rdiffweb prior to version 2.4.9 is vulnerable to Use of Cache Containing Sensitive Information. Due to improper cache control, an attacker can view sensitive information even if they are not logged into an account. Version 2.4.9 contains a patch for th…
[dparse] ReDoS issue in dparse
Impact
dparse versions prior to 0.5.1 contain a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
All users parsing index server URLs with dparse are impacted by this vulnerability.
Patches
The patch is applied in t…
[express-xss-sanitizer] express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute
The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the allowedTags attribute, allowing the attacker to bypass XSS sanitization.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-21169
https://github.com/AhmedAde…
[centreon/centreon] Centreon contains cross-site scripting vulnerability via esc_name parameter
Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTM…
[org.apache.pulsar:pulsar-broker] Apache Pulsar Broker, Proxy, and WebSocket Proxy vulnerable to Improper Certificate Validation
TLS hostname verification cannot be enabled in the Pulsar Broker’s Java Client, the Pulsar Broker’s Java Admin Client, the Pulsar WebSocket Proxy’s Java Client, and the Pulsar Proxy’s Admin Client leaving intra-cluster connections and geo-replication c…
[org.apache.pulsar:pulsar-broker] Apache Pulsar Brokers and Proxies vulnerable to Improper Certificate Validation
Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client’s intra-cluster and geo-replication HTTPS c…
[org.apache.pulsar:pulsar-client] Apache Pulsar Java Client vulnerable to Improper Certificate Validation
Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy makes each client vulnerable to a man-in-the-middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the …
[github.com/hashicorp/consul] HashiCorp Consul vulnerable to authorization bypass
HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, allowing an attacker with privileged access to bypass service mesh intentions. A specially cr…
[https://pkg.go.dev/github.com/mattermost/mattermost-server/v6] Mattermost subject to Denial of Service via upload of special GIF
Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-s…
[org.apache.pulsar:pulsar] Proxy component of Apache Pulsar subject to abuse as Denial of Service endpoint
An Improper Input Validation vulnerability in the Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy’s IP address. When the Apache Pulsar Proxy component is used, it is possible to attem…