node-red-dashboard contains a cross-site scripting vulnerability. The issue lies in unspecified processing in the file components/ui-component/ui-component-ctrl.js, part of the ui_text Format Handler component. The attack may be initiated remotely. The iss…
[muhammara] muhammara and hummus vulnerable to denial of service by NULL pointer dereference
Impact
The package muhammara before 2.6.1 and from 3.0.0 before 3.1.1, together with all versions of the package hummus, are vulnerable to Denial of Service (DoS) when asked to parse a maliciously crafted PDF file.
Patches
It has been patched in 3.1.1 and ha…
[org.apache.tomcat:tomcat] Apache Tomcat may reject request containing invalid Content-Length header
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request conta…
[muhammara] muhammara and hummus vulnerable to null pointer dereference on bad response object
The package muhammara before 2.6.0 and the package hummus before 1.0.111 are vulnerable to Denial of Service (DoS) when PDFStreamForResponse() is used with invalid data.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25885
https://github.com/gal…
[acryl-datahub] acryl-datahub missing JWT signature check
Missing JWT signature check (GHSL-2022-078)
The StatelessTokenService of the DataHub metadata service (GMS) does not verify the signature of JWT tokens. This allows an attacker to connect to DataHub instances as any user if Metadata Service authenticat…
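The following is an added illustration of the bug class in this advisory and is not DataHub code: a minimal HS256 JWT issuer with two decoders. claims_unverified reads the claims without ever looking at the signature, which is what lets anyone present a token for any user; claims_verified pins the algorithm, recomputes the HMAC and compares it in constant time. The signing key, the claim names and the forged tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; a real service loads its key from configuration.
SERVER_KEY = b"example-gms-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way a correct service would: HMAC-SHA256 over header.payload."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def claims_unverified(token: str) -> dict:
    """Vulnerable pattern: decode the claims and never check the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def claims_verified(token: str, key: bytes) -> dict:
    """Hardened: pin the algorithm, recompute the MAC, compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects "none" and any algorithm the server did not choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def forge_token(victim: str) -> str:
    """Attacker side: no key needed, just a well-formed token with a garbage signature."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment({"sub": victim})
    return f"{header}.{payload}." + _b64url(b"\x00" * 32)


def forge_alg_none(victim: str) -> str:
    """Attacker side: the classic alg=none token with an empty signature segment."""
    return _segment({"alg": "none"}) + "." + _segment({"sub": victim}) + "."


def accepts(token: str, decoder) -> bool:
    """True if the decoder returns claims for the token, False if it rejects it."""
    try:
        decoder(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_token("datahub")
    print("unverified decoder trusts forged token:", claims_unverified(forged))
    print("verified decoder accepts forged token:", accepts(forged, lambda t: claims_verified(t, SERVER_KEY)))
```

The point of the pairing is that both decoders return identical claims for a genuine token, so the missing check is invisible in normal testing; it only shows up when a token with a wrong or empty signature is presented.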
[processwire/processwire] ProcessWire vulnerable to Cross-Site Request Forgery
ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-40488
https://gist.github.com/filipaze/76138289ded98aa45dfcd939a8afd331
http://processwire.com
https://github.com/…
[processwire/processwire] ProcessWire vulnerable to Cross-site Scripting
ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted…
[noumo/easyii] easyii CMS’s File Upload Management vulnerable to unrestricted upload
This issue affects the function file in helpers/Upload.php, part of the File Upload Management component. Manipulating it leads to an unrestricted file upload. The attack may be initiated remotely.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-377…
[github.com/cloudflare/cfrpki/cmd/octorpki] OctoRPKI crashes when max iterations is reached
Impact
An attacker can construct a long chain of CAs that makes OctoRPKI exceed its max iterations parameter. Hitting that limit crashed the program instead of ending validation cleanly, so validation never finishes: a denial of service.
Patches
This issue is fixed in v1.4.4
Wo…
[conduit-hyper] conduit-hyper vulnerable to Denial of Service from unchecked request length
Prior to version 0.4.2, conduit-hyper did not check any limit on a request’s length before calling hyper::body::to_bytes. An attacker could send a malicious request with an abnormally large Content-Length, which could lead to a panic if memory allocati…
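The following is an added example, not code from Tomcat or conduit-hyper, covering both the Tomcat advisory above (a request whose Content-Length header is invalid must be rejected rather than passed on) and this conduit-hyper advisory (the declared length must be checked against a limit before anything is buffered). parse_content_length accepts only a plain ASCII decimal, and only one distinct value across all occurrences of the header; read_body decides on the declared number before it touches the body. The 1 MiB limit and the raw requests are constructed for the example.

```python
from typing import List, Optional, Tuple

MAX_BODY = 1 << 20  # assumed limit for the example: 1 MiB


class BadRequest(Exception):
    """Reject with 400: the message framing cannot be trusted."""


class PayloadTooLarge(Exception):
    """Reject with 413 before any body buffer is allocated."""


def parse_headers(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into (header list, bytes after the header block)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request line
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise BadRequest("malformed header line")
        headers.append((name.strip(), value.strip()))
    return headers, rest


def parse_content_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Strict Content-Length: one distinct value, made only of ASCII digits."""
    values = [
        v.strip()
        for name, raw in headers
        if name.lower() == "content-length"
        for v in raw.split(",")
    ]
    if not values:
        return None
    # RFC 9110 s8.6 allows identical repeated values; anything else is invalid framing.
    if len(set(values)) != 1:
        raise BadRequest("conflicting Content-Length values")
    v = values[0]
    # str.isdigit() alone accepts non-ASCII digits such as '\u0665';
    # int() alone accepts '+5' and '5_0'. Require both checks.
    if not (v.isascii() and v.isdigit()):
        raise BadRequest(f"invalid Content-Length: {v!r}")
    return int(v)


def read_body(raw: bytes, max_body: int = MAX_BODY) -> bytes:
    """Return the body, or raise. The size decision is made on the header alone."""
    headers, rest = parse_headers(raw)
    n = parse_content_length(headers)
    if n is None:
        return b""
    if n > max_body:  # in a real server this runs before reading the body from the socket
        raise PayloadTooLarge(f"declared {n} bytes, limit {max_body}")
    if len(rest) < n:
        raise BadRequest("body shorter than Content-Length")
    return rest[:n]


def classify(raw: bytes, max_body: int = MAX_BODY) -> str:
    """Outcome label for a raw request: 'ok', 'bad_request' or 'too_large'."""
    try:
        read_body(raw, max_body)
        return "ok"
    except PayloadTooLarge:
        return "too_large"
    except BadRequest:
        return "bad_request"


if __name__ == "__main__":
    for req in (
        b"POST / HTTP/1.1\r\nContent-Length: 5\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nContent-Length: +5\r\n\r\nhello",
        b"POST / HTTP/1.1\r\nContent-Length: 99999999999\r\n\r\n",
    ):
        print(classify(req), req.split(b"\r\n")[1])
```

Rejecting the malformed header outright, rather than guessing a length, matters most when a reverse proxy sits in front: if the two parsers disagree on where one request ends and the next begins, the difference is a request smuggling primitive. The length cap belongs on the declared value because that value is entirely attacker-controlled and costs nothing to inflate.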