Impact
The crewjam/saml Go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.
Patches
This issue has been corrected in version 0.4.9.
Credit
This issue was reported by Felix Wilhelm f…
[org.jeecgframework.boot:jeecg-boot-common] Jeecg-boot vulnerable to SQL Injection
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-45206
https://github.com/jeecgboot/jeecg-boot/issues/4129
http://jeecg-boot.com
http…
[electron] Heap buffer overflow in GPU
Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
References
http…
[wger] wger vulnerable to brute force attempts
Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2650
https://github.com/wger-project/wger/commit/5e3167e3a2dc95836fa2607fe201524c031a2c…
[org.apache.dolphinscheduler:dolphinscheduler-alert-plugins] Command injection in Apache DolphinScheduler Alert Plugins
Alarm instance management has a command injection when a specific command is configured. It is only exploitable by logged-in users. We recommend you upgrade to version 2.0.6 or higher.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-45462
https://lists….
[io.quarkus:quarkus-parent] Code injection in quarkus dev ui config editor
A vulnerability was found in Quarkus. This security flaw is in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4116
https://access.redha…
[apache-airflow] OS Command Injection in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access …
[org.xwiki.platform:xwiki-platform-filter-ui] Missing Authorization in Filter Stream Converter Application
Impact
The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package.
Patches
The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8.
Workarounds
The problem can be patched immediately by setti…
[org.xwiki.platform:xwiki-platform-menu-ui] Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) in org.xwiki.platform:xwiki-platform-menu-ui
Impact
Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and…
[org.xwiki.platform:xwiki-platform-icon-ui] Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) in xwiki-platform-icon-ui
Impact
Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro.
The URL &l…