Impact
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be rea…
[github.com/russellhaering/gosaml2] gosaml2 is vulnerable to NULL Pointer Dereference
This affects all versions less than 0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on null pointer dereference caused by sending malformed XML signatures.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-7731
https://github.c…
[urllib3] Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
Impact
When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP red…
[@eivifj/dot] Improperly Controlled Modification of Dynamically-Determined Object Attributes in eivindfjeldstad-dot
eivindfjeldstad-dot below 1.0.3 is vulnerable to Prototype Pollution. The function `set` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-7639
https…
[org.xwiki.commons:xwiki-commons-core] XWiki users registered with email verification can self re-activate their disabled accounts
Impact
A user disabled on a wiki that uses email verification for registration can re-activate themselves by using the activation link provided for their registration.
Patches
The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, …
[@shopify/koa-shopify-auth] Cross-site scripting in koa-shopify-auth
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the shop parameter on the /shopify/auth/enable_cookies endpoint.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-81…
[k8s.io/kubernetes] Privilege Escalation
Kubernetes versions 1.5.0-1.5.4 are vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin, resulting in the ability to make use of any existing PodSecurityPolicy object.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-100005…
[joplin] Cross-site Scripting in Joplin
An XSS issue in Joplin desktop allows arbitrary code execution via a malicious HTML embed tag.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-15930
https://github.com/laurent22/joplin/issues/3552
https://github.com/laurent22/joplin/releases/tag/…
[primefaces] Cross-site Scripting in PrimeFaces
An XSS issue was discovered in tooltip/tooltip.js in PrimeTek PrimeFaces 7.0.11. In a web application using PrimeFaces, an attacker can provide JavaScript code in an input field whose data is later used as a tooltip title without any input validation.
…
[google-closure-library] Improper Input Validation in Google Closure Library
A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation — update your library to version v202…