A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and before allows remote attackers to inject arbitrary web script or HTML via the groupId parameter. Date published : 2022-05-01 http://cyclos.com...
In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SUID binaries within the OpenEdge application were susceptible to privilege escalation. If exploited, a local attacker could elevate their privileges and compromise the affected...
CSV-Safe gem < 3.0.0 doesn't filter out special characters which could trigger CSV Injection. Date published : 2022-05-01 https://github.com/zvory/csv-safe https://github.com/zvory/csv-safe/issues/7
nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. Date published : 2022-05-01 https://github.com/nopSolutions/nopCommerce/commit/47ff9a241243db9359f10216bcf401baaa36d0b4 https://github.com/nopSolutions/nopCommerce/issues/6203
This affects the package pistacheio/pistache before 0.0.3.20220425. It is possible to traverse directories to fetch arbitrary files from the server. Date published : 2022-05-01 https://github.com/pistacheio/pistache/pull/1065 https://snyk.io/vuln/SNYK-UNMANAGED-PISTACHEIOPISTACHE-2806332
The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnerable to Server-side Request Forgery (SSRF) when interceptor mode is set to proxy. It occurs when an HTTP request is made by a backend server to an untrusted...
The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ‘ ‘.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre...
All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files...
All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of local gadgets. Date published : 2022-05-01 https://github.com/JinYiTong/CVE-Req/blob/main/ureport2/ureport2-console.md https://snyk.io/vuln/SNYK-JAVA-COMBSTEKUREPORT-2322018
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. Date published : 2022-05-01 https://github.com/google/gson/pull/1991 https://github.com/google/gson/pull/1991/commits
All versions of package dset are vulnerable to Prototype Pollution via ‘dset/merge’ mode, as the dset function checks for prototype pollution by validating if the top-level path contains __proto__, constructor or protorype. By crafting...
All versions of package materialize-css are vulnerable to Cross-site Scripting (XSS) due to improper escape of user input (such as <not-a-tag />) that is being parsed as HTML/JavaScript, and inserted into the Document Object...
All versions of package jsgui-lang-essentials are vulnerable to Prototype Pollution due to allowing all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. Date published : 2022-05-01 https://github.com/metabench/jsgui-lang-essentials/issues/1...
The package git-pull-or-clone before 2.0.2 are vulnerable to Command Injection due to the use of the –upload-pack feature of git which is also supported for git clone. The source includes the use of the...