Impact
This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories.
A security vulnerability (CVE-2022-29810) was discovered in the go-getter library in versions prior to v1.5.11 that expose…
[com.hccake:ballcat-codegen] ballcat-codegen template engine remote code execution injection
Impact
Ballcat Codegen provides the function of online editing code to generate templates.
In versions < 1.0.0.beta.2, Velocity and FreeMarker templates are introduced without input validation, so attackers can implement remote code exec…
[getgrav/grav] Stored cross site scripting in getgrav/grav
Stored cross-site scripting in GitHub repository getgrav/grav prior to 1.7.33.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1173
https://github.com/getgrav/grav/commit/1c0ed43afa5dc14169e6aa693b38e1a2f7aecad9
https://huntr.dev/bounties/b6016e9…
[org.keycloak:keycloak-core] Improper authorization in Keycloak
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
References
h…
[org.keycloak:keycloak-services] Privilege escalation vulnerability on Token Exchange feature
A privilege escalation flaw was found in the token exchange feature of Keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could …
[flask-session-captcha] Potential Captcha Validate Bypass in flask-session-captcha
Impact
flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session.
The captcha.validate() function would return None if passed no value (e.g. by submitting a request with an em…
[net.sourceforge.htmlunit:neko-htmlunit] OutOfMemory Exception by specifically crafted processing instruction in NekoHtml Parser
Impact
NekoHtml Parser suffers from a denial of service vulnerability in versions 2.60.0 and below. A specifically crafted input in the parsing of processing instructions leads to excessive heap memory consumption. Please update to version 2.61.0.
For mor…
[com.adobe.acs:acs-aem-commons] Page Compare Reflected Cross-site Scripting (XSS) vulnerability
Impact
ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not va…
[neorazorx/facturascripts] Cross site scripting in facturascripts
FacturaScripts is an open source ERP software. Stored XSS in the title parameter, executing on the EditUser and EditProducto pages, in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences…
[gibbon] Server side request forgery in gibbon
Gibbon v3.4.3 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. This issue has been resolved in version 3.4.4.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27311
https://github.com/amro/gibbon/pull/32…