Affected versions of sqlite3 will experience a fatal error when a specific object is supplied in the parameter array. This error causes the application to crash and cannot be caught. Users of sqlite3 v5.0.0, v5.0.1 and v5.0.2 are affected by this. Thi…
[org.xwiki.commons:xwiki-commons-xml] Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
Impact
It is possible, from a script, to access any file readable by the user running the XWiki application server, via XML External Entity Injection through the XML script service.
For example:
{{velocity}}
#set($xml=$services.get('xml'))
#set($xxe_payload = …
[org.keycloak:keycloak-oidc-client-adapter-pom] OIDC Logout redirect in keycloak
A flaw was found in keycloak. The OIDC logout endpoint does not have CSRF protection. The highest threat from this vulnerability is to system availability.
References
https://github.com/keycloak/keycloak/security/advisories/GHSA-rvjg-gxwx-j5gf
https:/…
[github.com/hashicorp/go-getter] Insertion of Sensitive Information into Log File in Hashicorp go-getter
The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-29810
https://github.com/hashicorp…
[microweber/microweber] Cross-site Scripting in microweber
XSS in /demo/module/?module=HERE in GitHub repository microweber/microweber prior to 1.2.15. Typical impact of XSS attacks.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1504
https://github.com/microweber/microweber/commit/1f6a4de416a85e626dc64…
[actionview] XSS Vulnerability in Action View tag helpers
There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.
Versions Affected: ALL
Not affect…
[actionpack] XSS Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
…
[org.keycloak:keycloak-saml-core] ECP SAML binding bypasses authentication flows
Description
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and…
[org.owasp.esapi:esapi] Cross-site Scripting in org.owasp.esapi:esapi
Impact
There is a potential for an XSS vulnerability in ESAPI caused by an incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause URLs with the "javascript:" scheme to NOT be sanitized. See the reference…
[org.owasp.esapi:esapi] Path traversal in the OWASP Enterprise Security API
Impact
The default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to b…