トピトピニュース

Author: GitHub (1143 posts)

Featured

  • Posted by GitHub: [github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
  • Posted by GitHub: [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • Posted by GitHub: [bitlyshortener] Package discontinued because Bitly lowered the free quota
  • Posted by GitHub: [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[asyncua] Uncontrolled Resource Consumption in asyncua and opcua

  • Posted in HIGH
  • Posted by GitHub
  • 08/24/2022, 09/30/2022

All versions of package opcua; all versions of package asyncua are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks – per single session or in total for all concurrent sessions. An attacker can exploit …

[node-opcua] node-opcua DoS vulnerability via message with memory allocation that exceeds v8’s memory limit

  • Posted in HIGH
  • Posted by GitHub
  • 08/24/2022, 09/02/2022

The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds v8’s memory limit.
References

https://nvd.ni…

[ansible-runner] ansible-runner 2.0.0 default temporary files written to world R/W locations

  • Posted in HIGH
  • Posted by GitHub
  • 08/24/2022, 09/02/2022

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 is written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansibl…

[ansible-runner] ansible-runner 2.0.0 vulnerable to Race Condition

  • Posted in MODERATE
  • Posted by GitHub
  • 08/24/2022, 09/02/2022

A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner’s private_data_dir the next time …

[org.jenkins-ci.plugins:git] Improper masking of credentials in Jenkins Git Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 08/24/2022, 11/30/2022

Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (gitUsernamePassword) credentials binding.
References

https://nvd.nist.gov/vuln/detail/C…

[org.jenkins-ci.plugins:collabnet] RabbitMQ password stored in plain text by Jenkins CollabNet Plugins Plugin

  • Posted in LOW
  • Posted by GitHub
  • 08/24/2022, 11/30/2022

Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
References

https://…

[org.jenkins-ci.plugins:jobConfigHistory] Cross-site Scripting in Jenkins Job Configuration History Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 08/24/2022, 11/29/2022

Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job…

[notrinos/notrinos-erp] Missing password strength check in notrinos/notrinos-erp

  • Posted in HIGH
  • Posted by GitHub
  • 08/23/2022, 09/07/2022

In versions of notrinos/notrinoserp prior to 0.7, new account passwords were missing a password strength check.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2927
https://github.com/notrinos/notrinoserp/commit/e61e76b44c6a2b28a4a648a06ef34f65c37…

[yetiforce/yetiforce-crm] Cross site scripting in yetiforce/yetiforce-crm

  • Posted in MODERATE
  • Posted by GitHub
  • 08/23/2022, 08/31/2022

Cross-site Scripting (XSS) – Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-1340
https://github.com/yetiforcecompany/yetiforcecrm/commit/2c14baaf8dbc7fd82d5c585f2fa0c23528…

[OctoPrint] Unverified Password Change in OctoPrint

  • Posted in MODERATE
  • Posted by GitHub
  • 08/23/2022, 08/31/2022

Versions of OctoPrint prior to 1.8.3 did not require the current user password in order to change that user's password. As a result, users could be locked out of their accounts or have their accounts stolen under certain circumstances.
References

https:…
