Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-100005…
odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE, this product is apparently discontinued.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-11023
https://groups.google.com/d/msg/odata4j-discuss/_lBwwXP30g0/Av6zkZMdBwAJ
https:…
odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE, this product is apparently discontinued.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-11023
https://groups.google.com/d/msg/odata4j-discuss/_lBwwXP30g0/Av6zkZMdBwAJ
https:…
odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. NOTE: this product is apparently discontinued.
References
https://nvd.nist.gov/vuln/detail/CVE-2016-11024
https://groups.google.com/d/msg/odata4j-discuss/_lBwwXP30g0/Av6zkZMdBwAJ
https:/…
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-23369
https://github….
clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-26759…
lita-coin 0.0.3 contains a backdoor mechanism that allows launching of hidden cryptocurrency mining operations inside the project. The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised projec…
Versions of require-node prior to 1.3.4 for 1.x and 2.0.4 for 2.x are vulnerable to Arbitrary Code Execution. The package fails to sanitize requests to the require-node endpoint, allowing attackers to execute arbitrary code in the server through the in…
Impact
Server JWT signing secret was included in static assets and served to clients.
This ALLOWS Flood’s builtin authentication to be bypassed. Given Flood is granted access to rTorrent’s SCGI interface (which is unprotected and ALLOWS arbitrary code …
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding “_bsontype”:”a” can sometimes interfere with a query filter. NOTE: th…
