Security Vulnerabilities by security@huntr.dev

Cross-site Scripting (XSS) - Reflected in GitHub repository viliusle/minipaint prior to 4.14.0.

Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.

Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter.

An attacker is able to steal secrets and potentially gain remote code execution via CSRF using the open source Prefect web server's API.

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication.

An attacker can overwrite any file on the server hosting MLflow without any authentication.

H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO model import feature.

MLflow allowed arbitrary files to be PUT onto the server.

An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.

H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.

Improper Access Control in GitHub repository microweber/microweber prior to 2.0.

Improper Authorization in GitHub repository teamamaze/amazefileutilities prior to 1.91.