Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
Source: Snyk
Max CVSS
8.2
EPSS Score
N/A
Published
2024-05-29
Updated
2024-05-29
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
Source: Snyk
Max CVSS
9.8
EPSS Score
0.05%
Published
2024-04-23
Updated
2024-04-23
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
Source: Snyk
Max CVSS
N/A
EPSS Score
0.04%
Published
2024-04-10
Updated
2024-04-10
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
Source: Snyk
Max CVSS
9.8
EPSS Score
0.04%
Published
2024-04-11
Updated
2024-04-11
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
Source: Snyk
Max CVSS
N/A
EPSS Score
0.05%
Published
2024-04-10
Updated
2024-04-10
Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.
Source: Snyk
Max CVSS
5.2
EPSS Score
0.05%
Published
2024-04-06
Updated
2024-04-08
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.
Source: Snyk
Max CVSS
7.5
EPSS Score
0.04%
Published
2024-03-25
Updated
2024-03-25
Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it.
Source: Snyk
Max CVSS
6.1
EPSS Score
0.05%
Published
2024-03-19
Updated
2024-03-19
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Source: Snyk
Max CVSS
5.3
EPSS Score
0.05%
Published
2024-03-19
Updated
2024-03-19
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.
Source: Snyk
Max CVSS
7.5
EPSS Score
0.05%
Published
2024-02-24
Updated
2024-02-26
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute allowed, allowing enumeration of files in the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.
Source: Snyk
Max CVSS
5.3
EPSS Score
0.05%
Published
2024-02-24
Updated
2024-03-06
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes, attackers can bypass this blocking mechanism by automating the application’s full multistep 2FA process.
Source: Snyk
Max CVSS
4.8
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to HTTP Header Injection via the X-Forwarded-Proto header due to redirecting to the injected protocol.Exploiting this vulnerability could lead to bypass of security mechanisms or confusion in handling TLS.
Source: Snyk
Max CVSS
4.3
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to Server-side Request Forgery (SSRF) via X-Forwarded-Host header manipulation. An attacker can expose sensitive information, interact with internal services, or exploit other vulnerabilities within the network by exploiting this vulnerability.
Source: Snyk
Max CVSS
5.3
EPSS Score
0.06%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to Open Redirect via the redirect_url parameter. An attacker could perform a phishing attack and trick users into visiting a malicious website by crafting a convincing URL with this parameter. To exploit this vulnerability, the user must take an action, such as clicking on a portal button or using the browser’s back button, to trigger the redirection.
Source: Snyk
Max CVSS
5.4
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS (e.g., [&], [<], [>], ["], [']), it does not account for the attack based on the JavaScript URL scheme (e.g., javascript:alert(document.domain)// payload). Exploiting this vulnerability may not be trivial, but it could lead to the execution of malicious scripts in the context of the target user’s browser, compromising user sessions.
Source: Snyk
Max CVSS
6.1
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
Versions of the package github.com/greenpau/caddy-security before 1.0.42 are vulnerable to Insecure Randomness due to using an insecure random number generation library which could possibly be predicted via a brute-force search. Attackers could use the potentially predictable nonce value used for authentication purposes in the OAuth flow to conduct OAuth replay attacks. In addition, insecure randomness is used while generating multifactor authentication (MFA) secrets and creating API keys in the database package.
Source: Snyk
Max CVSS
6.5
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.
Source: Snyk
Max CVSS
5.4
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.
Source: Snyk
Max CVSS
5.3
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.
Source: Snyk
Max CVSS
4.8
EPSS Score
0.05%
Published
2024-02-17
Updated
2024-02-20
Versions of the package svix before 1.17.0 are vulnerable to Authentication Bypass due to an issue in the verify function where signatures of different lengths are incorrectly compared. An attacker can bypass signature verification by providing a shorter signature that matches the beginning of the actual signature. **Note:** The attacker would need to know a victim uses the Rust library for verification,no easy way to automatically check that; and uses webhooks by a service that uses Svix, and then figure out a way to craft a malicious payload that will actually include all of the correct identifiers needed to trick the receivers to cause actual issues.
Source: Snyk
Max CVSS
5.9
EPSS Score
0.05%
Published
2024-02-13
Updated
2024-03-06
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
Source: Snyk
Max CVSS
7.5
EPSS Score
0.05%
Published
2024-02-10
Updated
2024-05-14
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization. If (attacker-controlled) user input is given to the mac_address_for function of the package, it is possible for the attacker to execute arbitrary commands on the operating system that this package is being run on.
Source: Snyk
Max CVSS
9.8
EPSS Score
0.07%
Published
2024-01-30
Updated
2024-02-08
Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary. An authenticated attacker who stores a view that exploits this vulnerability could steal the data that's visible to another user who opens that view - not just the data already included on the page, but they could also, in theory, make additional requests and access other data accessible to this user. In some cases, they could also steal the access tokens of that user, which would allow the attacker to act as that user, including viewing other apps and resources hosted on the same server. **Note:** This is only exploitable in Dash apps that include some mechanism to store user input to be reloaded by a different user.
Source: Snyk
Max CVSS
6.5
EPSS Score
0.09%
Published
2024-02-02
Updated
2024-03-06
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
Source: Snyk
Max CVSS
7.5
EPSS Score
0.08%
Published
2024-01-22
Updated
2024-03-06
753 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!