Impact
dparse versions prior to 0.5.1 contain a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
All users parsing index server URLs with dparse are impacted by this vulnerability.
Patches
The patch is applied in t…
[express-xss-sanitizer] express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing an attacker to bypass XSS sanitization.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-21169
https://github.com/AhmedAde…
[joblib] joblib vulnerable to arbitrary code execution
All versions of joblib before 1.2.0 are vulnerable to arbitrary code execution via the pre_dispatch argument of the Parallel class: the string value is passed to an eval() call, so any Python expression supplied there is executed.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-21797
https://github.com/joblib/joblib…
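The pattern behind this advisory, shown as an added example that is not joblib's code: a pre_dispatch string such as "2*n_jobs" is handed to eval(), so an attacker who controls that string runs arbitrary Python. The hardened form below is this editor's own replacement (not the upstream patch) and assumes the only grammar that is needed is "all", an integer, "n_jobs", or "<number>*n_jobs"; the default N_JOBS value is likewise an assumption for the demonstration.

```python
import re

# Assumed worker count for the demonstration (not a joblib constant).
N_JOBS = 4


def pre_dispatch_unsafe(pre_dispatch, n_jobs=N_JOBS):
    """Vulnerable pattern: the caller-supplied string is evaluated as Python.

    eval() sees this frame's locals, so "2*n_jobs" works as intended, but so
    does any other expression, e.g. "__import__('os').getpid()" or worse.
    """
    if isinstance(pre_dispatch, str):
        return eval(pre_dispatch)  # deliberately vulnerable: arbitrary code execution
    return pre_dispatch


# Only "<number>*n_jobs" is accepted as an arithmetic form; whitespace is
# stripped before matching so "2 * n_jobs" and "2*n_jobs" are treated alike.
_MULT_RE = re.compile(r"(\d+(?:\.\d+)?)\*n_jobs")


def pre_dispatch_safe(pre_dispatch, n_jobs=N_JOBS):
    """Hardened form: recognise the small grammar explicitly and never eval().

    Accepts an int, "all", "n_jobs" or "<number>*n_jobs"; anything else
    (function calls, attribute access, extra operators) raises ValueError.
    """
    if isinstance(pre_dispatch, bool):
        raise TypeError("pre_dispatch must be an int or str")
    if isinstance(pre_dispatch, int):
        return pre_dispatch
    if not isinstance(pre_dispatch, str):
        raise TypeError("pre_dispatch must be an int or str")
    expr = pre_dispatch.replace(" ", "")
    if expr == "all":
        return "all"
    if expr == "n_jobs":
        return n_jobs
    if expr.isdigit():
        return int(expr)
    m = _MULT_RE.fullmatch(expr)
    if m:
        return int(float(m.group(1)) * n_jobs)
    raise ValueError(f"invalid pre_dispatch expression: {pre_dispatch!r}")


def rejects(expr, n_jobs=N_JOBS):
    """True if the hardened parser refuses the expression."""
    try:
        pre_dispatch_safe(expr, n_jobs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "__import__('os').getpid()"
    print("unsafe:", pre_dispatch_unsafe("2*n_jobs"), pre_dispatch_unsafe(payload))
    print("safe:  ", pre_dispatch_safe("2*n_jobs"), "rejects payload:", rejects(payload))
```

The payload used here only reads the process id, which is enough to show that the string reached the interpreter; the same channel would accept anything eval() can run. The wider lesson is that a configuration value which looks like a tiny expression language should get a parser for exactly that language rather than the host language's evaluator.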
[rdiffweb] rdiffweb allows unlimited length of root directory name, which could result in DoS
rdiffweb prior to 2.4.8 has no limit on the length of root directory names. Allowing users to enter long strings may result in a DoS attack or memory corruption. Version 2.4.8 defines a field limit for username, email, and root directory.
References
https…
[rdiffweb] rdiffweb vulnerable to Improper Cleanup on Thrown Exception
rdiffweb prior to version 2.4.8 is vulnerable to Improper Cleanup on Thrown Exception. This could allow an attacker to display a message of their choice onto a web page. Version 2.4.8 contains a fix for this issue.
References
https://nvd.nist.gov/vuln…
[centreon/centreon] Centreon contains cross-site scripting vulnerability via esc_name parameter
Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTM…
[centreon/centreon] Centreon SQL Injection vulnerability via esc_name parameter
Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. Versions 21.04.16, 21.10.8, and 22.04.2 contain patches.
References
https://nvd.nist.go…
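Both Centreon entries above concern the same esc_name parameter reaching a SQL query and an HTML page unescaped. The following is an added example, not Centreon's code: an in-memory SQLite table standing in for an escalation configuration table (constructed here), a query that interpolates esc_name into SQL beside its parameterised form, and a renderer that escapes the value before it is placed in HTML. Table and column names are assumptions for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: three escalation rows, one of them 'sensitive'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE escalation (esc_id INTEGER PRIMARY KEY, esc_name TEXT)")
    conn.executemany(
        "INSERT INTO escalation (esc_name) VALUES (?)",
        [("ops-pager",), ("db-team",), ("secret-oncall",)],
    )
    return conn


def find_escalation_vulnerable(esc_name):
    """Deliberately vulnerable: the user value is spliced into the SQL text.

    With esc_name = "' OR '1'='1" the WHERE clause becomes
    esc_name = '' OR '1'='1', which is true for every row.
    """
    conn = make_db()
    sql = f"SELECT esc_id, esc_name FROM escalation WHERE esc_name = '{esc_name}'"
    return conn.execute(sql).fetchall()


def find_escalation_safe(esc_name):
    """Hardened form: the value travels as a bound parameter, never as SQL syntax."""
    conn = make_db()
    return conn.execute(
        "SELECT esc_id, esc_name FROM escalation WHERE esc_name = ?", (esc_name,)
    ).fetchall()


def render_name_vulnerable(esc_name):
    """Deliberately vulnerable: the stored name is echoed into markup verbatim."""
    return f"<td>{esc_name}</td>"


def render_name_safe(esc_name):
    """Hardened form: HTML-escape the value (including quotes) at the output boundary."""
    return f"<td>{html.escape(esc_name, quote=True)}</td>"


if __name__ == "__main__":
    sqli = "' OR '1'='1"
    print("vulnerable query rows:", find_escalation_vulnerable(sqli))
    print("parameterised rows:   ", find_escalation_safe(sqli))
    xss = '<script>alert(1)</script>'
    print(render_name_vulnerable(xss))
    print(render_name_safe(xss))
```

The two fixes are independent: parameterised queries stop the value from being parsed as SQL, and escaping at render time stops it from being parsed as HTML. Escaping on input would not help the query, and parameterising the query would not help the page, so both boundaries need their own control.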
[rdiffweb] rdiffweb’s unlimited username field length can lead to DoS
rdiffweb prior to 2.4.8 is vulnerable to a potential DoS attack via an unlimited length "username" field. This can result in excess memory consumption, or memory corruption, leading to a Denial of Service (DoS). This issue is patched in version 2.4.8. …
[rdiffweb] rdiffweb’s unlimited length email field can lead to DoS
rdiffweb prior to 2.4.8 does not validate email length, allowing users to insert an email longer than 255 characters. If a user signs up with an email with a length of 1 million or more characters and logs in, withdraws, or changes their email, the ser…
[rdiffweb] rdiffweb vulnerable to potential DoS via memory consumption
rdiffweb prior to 2.4.8 is vulnerable to a potential DoS attack via an unlimited length "title" field when adding an SSH key.
This can result in excess memory consumption, leading to a Denial of Service (DoS). This issue is patched in version 2.4.8. Th…
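The four rdiffweb entries above (root directory, username, email, SSH key title) are one class of bug: a form field with no length limit is stored and re-processed on every later request. As an added example that is not rdiffweb's code, the block below contrasts a handler that copies every field as submitted with one that enforces per-field limits before anything is stored. The limit values are assumptions for the demonstration, except that email is capped at 255 characters as the advisory describes; the form data is constructed inline.

```python
# Per-field length limits. Only the email value follows the advisory text;
# the others are assumed for this example and are not rdiffweb's settings.
FIELD_LIMITS = {
    "username": 256,
    "email": 255,
    "root_directory": 1024,
    "ssh_key_title": 256,
}


class FieldTooLong(ValueError):
    pass


def check_field(name, value):
    """Reject a field that exceeds its configured length; return it unchanged otherwise.

    len() counts characters, matching how the advisory states the limit; a
    byte-length check against the storage column is a sensible extra step.
    """
    limit = FIELD_LIMITS[name]
    if not isinstance(value, str):
        raise TypeError(f"{name} must be a string")
    if len(value) > limit:
        raise FieldTooLong(f"{name}: {len(value)} characters exceeds limit of {limit}")
    return value


def create_user_unbounded(form):
    """Vulnerable pattern: whatever was submitted becomes the account record.

    A megabyte-sized email or title is then held in memory, written to the
    database and re-read on every login, profile change or key listing.
    """
    return {name: form.get(name, "") for name in FIELD_LIMITS}


def create_user_bounded(form):
    """Hardened form: every field is length-checked before the record is built."""
    return {name: check_field(name, form.get(name, "")) for name in FIELD_LIMITS}


def record_size(record):
    """Bytes the stored record occupies once encoded."""
    return sum(len(v.encode("utf-8")) for v in record.values())


def accepts(form):
    """True if the bounded handler would create the account."""
    try:
        create_user_bounded(form)
    except FieldTooLong:
        return False
    return True


# Constructed sample input: a normal signup and one carrying a 1,000,000-char email.
NORMAL_FORM = {
    "username": "alice",
    "email": "alice@example.com",
    "root_directory": "/backups/alice",
    "ssh_key_title": "laptop",
}
OVERSIZED_FORM = dict(NORMAL_FORM, email="a" * 1_000_000 + "@example.com")

if __name__ == "__main__":
    print("unbounded stores", record_size(create_user_unbounded(OVERSIZED_FORM)), "bytes")
    print("bounded accepts oversized form:", accepts(OVERSIZED_FORM))
    print("bounded accepts normal form:  ", accepts(NORMAL_FORM))
```

A field-level check like this still runs after the request body has been read, so it belongs alongside a request body size limit at the web server or framework layer; the two together keep both the transient request and the persisted record bounded.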