Impact
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be rea…
[github.com/russellhaering/gosaml2] gosaml2 is vulnerable to NULL Pointer Dereference
All versions of package github.com/russellhaering/gosaml2 before 0.7.0 are affected: a malformed XML signature causes a null pointer dereference that crashes the process.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-7731
https://github.c…
[urllib3] Catastrophic backtracking in URL authority parser when passed URL containing many @ characters
Impact
When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP red…
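As an added example (Python, not urllib3's code): RFC 3986 forbids an unescaped @ inside userinfo, so the authority can be split on its last @ with rpartition and the host and port parsed in a single pass, leaving nothing for a pattern to backtrack over. The function names, the IPv6 and port handling, and the hostile input built from repeated @ characters are constructed for illustration; urllib3's original regular expression is not reproduced.

```python
import time
from typing import Optional, Tuple


def split_authority(authority: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Split 'userinfo@host:port' into (userinfo, host, port) in one pass.

    RFC 3986 forbids an unescaped '@' inside userinfo, so the last '@' is
    the only candidate separator. rpartition finds it directly; there is no
    pattern that can try every '@' in turn, whatever the input length.
    (urllib3's own regular expression is not reproduced here.)
    """
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo, hostport = None, authority

    if hostport.startswith("["):  # IPv6 literal: the port follows the ']'
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = hostport[: end + 1], hostport[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_str = rest[1:]
    else:
        host, _, port_str = hostport.partition(":")

    port: Optional[int] = None
    if port_str:
        # at most 5 ASCII digits, and within the 16-bit range
        if not (port_str.isascii() and port_str.isdigit()) or len(port_str) > 5:
            raise ValueError("invalid port")
        port = int(port_str)
        if port > 65535:
            raise ValueError("port out of range")
    return userinfo, host, port


def parse_hostile(n: int) -> dict:
    """Feed an authority made of n '@' characters (the shape that stalled the
    backtracking parser) and report how long the split took."""
    authority = "@" * n  # constructed hostile input
    start = time.perf_counter()
    userinfo, host, port = split_authority(authority)
    elapsed = time.perf_counter() - start
    return {
        "elapsed": elapsed,
        "userinfo_len": len(userinfo or ""),
        "host": host,
        "port": port,
    }
```

Splitting on the last @ is also what browsers do, so the result agrees with what a client following the same redirect would see; the port check rejects non-ASCII digits and out-of-range values rather than letting int() accept them.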
[org.xwiki.commons:xwiki-commons-core] XWiki users registered with email verification can self re-activate their disabled accounts
Impact
A user who was disabled on a wiki that uses email verification for registration can re-activate their own account by re-using the activation link they received at registration.
Patches
The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, …
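As an added example (Python, not XWiki's code): the flaw is an activation link that only proves the token matches, so it still works on an account an administrator has since disabled. The hardened check honours the token only while the account is still awaiting activation, enforces an expiry, and consumes it on first use. The AccountStore class, the state names, the token format and the timestamps are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PENDING, ACTIVE, DISABLED = "pending", "active", "disabled"
TOKEN_TTL_SECONDS = 24 * 3600  # constructed: activation links are valid for a day


@dataclass
class Account:
    name: str
    state: str = PENDING
    activation_token: Optional[str] = None
    token_issued_at: float = 0.0


class AccountStore:
    """Constructed in-memory stand-in for the wiki's user table."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, name: str, now: float) -> str:
        acct = Account(name, PENDING, secrets.token_urlsafe(32), now)
        self.accounts[name] = acct
        return acct.activation_token  # the value carried in the e-mailed link

    def disable(self, name: str) -> None:
        self.accounts[name].state = DISABLED

    def activate_vulnerable(self, name: str, token: str, now: float) -> bool:
        # Flawed shape: a matching token flips the account to ACTIVE whatever
        # state it is in, and the token is never consumed, so a user who kept
        # the registration mail can undo an administrator's disable.
        acct = self.accounts.get(name)
        if acct is None or acct.activation_token is None:
            return False
        if not hmac.compare_digest(acct.activation_token, token):
            return False
        acct.state = ACTIVE
        return True

    def activate(self, name: str, token: str, now: float) -> bool:
        # Hardened: the link only proves "this registration may be completed".
        # It is honoured only while the account is still PENDING, only before
        # it expires, and it is consumed on first use.
        acct = self.accounts.get(name)
        if acct is None or acct.state != PENDING or acct.activation_token is None:
            return False
        if now - acct.token_issued_at > TOKEN_TTL_SECONDS:
            return False
        if not hmac.compare_digest(acct.activation_token, token):
            return False
        acct.activation_token = None
        acct.state = ACTIVE
        return True


def reactivation_scenario(use_hardened: bool) -> str:
    """Register, activate, get disabled by an admin, then replay the link.
    Returns the account's final state."""
    store = AccountStore()
    t0 = 1_700_000_000.0  # constructed timestamp
    token = store.register("mallory", t0)
    activate = store.activate if use_hardened else store.activate_vulnerable
    if not activate("mallory", token, t0 + 60):
        raise RuntimeError("first activation should succeed")
    store.disable("mallory")
    activate("mallory", token, t0 + 3600)  # the disabled user re-uses the link
    return store.accounts["mallory"].state
```

The state check is the part that closes this advisory's hole; the expiry and single-use consumption are the usual companions, since an activation token that stays valid forever is a long-lived credential in a mailbox.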
[prestashop/contactform] Potential XSS injection In PrestaShop contactform
Impact
An attacker is able to inject JavaScript through the contact form.
Patches
The problem is fixed in v4.3.0
References
Cross-site Scripting (XSS) – Stored (CWE-79)
https://github.com/PrestaShop/contactform/security/advisories/GHSA…
[com.diffplug.spotless:spotless-maven-plugin] Improper Restriction of XML External Entity Reference in DiffPlug Spotless
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn’t respect the resolveExternalEntities setting. For example, this allows di…
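As an added example (Python standard library, not Spotless's parser): the two controls that stop an external entity from being fetched, shown side by side. One loader refuses any DOCTYPE before parsing, so no entity can be declared at all; the other lets the DTD through but switches external general entities off at the parser. The xml.sax feature name is the standard library's; the sample documents and the function names are constructed, and the file path in the payload need not exist because neither loader opens it.

```python
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed payload: a DTD declaring an external general entity that
# points at a local file. The file is never opened by either loader below.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE cfg [<!ENTITY secret SYSTEM "file:///etc/hostname">]>
<cfg><value>&secret;</value></cfg>"""

BENIGN = b"""<?xml version="1.0"?><cfg><value>plain</value></cfg>"""


class TextCollector(ContentHandler):
    """Records the root element name and all character data."""

    def __init__(self) -> None:
        super().__init__()
        self.root = None
        self.chunks = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name

    def characters(self, content):
        self.chunks.append(content)


def _parse(data: bytes, external_ges: bool) -> dict:
    handler = TextCollector()
    parser = xml.sax.make_parser()
    # With feature_external_ges off, expat does not fetch external general
    # entities; the unresolved reference contributes no characters.
    parser.setFeature(feature_external_ges, external_ges)
    parser.setContentHandler(handler)
    parser.parse(BytesIO(data))
    return {"root": handler.root, "text": "".join(handler.chunks)}


def parse_untrusted(data: bytes) -> dict:
    """Strictest option: refuse any DTD at all (the counterpart of JAXP's
    disallow-doctype-decl). With no DOCTYPE no entity can be declared, so
    neither external resolution nor entity-expansion blowups are reachable."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE is not allowed in untrusted XML")
    return _parse(data, external_ges=False)


def parse_with_external_entities_disabled(data: bytes) -> dict:
    """Lets the DTD through but keeps external general entities switched off,
    for formats that legitimately carry a DOCTYPE."""
    return _parse(data, external_ges=False)
```

In a JAXP parser the same two controls are the http://apache.org/xml/features/disallow-doctype-decl feature and the external-general-entities and external-parameter-entities features set to false; the advisory's complaint is that the parser ignored Spotless's own resolveExternalEntities setting, so the switch has to be verified at the parser rather than assumed from the tool's configuration.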
[org.springframework.security:spring-security-cas] Insufficiently Protected Credentials and Improper Authentication in Spring Security
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user h…
[fs-path] Command Injection in fs-path
All versions of fs-path are vulnerable to command injection if unsanitized user input is passed in.
Recommendation
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available…