odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE, this product is apparently discontinued.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-11023
https://groups.google.com/d/msg/odata4j-discuss/_lBwwXP30g0/Av6zkZMdBwAJ
https:…
odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE, this product is apparently discontinued.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-11023
https://groups.google.com/d/msg/odata4j-discuss/_lBwwXP30g0/Av6zkZMdBwAJ
https:…
odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-11024
https://groups.google.com/d/msg/odata4j-discuss/_lBwwXP30g0/Av6zkZMdBwAJ
https:/…
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-23369
https://github….
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-26759…
Withdrawn
Affected versions of the package are vulnerable to Cross-Site Request Forgery (CSRF) attacks.
References
https://github.com/scambra/devise_invitable/issues/457
https://github.com/scambra/devise_invitable/commit/d1bb19efca8e35885e1c2f0931d617…
lita-coin 0.0.3 contains a backdoor mechanism that allows launching of hidden cryptocurrency mining operations inside the project. The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised projec…
This vulnerability was reported to the personnummer team in June 2020. The slow response was due to locked ownership of some of the affected packages, which caused delays to update packages prior to disclosure.
The vulnerability is determined to be low…
Impact
An attacker is able to inject javascript while using the contact form.
Patches
The problem is fixed in v4.3.0
References
Cross-site Scripting (XSS) – Stored (CWE-79)
References
https://github.com/PrestaShop/contactform/security/advisories/GHSA…
Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim’s browser.
Recommendation
Upgrade to versio…
