
トピトピニュース

Author: GitHub (1143 Posts)

Featured

  • [github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication (Posted by GitHub)
  • [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown (Posted by GitHub)
  • [bitlyshortener] Package discontinued because Bitly lowered the free quota (Posted by GitHub)
  • [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability (Posted by GitHub)

[rdiffweb] rdiffweb Path Traversal vulnerability

  • Posted in HIGH
  • Posted by GitHub
  • 10/07/2022, 10/11/2022

rdiffweb prior to 2.4.10 is vulnerable to Path Traversal. Version 2.4.10 contains a patch.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3389
https://github.com/ikus060/rdiffweb/commit/323383d1db656f1b1291be529947bd943a6b0e99
https://huntr.dev/…

[commons-jxpath:commons-jxpath] JXPath Out-of-bounds Write vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • 10/07/2022, 10/20/2022

Those using JXPath to interpret XPath may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a deni…

[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 10/07/2022, 10/07/2022

YetiForce CRM version 6.4.0 and prior is vulnerable to stored cross-site scripting. A patch is available on the developer branch.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3002
https://github.com/yetiforcecompany/yetiforcecrm/commit/54728be…

[github.com/flyteorg/flyteadmin] FlyteAdmin’s Default OAuth Authorization Server secret must be rotated

  • Posted in HIGH
  • Posted by GitHub
  • 10/06/2022, 10/11/2022

Impact
Users who enable the default Flyte’s authorization server without changing the default clientid hashes will be exposed to the public internet.
In an effort to make enabling authentication easier for Flyte administrators, the default configuratio…

[google-protobuf] protobuf-java has a potential Denial of Service issue

  • Posted in MODERATE
  • Posted by GitHub
  • 10/05/2022, 10/20/2022

Summary
A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown f…

[github.com/dapr/dashboard] Dapr Dashboard vulnerable to Incorrect Access Control

  • Posted in HIGH
  • Posted by GitHub
  • 10/04/2022, 10/07/2022

Dapr Dashboard v0.1.0 through v0.10.0 is vulnerable to Incorrect Access Control that allows attackers to obtain sensitive data.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-38817
https://github.com/dapr/dashboard/issues/222
https://github.com/…

[label-studio] Heartex – Label Studio Community Edition vulnerable to SSRF in the Data Import module

  • Posted in MODERATE
  • Posted by GitHub
  • 10/04/2022, 10/05/2022

A Server Side Request Forgery (SSRF) in the Data Import module in Heartex – Label Studio Community Edition versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. Furthermore, self-registration is enabled by def…

[lief] LIEF vulnerable to denial of service through segmentation fault

  • Posted in MODERATE
  • Posted by GitHub
  • 10/04/2022, 10/07/2022

A vulnerability in the LIEF::MachO::BinaryParser::init_and_parse function of LIEF v0.12.1 allows attackers to cause a denial of service (DoS) through a segmentation fault via a crafted MachO file. A patch for this issue is available at commit fde2c4898…

[snyk] Snyk CLI affected by Command Injection vulnerability

  • Posted in HIGH
  • Posted by GitHub
  • 10/04/2022, 10/07/2022

Snyk CLI before 1.996.0 allows arbitrary command execution, affecting Snyk IDE plugins and the snyk npm package. Exploitation could follow from the common practice of viewing untrusted files in the Visual Studio Code editor, for example. The original d…

[OrchardCore] OrchardCore vulnerable to HTML injection

  • Posted in MODERATE
  • Posted by GitHub
  • 10/04/2022, 10/05/2022

OrchardCore versions starting with 1.0.0-rc1-11259 and prior to 1.4.0 are vulnerable to HTML injection. The vulnerability allows an authenticated user with an editor security role to inject a persistent HTML modal dialog component into the dashboard th…
