The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
The particular code…
[rdiffweb] Missing rate limit on rdiffweb
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3456
https://github.com/ikus060/rdiffweb/commit/b78ec09f4582e363f6f449df6f987127e126c311
ht…
[apollo-server] The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
Impact
The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, t…
[github.com/hashicorp/nomad] Nomad Panics On Job Submission With Bad Artifact Stanza Source URL
In HashiCorp Nomad and Nomad Enterprise 1.0.2 through 1.2.12, and 1.3.5, jobs submitted with an artifact stanza using invalid S3 or GCS URLs can be used to crash client agents. Fixed in 1.2.13, 1.3.6, and 1.4.0.
References
https://nvd.nist.gov/vuln/detail/C…
[github.com/AdguardTeam/AdGuardHome] AdGuardHome vulnerable to Cross-Site Request Forgery
In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifyi…
[metro4] Cross site scripting in Metro UI
Metro UI v4.4.0 to v4.5.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the JavaScript function. User input is not properly sanitized before rendering in the textarea component.
References
https://nvd.nist.gov/vuln…
[rdiffweb] rdiffweb vulnerable to Open Redirect
A lack of user input validation leads to an open redirect vulnerability in rdiffweb prior to 2.5.0a4.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3438
https://github.com/ikus060/rdiffweb/commit/4d464b467f14b8eb9103d7f5f0774e49995527c7
https:/…
[fat_free_crm] Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
Impact
An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.
This vulnerability has been assigned the CVE identifier: CVE-2022-39281
Affected versions: All
Not affected: None
Fixed versions: 0.20.1
All users running …
[nocodb] NocoDB vulnerable to Denial of Service
NocoDB prior to 0.92.0 allows actors to insert large characters into the input field New Project on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.
References
https://nvd.nist.go…
[twisted] Twisted vulnerable to HTTP Request Smuggling Attacks
Impact
Twisted Web is vulnerable to request smuggling attacks:
“When presented with two content-length headers, Twisted Web ignored the first header. When the second content-length was set to zero this caused Twisted Web to interpret the request body …