CRITICAL

[rdiffweb] Rdiffweb subject to Business Logic Errors

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3363
https://github.com/ikus060/rdiffweb/commit/c27c46bac656b1da74f28eac1b52dfa5df76e6f2
https://huntr.dev/bounties/b8a4…

[org.apache.flume:flume-parent] Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL

Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to remote code execution (RCE) attack when a …

[badaso/core] Badaso vulnerable to Remote Code Execution via malicious file upload

Badaso allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application does not properly validate the data uploaded by users.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-417…

[socket.io-parser] Insufficient validation when decoding a Socket.IO packet

Due to improper type validation in the socket.io-parser library (which is used by the socket.io and socket.io-client packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place…

[feathers-sequelize] PENDING feathers-sequelize contains improper input validation leading to SQL injection

Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2422
https://c…

[feathers-sequelize] feathers-sequelize vulnerable to SQL injection due to improper parameter filtering

feathers-sequelize is vulnerable to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-29822
https://csirt.divd.nl/cases/DIVD-2022-00020
https://csi…

[feathers-sequelize] Feather-Sequelize cleanQuery method vulnerable to Prototype Pollution

Feather-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2982…

[github.com/flipped-aurora/gin-vue-admin/server] Gin-vue-admin subject to Remote Code Execution via file upload vulnerability

Impact
Gin-vue-admin < 2.5.4 has File upload vulnerabilities。
File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size. Failing t…

[github.com/zalando/skipper] Skipper vulnerable to SSRF via X-Skipper-Proxy

Impact
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Sk…

[org.apache.heron:heron-api] Heron allows CRLF log injection

Heron versions <= 0.20.4-incubating allows CRLF log injection because of the lack of escaping in the log statements. Please update to version 0.20.5-incubating which addresses this issue.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-42010
h…

トピトピニュース

Featured

[github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication

[org.jeecgframework.boot:jeecg-boot-common] Jeecg-boot vulnerable to SQL Injection

[electron] Heap buffer overflow in GPU

[wger] wger vulnerable to brute force attempts