The package opcua from 0.0.0 until 0.11.0 is vulnerable to Denial of Service (DoS) via the ExtensionObjects and Variants objects, when it allows unlimited nesting levels, which could result in a stack overflow even if the message size is less than the …
[node-opcua] node-opcua DoS when bypassing limitations for excessive memory consumption
The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.
References
h…
[exceedone/exment] exceedone/exment and exceedone/laravel-admin SQL Injection vulnerability
SQL injection vulnerability in the Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows remote authenticated…
[exceedone/laravel-admin] exceedone/exment and exceedone/laravel-admin Cross-site Scripting vulnerability
Reflected cross-site scripting vulnerability in Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows a remot…
[github.com/gravitational/teleport] Improper token validation leading to code execution in Teleport
Teleport 9.3.6 is vulnerable to Command injection leading to Remote Code Execution. An attacker can craft a malicious ssh agent installation link by URL encoding a bash escape with carriage return line feed. This url encoded payload can be used in plac…
[ansible-runner] ansible-runner vulnerable to shell command injection
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host’s shell command. A developer could unintentionally write code that ge…
[uri-template-lite] uri-template-lite Regular Expression Denial of Service
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the “URI.expand” method. A fix is available on the main branch of the repository.
R…
[getkirby/cms] Kirby CMS 2.5.12 Cross-site Scripting
An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-14520
https://www.exploit-db.com/exploits/45068
htt…
[getkirby/cms] Kirby CMS 2.5.12 Cross-site Request Forgery
An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-14519
https://…
[node-opcua] node-opcua DoS vulnerability via message with memory allocation that exceeds v8’s memory limit
The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.
References
https://nvd.ni…