A vulnerability was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to addre…
[nukeviet/nukeviet] NukeView CMS vulnerable to Cross-site Scripting
NukeView CMS has been found to be vulnerable to Cross-site Scripting. Affected by this issue is the function filterAttr of the file vendor/vinades/nukeviet/Core/Request.php of the component Data URL Handler. The manipulation of the argument attrSubSet …
[matrix-appservice-irc] Matrix-appservice-irc vulnerable to sql injection via roomIds argument
A vulnerability was found in matrix-appservice-irc up to 0.35.1. This vulnerability affects the file src/datastore/postgres/PgDataStore.ts. The manipulation of the argument roomIds leads to sql injection. Upgrading to version 0.36.0 is able to address …
[org.deeplearning4j:dl4j-examples] Use of unclaimed s3 bucket in tests and examples
Impact
People who use some older NLP examples that reference the old S3 bucket.
Patches
The problem has been patched. Upgrade to snapshots for now. A release will be published later to address this due to the vulnerability mostly being examples and 1 …
[wasmtime] Wasmtime out of bounds read/write with zero-memory-pages configuration
Impact
There is a bug in Wasmtime’s implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration the virtual memory mapping for WebAssembly memo…
[github.com/phachon/mm-wiki] mm-wiki is vulnerable to Cross-Site Scripting (XSS)
mm-wki v0.2.1 is vulnerable to Cross Site Scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2021-40289
https://github.com/phachon/mm-wiki/issues/319
https://github.com/advisories/GHSA-99g5-5643-xphp
[readthedocs] Read the Docs vulnerable to Cross-Site Scripting (XSS)
Impact
This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs[.]org/readthedocs[.]com) by exploiting a vulnerability in the code that serves downloadable content from a project.
Exploiti…
[electron] Exfiltration of hashed SMB credentials on Windows via file:// redirect
Impact
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some….
[cleo] cleo is vulnerable to Regular Expression Denial of Service (ReDoS)
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-42966
https://…
[pymatgen] pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
References
https://nvd.nist.gov/vuln/detail/CVE-2022…