CRITICAL

[valine] Valine code injection vulnerability

Valine was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-38545
https://github.com/xCss/Valine/issues/…

[steal] steal vulnerable to Prototype Pollution

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-37258
https://github.com/stealjs/steal/issues/1527…

[github.com/ElrondNetwork/elrond-go] Elrond-go has improper initialization

Impact
Read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon the contract’s B state, the state will be altered for contract B…

[cruddl] cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch

Impact
If a vunerable version of cruddl is used to generate a schema that uses @flexSearchFulltext, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB.
Schemas that do not use @flexSearch…

[org.xwiki.platform:xwiki-platform-mentions-ui] XWiki Platform Mentions UI vulnerable to Cross-site Scripting

Impact
It’s possible to store Javascript or groovy scripts in an mention macro anchor or reference field. The stored code is executed by anyone visiting the page with the mention.
For example, the example below will create a file at /tmp/exploit.txt:
{…

[org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki] XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability

Impact
It’s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request (URL parameter) using the XWikiServerClassSheet if the user has view access to this sheet and another page that has been saved with…

[org.xwiki.platform.applications:xwiki-application-tag] XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection

Impact
The tags document Main.Tags in XWiki didn’t sanitize user inputs properly, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity co…

[wee_alloc] wee_alloc is Unmaintained

Two of the maintainers have indicated that the crate may not be maintained.
The crate has open issues including memory leaks and may not be suitable for production use.
It may be best to switch to the default Rust standard allocator on wasm32 targets.
…

[typemap] typemap is Unmaintained

Posted inCRITICAL
Posted byGitHub
09/17/2022

The maintainer seems unreachable. The crate may or may not be usable as-is despite no maintenance and may not work in future versions of Rust. The last release seems to have been seven years ago.
References

https://github.com/reem/rust-typemap/issues/…

[traitobject] traitobject is Unmaintained

Crate traitobject has not had a release for over five years.
In addition there is an existing security advisory that has not been addressed:

RUSTSEC-2020-0027

Possible Alternative(s)
The below list has not been vetted in any way and may or may not c…

トピトピニュース

Featured

[github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication

[org.jeecgframework.boot:jeecg-boot-common] Jeecg-boot vulnerable to SQL Injection

[electron] Heap buffer overflow in GPU

[wger] wger vulnerable to brute force attempts