HIGH

code injection in Wrapper::buildClientWrapperCode via manipulation of the $client argument. It was possible to force the client to access local files or connect to undesired urls instead of the intended target server’s url.
References

https://github.c…

Impact
On sites where members is enabled (this is the default) it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have …

Microweber 1.2.15 was discovered to allow attackers to perform an account takeover via a host header injection attack.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-33012
https://blog.jitendrapatro.me/cve-2022-33012-account-takeover-through-pas…

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Apache Airflow Hive Provider, Apache Airflow allows an attacker to execute arbtrary commands in the task execution context, without write access…

Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write acces…

Impact
It’s possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form.
Patches
The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2.
Workarounds
The only workarounds …

Impact
Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki.
Patches
The …

Impact
It’s possible with a simple request to perform deletion or renaming of tags without needing any confirmation, by using a CSRF attack.
Patches
The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1.
Workarounds
It’s possible to patch…

Impact
What kind of vulnerability is it? Who is impacted?
ZipSlip issue when use fileutil package to unzip files.
Patches
Has the problem been patched? What versions should users upgrade to?
It will fixed in v2.1.10, Please upgrade version to v2.1.10 o…

Impact
The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result.
Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; as if the number of inp…