valid). An attacker can abuse this behavior in an application by creating multiple valid signatures where only one signature should exist. Also, an attacker might prepend these bytes with the goal of triggering memory corruption issues.

A vulnerability was found in Keycloak where every Authorization URL that points to an IDP server lacks proper input validation. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients.

Apache Shiro, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

When using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

A client side enforcement of server side security vulnerability exists in rails and rails ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

A client side enforcement of server side security vulnerability exists in rails and rails ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

A directory traversal vulnerability in EC-CUBE allows remote authenticated attackers to delete arbitrary files and/or directories on the server via unspecified vectors.

Apache Archiva login service is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

Apache Archiva login service is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

Sensitive information written to a log file vulnerability was found in jaegertracing/jaeger when the Kafka data store is used. This flaw allows an attacker with access to the container's log file to discover the Kafka credentials.

In all versions of package casperjs, the mergeObjects utility function is susceptible to Prototype Pollution.

A reliance on cookies without validation/integrity check security vulnerability exists in rack that makes it is possible for an attacker to forge a secure or host-only cookie prefix.

Strapi could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.

A deserialization of untrusted data vulnerability exists in rails which can allow an attacker to supply information can be inadvertently leaked.

A deserialization of untrusted data vulnerability exists in rails, rails which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

A deserialization of untrusted data vulnernerability exists in rails that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

A reflected cross-site scripting (XSS) vulnerability in Dolibarr allows remote attackers to inject arbitrary web script or HTML into public/notice.php.

A CSRF vulnerability exists in Rails' rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

A CSRF vulnerability exists in rails rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

WooCommerce when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.

An SQL injection vulnerability in accountancy/customer/card.php in Dolibarr allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

In mversion, there is a command injection vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input.

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping <option> elements in <select> ones changes parsing behavior, leading to possibly unsanitizing code.

MJML contains a path traversal vulnerability when processing the mj-include directive within an MJML document.

The x/text package for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

In Sanitize (RubyGem sanitize) there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's relaxed config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist.

In IJG JPEG (aka libjpeg) jpeg_mem_available() in jmemnobs.c in djpeg does not honor the max_memory_to_use setting, possibly causing excessive memory consumption.

GNU Bison allows attackers to cause a denial of service (application crash).

A TOCTOU issue in the chownr package for Node.js could allow a local attacker to trick it into descending into unintended directories via symlink attacks.

In IJG JPEG (aka libjpeg), jdhuff.c has an out-of-bounds array read for certain table pointers.

libpcre in PCRE allows an integer overflow via a large number.

An issue was discovered in ecma/operations/ecma-container-object.c in JerryScript. Operations with key/value pairs did not consider the case where garbage collection is triggered after the key operation but before the value operation, as demonstrated by improper read access to memory in ecma_gc_set_object_visited in ecma/base/ecma-gc.c.

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector …

If Apache TomEE is configured to use the embedded ActiveMQ broker, and the broker URI includes the useJMX=true parameter, a JMX port is opened on TCP port, which does not include authentication.

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to …

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for …

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

In Dijit there is a cross-site scripting vulnerability in the Editor's LinkDialog plugin.

KumbiaPHP in Development mode, allows XSS via the public/pages/kumbia PATH_INFO.

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

FasterXML jackson-databind mishandles the interaction between serialization gadgets and typing.

This advisory has been marked as False Positive as it affects org.apache.karaf.management.server.

Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network.

SSB-DB has an information disclosure vulnerability. The get() method is supposed to only decrypt messages when you explicitly ask it to, but there is a bug where it's decrypting any message that it can.

HashiCorp Consul and Consul Enterprise failed to enforce changes to legacy ACL token rules due to non-propagation to secondary data centers.

HashiCorp Consul and Consul Enterprise include an HTTP API caching feature that was vulnerable to denial of service.

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry.

HashiCorp Consul and Consul Enterprise do not appropriately enforce scope for local tokens issued by a primary data center, where replication to a secondary data center was not enabled.

agoo allows request smuggling attacks where agoo is used as a backend with a frontend proxy that is also vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer-Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

goliath allows request smuggling attacks where goliath is used as a used as a backend with a frontend proxy that is also vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer-Encoding headers were found to be parsed as valid which could be leveraged for TE:CL smuggling attacks.

A flaw was discovered in Undertow where certain requests to the Expect: header may cause an out of memory error. This flaw may potentially lead to a denial of service.

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may …

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may …

access-policy is vulnerable to Arbitrary Code Execution. User input provided to the template function is executed by the eval function resulting in code execution.

node-extend is vulnerable to Arbitrary Code Execution. User input provided to the argument A of extend function(A, B, as, isAargs) located within lib/extend.js is executed by the eval function, resulting in code execution.

mosc is vulnerable to Arbitrary Code Execution. User input provided to properties argument is executed by the eval function, resulting in code execution.

cd-messenger is vulnerable to Arbitrary Code Execution. User input provided to the color argument executed by the eval function resulting in code execution.

In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the sanitize() and the validate() function used within schema-inspector.

phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be regarded as very high. Newer phpMussel versions don't use PHP's phar wrapper, and are therefore unaffected. This has been fixed in version 1.6.0.

phpMussel has an deserialization vulnerability in the phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution.

Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory.

A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory.

OWASP json-sanitizer allows XSS. An attacker who controls a substring of the input JSON, and controls another substring adjacent to a SCRIPT element in which the output is embedded as JavaScript, may be able to confuse the HTML parser as to where the SCRIPT element ends, and cause non-script content to be interpreted as JavaScript.

opencart allows remote authenticated users to conduct XSS attacks via a crafted filename in the image upload section because due to missing entity encoding.