In iana-time-zone v0.1.43, a use-after-free bug was introduced in the macOS / iOS implementation.
The copied system time zone was released before its name was copied.
If the system time zone was changed between the call of CFRelease and str::to_owned(),…
[mz-avro] mz-avro’s incorrect use of `set_len` allows for un-initialized memory
Affected versions of this crate pass an uninitialized buffer to a user-provided Read
implementation.
Arbitrary Read implementations can read from the uninitialized buffer (memory exposure)
and can also return an incorrect number of bytes written to the…
[snipe/snipe-it] snipe-it vulnerable to cross-site scripting (XSS)
Cross-site Scripting (XSS) – Stored in GitHub repository snipe/snipe-it prior to v6.0.11.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3035
https://github.com/snipe/snipe-it/commit/9cf5f30c77df6ab60baab1c0e6bb0b4e773f0eae
https://huntr.dev/bou…
[pagekit/pagekit] Pagekit CMS cross-site scripting in Markdown text box where articles are edited
A cross-site scripting (XSS) vulnerability in Pagekit CMS v1.0.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Markdown text box under /blog/post/edit.
References
https://nvd.nist.gov/vuln/detail/CV…
[intelliants/subrion] Subrion CMS 4.2.1 vulnerable to cross-site scripting in admin panel
Cross-site scripting (XSS) in the Admin Panel of Subrion CMS 4.2.1 allows an attacker to inject arbitrary code via the Login Field.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-37059
https://drive.google.com/file/d/1lmU8zuyzyC9LHFXuXzamnkcLcjcfs0…
[oslo-utils] python-oslo-utils has improper password parsing
A flaw was found in python-oslo-utils. Due to improper parsing, passwords containing a double quote ( " ) are masked incorrectly in debug logs, leaving any part of the password after the double quote in plaintext.
References
https://nvd.nist.gov…
[froxlor/froxlor] Froxlor vulnerable to Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3017
https://github.com/froxlor/froxlor/commit/bbe82286aae21328668f24857995a67598fe978a
https://huntr.dev/bou…
[org.keycloak:keycloak-core] Keycloak has Files or Directories Accessible to External Parties
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allow reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the conten…
[org.keycloak:keycloak-core] Keycloak user may register themselves with same email ID of any existing user
A flaw was found in Keycloak where an attacker is able to register with a username that is the same as the email ID of any existing user. This may cause trouble in receiving the password recovery email if the user forgets the password.
References
https:/…
[deluge] Deluge Web-UI vulnerable to XSS through a crafted torrent file
The Deluge Web-UI is vulnerable to cross-site scripting through a crafted torrent file. The data from torrent files is not properly sanitised as it’s interpreted directly as HTML. Someone who supplies the user with a malicious torrent file can exec…